0b6dd330e8c6e6cc332e773da4202bae05f330911b12ec2eef46c1821b2bc1d6

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe
Size

197KB
MD5

6275e1e7326b27a78f0ff08a478ebc8c
SHA1

2c078870212d09d3e2ed8dc9e1c0ff68641e5650
SHA256

0b6dd330e8c6e6cc332e773da4202bae05f330911b12ec2eef46c1821b2bc1d6
SHA512

e831058f36fda0e1b1ddd9588443560fb8aa6fc5cffaaf684df151fd5d4ebe85e2b012c00441766550a962d0b33ecb44a0f8fbdec57b432aeaf43f85af050502
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGnlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013420-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000013a84-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013420-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000013acb-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013420-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013420-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013420-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8F1E880-D4DD-40fe-BC82-A4707D656847}\stubpath = "C:\\Windows\\{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe"	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}\stubpath = "C:\\Windows\\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}.exe"	{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}\stubpath = "C:\\Windows\\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe"	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CFDE40-4353-497f-939A-47BFFEE8DB07}	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CFDE40-4353-497f-939A-47BFFEE8DB07}\stubpath = "C:\\Windows\\{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe"	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}	{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}\stubpath = "C:\\Windows\\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe"	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D43C54-7F48-440d-BD37-EB17B34046E5}	{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}	{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD0349DD-1807-4ca9-9957-C976C74B3149}\stubpath = "C:\\Windows\\{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe"	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}\stubpath = "C:\\Windows\\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe"	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}\stubpath = "C:\\Windows\\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe"	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8F1E880-D4DD-40fe-BC82-A4707D656847}	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}\stubpath = "C:\\Windows\\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe"	{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD0349DD-1807-4ca9-9957-C976C74B3149}	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}\stubpath = "C:\\Windows\\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe"	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D43C54-7F48-440d-BD37-EB17B34046E5}\stubpath = "C:\\Windows\\{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe"	{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe
2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
2776	{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
1968	{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe
540	{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe
1400	{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
File created	C:\Windows\{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
File created	C:\Windows\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}.exe	{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe
File created	C:\Windows\{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe
File created	C:\Windows\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
File created	C:\Windows\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
File created	C:\Windows\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe	{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
File created	C:\Windows\{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe	{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe
File created	C:\Windows\{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
File created	C:\Windows\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
File created	C:\Windows\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
Token: SeIncBasePriorityPrivilege	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
Token: SeIncBasePriorityPrivilege	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
Token: SeIncBasePriorityPrivilege	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
Token: SeIncBasePriorityPrivilege	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
Token: SeIncBasePriorityPrivilege	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe
Token: SeIncBasePriorityPrivilege	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
Token: SeIncBasePriorityPrivilege	2776	{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
Token: SeIncBasePriorityPrivilege	1968	{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe
Token: SeIncBasePriorityPrivilege	540	{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2980	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	28
PID 2100 wrote to memory of 2980	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	28
PID 2100 wrote to memory of 2980	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	28
PID 2100 wrote to memory of 2980	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	28
PID 2100 wrote to memory of 2476	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	29
PID 2100 wrote to memory of 2476	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	29
PID 2100 wrote to memory of 2476	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	29
PID 2100 wrote to memory of 2476	2100	2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe	29
PID 2980 wrote to memory of 2828	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	30
PID 2980 wrote to memory of 2828	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	30
PID 2980 wrote to memory of 2828	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	30
PID 2980 wrote to memory of 2828	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	30
PID 2980 wrote to memory of 2532	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	31
PID 2980 wrote to memory of 2532	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	31
PID 2980 wrote to memory of 2532	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	31
PID 2980 wrote to memory of 2532	2980	{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe	31
PID 2828 wrote to memory of 2484	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	32
PID 2828 wrote to memory of 2484	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	32
PID 2828 wrote to memory of 2484	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	32
PID 2828 wrote to memory of 2484	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	32
PID 2828 wrote to memory of 2372	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	33
PID 2828 wrote to memory of 2372	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	33
PID 2828 wrote to memory of 2372	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	33
PID 2828 wrote to memory of 2372	2828	{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe	33
PID 2484 wrote to memory of 2668	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	36
PID 2484 wrote to memory of 2668	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	36
PID 2484 wrote to memory of 2668	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	36
PID 2484 wrote to memory of 2668	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	36
PID 2484 wrote to memory of 2624	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	37
PID 2484 wrote to memory of 2624	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	37
PID 2484 wrote to memory of 2624	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	37
PID 2484 wrote to memory of 2624	2484	{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe	37
PID 2668 wrote to memory of 2712	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	38
PID 2668 wrote to memory of 2712	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	38
PID 2668 wrote to memory of 2712	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	38
PID 2668 wrote to memory of 2712	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	38
PID 2668 wrote to memory of 1580	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	39
PID 2668 wrote to memory of 1580	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	39
PID 2668 wrote to memory of 1580	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	39
PID 2668 wrote to memory of 1580	2668	{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe	39
PID 2712 wrote to memory of 2256	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	40
PID 2712 wrote to memory of 2256	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	40
PID 2712 wrote to memory of 2256	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	40
PID 2712 wrote to memory of 2256	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	40
PID 2712 wrote to memory of 1008	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	41
PID 2712 wrote to memory of 1008	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	41
PID 2712 wrote to memory of 1008	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	41
PID 2712 wrote to memory of 1008	2712	{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe	41
PID 2256 wrote to memory of 2264	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	42
PID 2256 wrote to memory of 2264	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	42
PID 2256 wrote to memory of 2264	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	42
PID 2256 wrote to memory of 2264	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	42
PID 2256 wrote to memory of 1376	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	43
PID 2256 wrote to memory of 1376	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	43
PID 2256 wrote to memory of 1376	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	43
PID 2256 wrote to memory of 1376	2256	{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe	43
PID 2264 wrote to memory of 2776	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	44
PID 2264 wrote to memory of 2776	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	44
PID 2264 wrote to memory of 2776	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	44
PID 2264 wrote to memory of 2776	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	44
PID 2264 wrote to memory of 340	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	45
PID 2264 wrote to memory of 340	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	45
PID 2264 wrote to memory of 340	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	45
PID 2264 wrote to memory of 340	2264	{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_6275e1e7326b27a78f0ff08a478ebc8c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
  C:\Windows\{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
    C:\Windows\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
      C:\Windows\{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
        
        C:\Windows\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
        
        C:\Windows\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe
        
        C:\Windows\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
        
        C:\Windows\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
        
        C:\Windows\{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe
        
        C:\Windows\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe
        
        C:\Windows\{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}.exe
        
        C:\Windows\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D43~1.EXE > nul
        12⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B47BA~1.EXE > nul
        11⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8F1E~1.EXE > nul
        10⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DDD2~1.EXE > nul
        9⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93AF3~1.EXE > nul
        8⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E8C6~1.EXE > nul
        7⤵
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CE92~1.EXE > nul
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75CFD~1.EXE > nul
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C15~1.EXE > nul
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD034~1.EXE > nul
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4E8C65BE-DA7C-4b95-9293-B9FEB69E9740}.exe

Filesize
197KB

MD5
b9d3f191c9e0348e697e6fcf57b73e4b

SHA1
e918f7aeb2955a1f323bcd00b14634148ae8838c

SHA256
2560160895102ccf716035947ad9a23d494788dbde4516c34a359602ba76e517

SHA512
e87231d5fcd78834d2e19c438843a205aeb18de558c0234bfbc67f6625260ff56b0d0aa7e7539e9da7e9b2e6460a8410a27539013f9c037a6aebe81a1d507c89

Download Submit
C:\Windows\{75CFDE40-4353-497f-939A-47BFFEE8DB07}.exe

Filesize
197KB

MD5
d75fb0d8ddd8e6772d918e274d3c3201

SHA1
4923c28cd7e5060f0a591efc6f456c73226c6905

SHA256
9eaf7af36631ef497daab0ab2e683577304c4d8b5554b2c4c5c165276d641fab

SHA512
48fd0d9c76dd3e47342dfa5166b1bc4d7aa6da7253723f1807e3c91720ba827501d4655a0d50a24f827aa0b57f0c66edda4249f3d6653833d8b092d4634e9d88

Download Submit
C:\Windows\{7CE92C96-5DED-4c51-90A8-FC401E14E3A8}.exe

Filesize
197KB

MD5
02aa748fdc9d43b8dc200be86fc98b14

SHA1
057a0a5753b104805339f1938152757cefd377bf

SHA256
f4e1acd9b656438b5f7ac1e8234cf7d8b9b15d84b3bd3dd8940303155591ff14

SHA512
f553ee0219b06f648ebec5ae8e4430a47fba016c40c49ac50f63b7055dc9d5017a91e54eb6118ae983b2137be025d88286803a1c8517149c34a6980f33c3f2cd

Download Submit
C:\Windows\{8DDD226E-691A-4383-9B0B-7D6A44CA4CE2}.exe

Filesize
197KB

MD5
e1c68ca3c8c1e0a8973023689a5a23e0

SHA1
ce62c7c3a297d083d0b35bfd767ec398bec333da

SHA256
b4e2b3f48e58a4fd08b989314d44c78617fd422e28e9cb80fca025ddae5a7d5a

SHA512
5644dfb84d190570fb872e61fc04b67ca41e58e6b01d562e818cc0a93e1a36d6a9c9d723cae2d41eb5ae447428d50eba18e85c84e17d4c3ebea24f0bfa454f05

Download Submit
C:\Windows\{93AF39B1-504A-405d-9838-AFCCC1A7CA07}.exe

Filesize
197KB

MD5
3320d4a7519ae98531f261f0676adb53

SHA1
6c0925ad5bb17fa7e5d8ffb6aa1ee711e91ecb88

SHA256
3d2978ab6a9becf15384ee82ee2aef11c78927f48513ed67d13773c0a40eb582

SHA512
753791f76ebb834f8b835ad3018bebb096b25f947e9df01831e6c49928f85543a7c12df06bef8f70c7da09b25156d16ee71d728eaebbdbd16c3684c71c46f600

Download Submit
C:\Windows\{95EAF9B5-BDD0-46a8-992C-CABD1F6CD435}.exe

Filesize
197KB

MD5
ed83ebf7695e097f87a223937a85d07f

SHA1
262561d6d5614e96ed57a3ab9665f7b49f7420fa

SHA256
4724cd559ae3d2624941ed9d0ad515e73786bc84c32ba1ae50ef3a5c23f093ed

SHA512
d61b2f198b10302cc452e95f25caf87d4b7cbf4e17326c77b08ab700518a67fb2ae1a0dca2b87e6f98f920e49f388ab26966ec566237f433ad2987bf7fa9f010

Download Submit
C:\Windows\{B47BAD9B-E3B4-4ddc-BEDE-740E275CE65A}.exe

Filesize
197KB

MD5
ea56c49631212bef88c8ed3100d11f6a

SHA1
1e2d299343f92619df8a3fbc40d86fb48abd77bb

SHA256
aec051601e313b80feba0de81d0eeddcd654a043c841e655e182aec090fe28a8

SHA512
a49447bbd5e9b47fd3dc38f0295e9a27eff36d4e9abff46280e7ba085785bbeb26c23f74bdcd7bda4fa1e692c4a654f087d42353eb78cb4848b31e6e5b1fbef0

Download Submit
C:\Windows\{BD0349DD-1807-4ca9-9957-C976C74B3149}.exe

Filesize
197KB

MD5
c3f8f8c438a68967740d56a855f1b1a5

SHA1
7d82aaa73f406151cfd42275a62edf688ec94e41

SHA256
6cb13c077366e95e62994505db90255380512bc30df8d8b0f15d922226d80add

SHA512
a9a45f92627ac97caa57fc60347101d45c8606250c649b608227ec3fc2cabc7d6f239de711b804456ed283269b7500987f270cfc1f9a1fe066a8df59f892895c

Download Submit
C:\Windows\{C0C1578C-72C0-4ece-B442-F23E5F3A15EF}.exe

Filesize
197KB

MD5
011a310d9e1ff14c26ae92f4bfa39d8d

SHA1
e36a9f2aea4682514c3fc17db1918f4f6f74688c

SHA256
e63e49e45f7c3b1b1c1bc5d78b95d54fd382091d405f93bb860ef00618f705cb

SHA512
8d07c4b9a19f2307e0e561834c93ee1bd75e009c962c1f6070eff9ad1415510e65df65bba5ca763f414d42fc1ffed3f4037c300a08662d138b89e1c10230b8ce

Download Submit
C:\Windows\{C2D43C54-7F48-440d-BD37-EB17B34046E5}.exe

Filesize
197KB

MD5
90c361c62c9b0a161158cb29d7670df0

SHA1
bbcebbece54f148aadad8e5e74b7f702c0043704

SHA256
ec6ba3dc87c96c591373714c043f4bb57756987c55c79472d26ba39f6d141cb5

SHA512
3436979a4ce9fc6c875e24cb009e936fd0e2b31fa95d479bacf04d6b564bb1007c63e52050959fc41d2cd0662692e08e588e03999992e591256e79ff713c67fa

Download Submit
C:\Windows\{F8F1E880-D4DD-40fe-BC82-A4707D656847}.exe

Filesize
197KB

MD5
a298238690c4e9273c5f2fddf48e8868

SHA1
99d263f1c4e4b15861ad4bef56593e0c3e0b5d1b

SHA256
de0fe6ef5b1120e06bfaaaee38b157d7f26bf63a649dfed03bd799f2294cffdf

SHA512
97e5469056c7ceeefc4173aa1df57237e4623c3984bd15cf0506ea44df046d76bbc618ca806d28d51b0826cf81bfb7c9683112be2d8ffe6c4c356284de8bfba7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads