178b77f54ee8618b22708f08994e0ff23740939ccd9554f891a7b4d097c3c09d

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe
Size

168KB
MD5

5a233bf975f70f2fef1446fe4a9649a5
SHA1

f412e9f2e746ab8d65ff879f622be564f7d3de98
SHA256

178b77f54ee8618b22708f08994e0ff23740939ccd9554f891a7b4d097c3c09d
SHA512

664dccbf8a9d10ae870939cab93d3ea0083f9ca9e8d8066eb821547042c91f5ddbb0927d6dfde3dfc28a4de1e07d49ab528b871f7b6cda6b146b71f9cc574b19
SSDEEP

1536:1EGh0ovli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000144e9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014817-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F43548-CA20-4e79-931D-DB58D02B7ED4}\stubpath = "C:\\Windows\\{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe"	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908ECD0E-64FC-427e-8174-179A615A992B}\stubpath = "C:\\Windows\\{908ECD0E-64FC-427e-8174-179A615A992B}.exe"	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D5308F3-716A-4210-8A1E-31AD615BE987}	{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}	{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}\stubpath = "C:\\Windows\\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe"	{9E103620-2903-46de-9637-64A33E019080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}\stubpath = "C:\\Windows\\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe"	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}\stubpath = "C:\\Windows\\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe"	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D5308F3-716A-4210-8A1E-31AD615BE987}\stubpath = "C:\\Windows\\{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe"	{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}\stubpath = "C:\\Windows\\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe"	{908ECD0E-64FC-427e-8174-179A615A992B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}\stubpath = "C:\\Windows\\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}.exe"	{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}\stubpath = "C:\\Windows\\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe"	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E103620-2903-46de-9637-64A33E019080}	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908ECD0E-64FC-427e-8174-179A615A992B}	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}	{908ECD0E-64FC-427e-8174-179A615A992B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E70495D-769E-473c-AC89-D83BC9A6C210}	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E70495D-769E-473c-AC89-D83BC9A6C210}\stubpath = "C:\\Windows\\{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe"	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E103620-2903-46de-9637-64A33E019080}\stubpath = "C:\\Windows\\{9E103620-2903-46de-9637-64A33E019080}.exe"	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}	{9E103620-2903-46de-9637-64A33E019080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F43548-CA20-4e79-931D-DB58D02B7ED4}	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
2732	{9E103620-2903-46de-9637-64A33E019080}.exe
1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe
2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
1924	{908ECD0E-64FC-427e-8174-179A615A992B}.exe
384	{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
2892	{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe
1504	{E70D790E-F7ED-48a4-BD48-A16F60639CF8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
File created	C:\Windows\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe	{908ECD0E-64FC-427e-8174-179A615A992B}.exe
File created	C:\Windows\{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe	{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
File created	C:\Windows\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe
File created	C:\Windows\{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
File created	C:\Windows\{9E103620-2903-46de-9637-64A33E019080}.exe	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
File created	C:\Windows\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	{9E103620-2903-46de-9637-64A33E019080}.exe
File created	C:\Windows\{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe
File created	C:\Windows\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
File created	C:\Windows\{908ECD0E-64FC-427e-8174-179A615A992B}.exe	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
File created	C:\Windows\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}.exe	{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
Token: SeIncBasePriorityPrivilege	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
Token: SeIncBasePriorityPrivilege	2732	{9E103620-2903-46de-9637-64A33E019080}.exe
Token: SeIncBasePriorityPrivilege	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe
Token: SeIncBasePriorityPrivilege	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
Token: SeIncBasePriorityPrivilege	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
Token: SeIncBasePriorityPrivilege	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
Token: SeIncBasePriorityPrivilege	1924	{908ECD0E-64FC-427e-8174-179A615A992B}.exe
Token: SeIncBasePriorityPrivilege	384	{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
Token: SeIncBasePriorityPrivilege	2892	{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2744	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	28
PID 2976 wrote to memory of 2744	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	28
PID 2976 wrote to memory of 2744	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	28
PID 2976 wrote to memory of 2744	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	28
PID 2976 wrote to memory of 3024	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	29
PID 2976 wrote to memory of 3024	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	29
PID 2976 wrote to memory of 3024	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	29
PID 2976 wrote to memory of 3024	2976	2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe	29
PID 2744 wrote to memory of 2608	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	30
PID 2744 wrote to memory of 2608	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	30
PID 2744 wrote to memory of 2608	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	30
PID 2744 wrote to memory of 2608	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	30
PID 2744 wrote to memory of 2112	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	31
PID 2744 wrote to memory of 2112	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	31
PID 2744 wrote to memory of 2112	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	31
PID 2744 wrote to memory of 2112	2744	{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe	31
PID 2608 wrote to memory of 2732	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	32
PID 2608 wrote to memory of 2732	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	32
PID 2608 wrote to memory of 2732	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	32
PID 2608 wrote to memory of 2732	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	32
PID 2608 wrote to memory of 2680	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	33
PID 2608 wrote to memory of 2680	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	33
PID 2608 wrote to memory of 2680	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	33
PID 2608 wrote to memory of 2680	2608	{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe	33
PID 2732 wrote to memory of 1428	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	36
PID 2732 wrote to memory of 1428	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	36
PID 2732 wrote to memory of 1428	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	36
PID 2732 wrote to memory of 1428	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	36
PID 2732 wrote to memory of 1948	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	37
PID 2732 wrote to memory of 1948	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	37
PID 2732 wrote to memory of 1948	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	37
PID 2732 wrote to memory of 1948	2732	{9E103620-2903-46de-9637-64A33E019080}.exe	37
PID 1428 wrote to memory of 2492	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	38
PID 1428 wrote to memory of 2492	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	38
PID 1428 wrote to memory of 2492	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	38
PID 1428 wrote to memory of 2492	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	38
PID 1428 wrote to memory of 2552	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	39
PID 1428 wrote to memory of 2552	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	39
PID 1428 wrote to memory of 2552	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	39
PID 1428 wrote to memory of 2552	1428	{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe	39
PID 2492 wrote to memory of 1540	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	40
PID 2492 wrote to memory of 1540	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	40
PID 2492 wrote to memory of 1540	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	40
PID 2492 wrote to memory of 1540	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	40
PID 2492 wrote to memory of 1824	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	41
PID 2492 wrote to memory of 1824	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	41
PID 2492 wrote to memory of 1824	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	41
PID 2492 wrote to memory of 1824	2492	{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe	41
PID 1540 wrote to memory of 1624	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	42
PID 1540 wrote to memory of 1624	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	42
PID 1540 wrote to memory of 1624	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	42
PID 1540 wrote to memory of 1624	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	42
PID 1540 wrote to memory of 2636	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	43
PID 1540 wrote to memory of 2636	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	43
PID 1540 wrote to memory of 2636	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	43
PID 1540 wrote to memory of 2636	1540	{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe	43
PID 1624 wrote to memory of 1924	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	44
PID 1624 wrote to memory of 1924	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	44
PID 1624 wrote to memory of 1924	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	44
PID 1624 wrote to memory of 1924	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	44
PID 1624 wrote to memory of 1052	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	45
PID 1624 wrote to memory of 1052	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	45
PID 1624 wrote to memory of 1052	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	45
PID 1624 wrote to memory of 1052	1624	{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_5a233bf975f70f2fef1446fe4a9649a5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
  C:\Windows\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
    C:\Windows\{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{9E103620-2903-46de-9637-64A33E019080}.exe
      C:\Windows\{9E103620-2903-46de-9637-64A33E019080}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe
        
        C:\Windows\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
        
        C:\Windows\{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
        
        C:\Windows\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
        
        C:\Windows\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{908ECD0E-64FC-427e-8174-179A615A992B}.exe
        
        C:\Windows\{908ECD0E-64FC-427e-8174-179A615A992B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
        
        C:\Windows\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe
        
        C:\Windows\{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}.exe
        
        C:\Windows\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D530~1.EXE > nul
        12⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B950E~1.EXE > nul
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{908EC~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7138~1.EXE > nul
        9⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D4A9~1.EXE > nul
        8⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17F43~1.EXE > nul
        7⤵
        
        PID:1824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40E0D~1.EXE > nul
        6⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E103~1.EXE > nul
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E704~1.EXE > nul
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70429~1.EXE > nul
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17F43548-CA20-4e79-931D-DB58D02B7ED4}.exe

Filesize
168KB

MD5
492ae6dcded9108b13f00132df96adac

SHA1
b9a53f199a249de24a1fc687ccf6e0b4ccee6641

SHA256
195fd9e987bf6cf7e9886cef84b1fb207dec1593c9a10ce56d73371d0852375d

SHA512
25007cc5cca687a66105294228b025d6bb89c06a2109d978edc472b874f7ba78b6fc4d1659e38229a035caa14fb47cbbb048aa247d9923031d967f0547393cfd

Download Submit
C:\Windows\{2D5308F3-716A-4210-8A1E-31AD615BE987}.exe

Filesize
168KB

MD5
986e325d680bafdcfe7bb7f6a015f440

SHA1
2939cb0924692934db38472925f06a076a151321

SHA256
4d7a6e8fa5eb24e7c07b159e3bf71321533813f0570b206abcbacbc7c01e575e

SHA512
ec4a7574b02c41cc812223ae43397be302daf9b4759e2e9c76190c438b8a7bfae60849e8592e84392fd07f16c89b24be54616ea2e87eb5159951bcf3191ca200

Download Submit
C:\Windows\{3E70495D-769E-473c-AC89-D83BC9A6C210}.exe

Filesize
168KB

MD5
7efdf6ef854a5e6ebb8017458fff7dea

SHA1
1f6444cd6f1caba47b02a999b04707b6ee425ce2

SHA256
01eb211b96143d91f3388c5114c131cefdff9ec301e375dcb0efa92e02bf2b7a

SHA512
8081d3300fa201c1ab46ce8ff61faf6a257b2088a9d538536246f063745543b5b28374bc5597877fcbbfc7d6f6d6faf4d2a8f230ac01b7c049f76106c70329c9

Download Submit
C:\Windows\{40E0DEF6-3388-4448-BA61-E21FA463A1BA}.exe

Filesize
168KB

MD5
4c5f88d2e00d4d946afd85b414c16266

SHA1
8a4c9c92ac810cc4e69c5a811030ab48a30d632c

SHA256
533725bded0f143cfbc3edda67bbbd5c3b5034fa744578af9e585f062c908c3b

SHA512
57945731c10dacd68ec9a1a14a4b636b981f0ca00a85191c46b6a75d7ae196c15d8f9c0a56c490911a8847d3b938b436e0e6af5e02171796922de795db319a83

Download Submit
C:\Windows\{70429EF2-456F-4cc5-BD00-CBB9DD6ECB17}.exe

Filesize
168KB

MD5
3ddd116ba13e736a36afa2536922c828

SHA1
694295273b7edd78bf20603bd2145319cc976a4f

SHA256
d2e775a074fe6bb5b140e91fd5759f4996154ce73c1a303b8f0b64a1c2f70d61

SHA512
8c97322f53376b93ff059b98b4d954ce27f447c16a3ae4f31bb97e42e8db51afc98473b5467da11aa8ba42e412cee4402807075364046eb4bf0341a2c119ab04

Download Submit
C:\Windows\{908ECD0E-64FC-427e-8174-179A615A992B}.exe

Filesize
168KB

MD5
e14d3319c050d2111bcb2a5fbf2eeaca

SHA1
84e7519904dcb4e70325e864d7f1852580625eaf

SHA256
668ca452ba4310948b4be52e3350a1df3eb33157832a84f1bd83cd3b87e7ba4a

SHA512
da8f2de4b50e89a5551a3f8825c2ddd5605b6d5f4bc5c7ab6a69b946b766840adfcb46426e04a089b7389863794bf9806e35b1c19ee90aff15355461cfafdc3e

Download Submit
C:\Windows\{9D4A92DF-8FBA-40bd-8D25-BECA50848A60}.exe

Filesize
168KB

MD5
28b5412de6eb3971b2c6fc122420a448

SHA1
4a1904b4ae3b3c089e834c6b11c33ed396830676

SHA256
6b1891663601cbda53ae515be0238e8f9c3129ca5b38aced56a06a345f537255

SHA512
8c213c057bb86acb0766b91cb6e651c9b263f5097516e5d5b0206f7fa2584317dcadb4e7445c39aa7efca8e8b0378d98bd407dd2607a8c42e06d67dcb40601f9

Download Submit
C:\Windows\{9E103620-2903-46de-9637-64A33E019080}.exe

Filesize
168KB

MD5
06a5b51b595f4c10e1eb8aef95a57c05

SHA1
87defabca7bbc2b0df9e9f4a086b32fed7f3d707

SHA256
b771e50adf73bbea3131582c4a63d8a77cad4bbf4eb487354592bfd76923a3d9

SHA512
e13b436cfe394fb3457590e168c583e7b9a8356e23f04302a1045a951a7ce9afc32d10176f74a21a87f8aee88825d0ae150cd3a23093a9e3b853b4ac2c156c6d

Download Submit
C:\Windows\{B713823C-03BC-4bbf-BEF9-BB422A07BC21}.exe

Filesize
168KB

MD5
eafbcff24a1bce0d21b389f2aed3fe22

SHA1
190fb799497cd10b3a456522c2106eecdd250310

SHA256
afa90d16eb86b7945c87e04181fdde65b36ee6c79815984ae9bc418fb620aac7

SHA512
db1481efd2fa7da819c2d0d68cb88d00ea9ca826e5706e9f6582957812c7659f48fd6cf7138ddd71cb149e00f4f208aaf11062f23a174dda42d6991718178aa7

Download Submit
C:\Windows\{B950EE29-F01C-4daa-8A8A-B39E048A1AEF}.exe

Filesize
168KB

MD5
19d9be6b4070a207618e4d5e2b028d76

SHA1
8cfc1aebfc389ca578b2257db2f874f38c403c38

SHA256
7bf5e16b54a7e671287b49bd17c8b891380dc246426403434947bfd1da84ac59

SHA512
93db3a178f872242a36447ac9e91fdbbcfb86e98daf55cdb58e4d4194e4809ac5fe01ccd4e6663dab023897a223a0ba87653bf400b785068647b95f543fc42c3

Download Submit
C:\Windows\{E70D790E-F7ED-48a4-BD48-A16F60639CF8}.exe

Filesize
168KB

MD5
0ade0b3da44562a52128a9be3f6b23dd

SHA1
e9e52f4f0b6c351e9ea30b10def6c9fba2a8c053

SHA256
4aa4cc1442a0e1faa905c547c24d8b511fc254bdb5db9a3c366b45431ae0cb3f

SHA512
abe346213dc303b844ff935834045b9fc831cf997c86019e4b2fb1c4b0c92115f3aa374edc3f1c5456a22d395ae7cfb6741448f85d9c7d20235865a1afa35377

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads