09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe
Size

380KB
MD5

2b0cf1e3ed423ce68f82c3aec19cee0d
SHA1

2672a36ab2b9cf8983b2443351f6d3a4bf24a815
SHA256

09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698
SHA512

2ce21d03686ed4081139b02503c47b80dabe6addac43b506eeebf934fc85af330f34e172be710661df9beaad1b26552dbba5f0037b09253bbe5f061919720ad9
SSDEEP

3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122fa-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012345-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012345-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012345-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012345-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012345-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}	{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4CED66E-0759-4434-868B-16AF9A8B76ED}	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{662EBD2D-236A-4210-85BE-21F2CB663B4D}\stubpath = "C:\\Windows\\{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe"	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FD71964-233B-4ecd-9735-1E0030ACE394}	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E3643F-8F94-4695-A6C3-737185743895}\stubpath = "C:\\Windows\\{E6E3643F-8F94-4695-A6C3-737185743895}.exe"	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}	{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E23DC54-9100-4ab0-A541-93F3C45223C8}\stubpath = "C:\\Windows\\{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe"	{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4CED66E-0759-4434-868B-16AF9A8B76ED}\stubpath = "C:\\Windows\\{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe"	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{662EBD2D-236A-4210-85BE-21F2CB663B4D}	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059A57E5-9666-44a7-A373-6D1D8DEFF183}\stubpath = "C:\\Windows\\{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe"	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}\stubpath = "C:\\Windows\\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}.exe"	{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E7144C-499C-4219-88F2-A01E997B8DF9}	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E7144C-499C-4219-88F2-A01E997B8DF9}\stubpath = "C:\\Windows\\{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe"	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FD71964-233B-4ecd-9735-1E0030ACE394}\stubpath = "C:\\Windows\\{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe"	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}\stubpath = "C:\\Windows\\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe"	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059A57E5-9666-44a7-A373-6D1D8DEFF183}	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E3643F-8F94-4695-A6C3-737185743895}	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07DFB8B-D523-4cd2-A107-30F49D34D423}	{E6E3643F-8F94-4695-A6C3-737185743895}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07DFB8B-D523-4cd2-A107-30F49D34D423}\stubpath = "C:\\Windows\\{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe"	{E6E3643F-8F94-4695-A6C3-737185743895}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}\stubpath = "C:\\Windows\\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe"	{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E23DC54-9100-4ab0-A541-93F3C45223C8}	{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe
2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe
2032	{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
2380	{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe
540	{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe
1576	{058DE7BA-5DA5-4a9f-B832-74CAE069D420}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
File created	C:\Windows\{E6E3643F-8F94-4695-A6C3-737185743895}.exe	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
File created	C:\Windows\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe	{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
File created	C:\Windows\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}.exe	{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe
File created	C:\Windows\{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
File created	C:\Windows\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
File created	C:\Windows\{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
File created	C:\Windows\{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe	{E6E3643F-8F94-4695-A6C3-737185743895}.exe
File created	C:\Windows\{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe	{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe
File created	C:\Windows\{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe
File created	C:\Windows\{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe
Token: SeIncBasePriorityPrivilege	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
Token: SeIncBasePriorityPrivilege	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe
Token: SeIncBasePriorityPrivilege	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
Token: SeIncBasePriorityPrivilege	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
Token: SeIncBasePriorityPrivilege	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
Token: SeIncBasePriorityPrivilege	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
Token: SeIncBasePriorityPrivilege	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe
Token: SeIncBasePriorityPrivilege	2032	{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
Token: SeIncBasePriorityPrivilege	2380	{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe
Token: SeIncBasePriorityPrivilege	540	{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3020	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	28
PID 1568 wrote to memory of 3020	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	28
PID 1568 wrote to memory of 3020	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	28
PID 1568 wrote to memory of 3020	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	28
PID 1568 wrote to memory of 2612	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	29
PID 1568 wrote to memory of 2612	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	29
PID 1568 wrote to memory of 2612	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	29
PID 1568 wrote to memory of 2612	1568	09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe	29
PID 3020 wrote to memory of 2572	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	30
PID 3020 wrote to memory of 2572	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	30
PID 3020 wrote to memory of 2572	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	30
PID 3020 wrote to memory of 2572	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	30
PID 3020 wrote to memory of 2664	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	31
PID 3020 wrote to memory of 2664	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	31
PID 3020 wrote to memory of 2664	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	31
PID 3020 wrote to memory of 2664	3020	{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe	31
PID 2572 wrote to memory of 2356	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	32
PID 2572 wrote to memory of 2356	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	32
PID 2572 wrote to memory of 2356	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	32
PID 2572 wrote to memory of 2356	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	32
PID 2572 wrote to memory of 2412	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	33
PID 2572 wrote to memory of 2412	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	33
PID 2572 wrote to memory of 2412	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	33
PID 2572 wrote to memory of 2412	2572	{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe	33
PID 2356 wrote to memory of 2828	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	34
PID 2356 wrote to memory of 2828	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	34
PID 2356 wrote to memory of 2828	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	34
PID 2356 wrote to memory of 2828	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	34
PID 2356 wrote to memory of 2080	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	35
PID 2356 wrote to memory of 2080	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	35
PID 2356 wrote to memory of 2080	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	35
PID 2356 wrote to memory of 2080	2356	{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe	35
PID 2828 wrote to memory of 2308	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	38
PID 2828 wrote to memory of 2308	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	38
PID 2828 wrote to memory of 2308	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	38
PID 2828 wrote to memory of 2308	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	38
PID 2828 wrote to memory of 288	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	39
PID 2828 wrote to memory of 288	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	39
PID 2828 wrote to memory of 288	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	39
PID 2828 wrote to memory of 288	2828	{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe	39
PID 2308 wrote to memory of 240	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	40
PID 2308 wrote to memory of 240	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	40
PID 2308 wrote to memory of 240	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	40
PID 2308 wrote to memory of 240	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	40
PID 2308 wrote to memory of 1600	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	41
PID 2308 wrote to memory of 1600	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	41
PID 2308 wrote to memory of 1600	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	41
PID 2308 wrote to memory of 1600	2308	{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe	41
PID 240 wrote to memory of 932	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	42
PID 240 wrote to memory of 932	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	42
PID 240 wrote to memory of 932	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	42
PID 240 wrote to memory of 932	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	42
PID 240 wrote to memory of 1456	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	43
PID 240 wrote to memory of 1456	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	43
PID 240 wrote to memory of 1456	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	43
PID 240 wrote to memory of 1456	240	{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe	43
PID 932 wrote to memory of 2032	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	44
PID 932 wrote to memory of 2032	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	44
PID 932 wrote to memory of 2032	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	44
PID 932 wrote to memory of 2032	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	44
PID 932 wrote to memory of 1704	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	45
PID 932 wrote to memory of 1704	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	45
PID 932 wrote to memory of 1704	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	45
PID 932 wrote to memory of 1704	932	{E6E3643F-8F94-4695-A6C3-737185743895}.exe	45

C:\Users\Admin\AppData\Local\Temp\09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe
"C:\Users\Admin\AppData\Local\Temp\09c2063b37f37dcfc4a47a4154ad4de98f710434098d7b3a97ded7981875e698.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
  C:\Windows\{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe
    C:\Windows\{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
      C:\Windows\{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
        
        C:\Windows\{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
        
        C:\Windows\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
        
        C:\Windows\{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\{E6E3643F-8F94-4695-A6C3-737185743895}.exe
        
        C:\Windows\{E6E3643F-8F94-4695-A6C3-737185743895}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
        
        C:\Windows\{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe
        
        C:\Windows\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe
        
        C:\Windows\{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}.exe
        
        C:\Windows\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}.exe
        12⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E23D~1.EXE > nul
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20C63~1.EXE > nul
        11⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B07DF~1.EXE > nul
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E36~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{059A5~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8AB~1.EXE > nul
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FD71~1.EXE > nul
        6⤵
        
        PID:288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{662EB~1.EXE > nul
        5⤵
        
        PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4CED~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97E71~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\09C206~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{058DE7BA-5DA5-4a9f-B832-74CAE069D420}.exe

Filesize
380KB

MD5
eb18d2f2730afdf386c239a23029b1c0

SHA1
6a2e8da3969337eb895d8bbd4c21163c63da5fbf

SHA256
c061545fe89db0224314bf0ea4681d4200304474c2c256c0a655c3d895a9a75a

SHA512
a1050849e7027f56a3be5017a3a7b3d20071c889b006334c842705c58e64479a51f54e127ab655b9105db14065bd5d8c26cc3bd4f06c306970482167e60d9455

Download Submit
C:\Windows\{059A57E5-9666-44a7-A373-6D1D8DEFF183}.exe

Filesize
380KB

MD5
09518db1526a1d6333088f56e35e11ec

SHA1
20806939fc46aef177f30a9f8178ea572335b15e

SHA256
da6c769d0618381dc61df513f497ee205da8b56f55c097454b1381e757f43d07

SHA512
cb4dcd50f2e4092cd259a190793cfdc36e96a9614be66d68c213a8944fd7a275531f1f938f7728883da35a26ffd1ae77b32bafe345a5bf7e227cf4fe11fddd7f

Download Submit
C:\Windows\{0E8AB1BC-A5E9-469a-85BF-0014D2A2F46B}.exe

Filesize
380KB

MD5
30e964b52c5e32ca171051e9126c688d

SHA1
7a763d1510e0dcb97f4f9218dbe157f9f9e24bef

SHA256
54797f4ffb725aa9b9ec2df6b3dda850668e8ce18907fcc908225f2e559b7200

SHA512
397cc9f56f461d3d5746f88ec6cb1bd8e1e2ac4c6c3b3217f4ec98c1421f6a6be8c09c2901f969f5d2ad3a7c542fc91fe07b9f4d1f5e1b9cba6f35e8073d2281

Download Submit
C:\Windows\{1FD71964-233B-4ecd-9735-1E0030ACE394}.exe

Filesize
380KB

MD5
af7b1224df82189efcc9c7cca2918221

SHA1
8dd83c6566b84b208c1b2ada5c9dfb38f94d812f

SHA256
46651d669267be6ae0f72cdaf76ec037ae74c8fa25c7c3203ea9f50fababf0f9

SHA512
5b8939b836be63dd6d9fb9b9dfdb52220fd3d2b299b85c04ded60f6cc985f4fbc416915ae6c719387319e4d6e15bde3a4c7ce7294d111dddc5d203e89167105a

Download Submit
C:\Windows\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe

Filesize
201KB

MD5
87c82d0afc2ee0b5acc0b4a368758dd2

SHA1
0ba5edd9875e4489c2a753a66d8322db94f51733

SHA256
b2f537820e7895baa0f1685c2dea1f4f2e19e20c1b60288c6cdf3769bd0c8dc8

SHA512
ab77e168c78bcb0f84c14f1f5a8e793f557e5053c94b684905c52d298d8d8c924729f3a2ba9ea9e1371f0d3d6fb58bee95558a47c393152e69e74252108395b2

Download Submit
C:\Windows\{20C635B5-62CA-48bd-B37F-62F38FA17EEE}.exe

Filesize
380KB

MD5
e86f9bf9681f5e2758df89e84dd7e20e

SHA1
d640c9cf4dea4788e84d0fba636d7342543ee6e1

SHA256
7cf90f2d7b550eecb4e253e62ea25901f8135e210fd98f0080d6336ba3bceeda

SHA512
a8ff79f991b76c58c47a6ec2a7bc660254deda487eeac931eb3c0446922258c83e17b3266ff0368f1e9ac7a1e29efc1b2d324edfee3ea589f1062327a1323448

Download Submit
C:\Windows\{2E23DC54-9100-4ab0-A541-93F3C45223C8}.exe

Filesize
380KB

MD5
52195bcb2730c6271a323a0e3a42154b

SHA1
a40a62da7f962af84c4b9676e62faa0e6e8f4e4f

SHA256
ee071c1083142954e7a6afa60765266408234e062bfaf5e5d174b5dda93e419c

SHA512
7548090cace875b871188cc1f7e025437855fc8ad4eab8df679fce2ca5d0a47ba9ad57673c4a6159be852a81ee44bb46d4ad284a738e88dc5cf165e61c1e0928

Download Submit
C:\Windows\{662EBD2D-236A-4210-85BE-21F2CB663B4D}.exe

Filesize
380KB

MD5
71fa1be726e1f8fd9504608d1d0cc0b8

SHA1
97d14d4a9b5a74ae514b9835bc25bd3ef454fa51

SHA256
8e7f3454a7baff7535302f9154463e689159a36002b2af39a48f796d48c332e9

SHA512
d1c45b527b378e0530ace3e989ba6553a0989dd5cb489aa75b6f5cfc72ef3b142d1282c59feb1c96e3a4d62d3820ab9dca37777f15a60e02b86c253acf107952

Download Submit
C:\Windows\{97E7144C-499C-4219-88F2-A01E997B8DF9}.exe

Filesize
380KB

MD5
4c0f8f25273f649911c62bc0048f2e7b

SHA1
c3f0a862de856c649b0311797f9c1b95ce708190

SHA256
e7aa62c72d92ccd6c545343b5efb7fd0386463998a451254bd12fb0ce29f3114

SHA512
a7055e50d1cfdadbf32c4b20204baeecfed85b096563a242717ec01613912beedf795012d720eba8af7f73a45ff90c4eb502636bac102527454c27bececebc3a

Download Submit
C:\Windows\{B07DFB8B-D523-4cd2-A107-30F49D34D423}.exe

Filesize
380KB

MD5
0fee10cdd772abd3db9363c30208f29a

SHA1
33b18d848793871c77d5fe6b005cbab2644a47a2

SHA256
85be8f3ef6aba0c610e3c5be45be006bc8f55ae06070599a9d0c8f2097dcb9f2

SHA512
afbf2037b21c310da507daea481c93bfbaf7400874d9d8ee64d2156567dae2951873c728f2927582bb1ced81a4cb41f70b3af86b7af0e7c3b3091a8d18ff5f56

Download Submit
C:\Windows\{E4CED66E-0759-4434-868B-16AF9A8B76ED}.exe

Filesize
380KB

MD5
54d0a3f9b483b625b103ec96524cae73

SHA1
8b8f2079c0bc941571b6eed151f591ec3fa7f2c2

SHA256
f7176a95c483d8a10370778891d3e93a8788668f5d214bc86b369152f3c660a2

SHA512
0c988a6a394906796c5dbc7521e680dcbd24a931a94dc33652c507f7d45e5039c0146a6ef4709931c05073722d28d8f83abe70dd3b52e6837044613b3ec3b007

Download Submit
C:\Windows\{E6E3643F-8F94-4695-A6C3-737185743895}.exe

Filesize
380KB

MD5
2c82faec1607b4cb8725d51fbf555db5

SHA1
680fa93d2fd3d3f1067d9124773d307cdb9e6979

SHA256
6f4b75bb43f5c1e9fa73a4ff8e8d8041f66cb21a18d70e2746b6d5ef35d4bab9

SHA512
afabab87c113622459ddb7446dae2116166a4a0620ba6add236a9ea9996441959490319bfe308fa95792169e1a825bd03ffba19811986d6bdcc1e09288acfe9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads