31c20f14a067954491e8a8b1c3878c86c474d6eb4443eb12cb7626ffc89932e3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Size

168KB
MD5

8dde4259a21d9d6c67d104d580d3207a
SHA1

631f10f8b70b576af50c9a8bc1f868310c1dc15a
SHA256

31c20f14a067954491e8a8b1c3878c86c474d6eb4443eb12cb7626ffc89932e3
SHA512

70e000a370b9ae83264f729e392484a4db71a23be594bbb943565e8424e2c53b69c40817bb96d43ae3c174f07f7e2ca932aa67f4758e491db7a8e3a635e5ba8a
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015c4c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cb0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c4c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cbd-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015c4c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015c4c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015c4c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DC7164-2D55-45bc-9C01-16F769D00650}	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DC7164-2D55-45bc-9C01-16F769D00650}\stubpath = "C:\\Windows\\{01DC7164-2D55-45bc-9C01-16F769D00650}.exe"	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FB82DA6-00B7-42c4-B008-F783129F734A}\stubpath = "C:\\Windows\\{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe"	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}\stubpath = "C:\\Windows\\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe"	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27D532F-6080-496d-9C19-C9E053EE663C}	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CB73660-75A9-4607-8247-90B49ED33D58}	{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}\stubpath = "C:\\Windows\\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe"	{5CB73660-75A9-4607-8247-90B49ED33D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}\stubpath = "C:\\Windows\\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe"	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}\stubpath = "C:\\Windows\\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe"	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27D532F-6080-496d-9C19-C9E053EE663C}\stubpath = "C:\\Windows\\{D27D532F-6080-496d-9C19-C9E053EE663C}.exe"	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CB73660-75A9-4607-8247-90B49ED33D58}\stubpath = "C:\\Windows\\{5CB73660-75A9-4607-8247-90B49ED33D58}.exe"	{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}	{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}\stubpath = "C:\\Windows\\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}.exe"	{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}\stubpath = "C:\\Windows\\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe"	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FB82DA6-00B7-42c4-B008-F783129F734A}	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}\stubpath = "C:\\Windows\\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe"	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}	{5CB73660-75A9-4607-8247-90B49ED33D58}.exe

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
1456	{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
2212	{5CB73660-75A9-4607-8247-90B49ED33D58}.exe
1236	{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe
908	{2844D2A5-CE9C-4c84-B1E0-5044F1444014}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
File created	C:\Windows\{5CB73660-75A9-4607-8247-90B49ED33D58}.exe	{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
File created	C:\Windows\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe	{5CB73660-75A9-4607-8247-90B49ED33D58}.exe
File created	C:\Windows\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
File created	C:\Windows\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
File created	C:\Windows\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
File created	C:\Windows\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
File created	C:\Windows\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
File created	C:\Windows\{D27D532F-6080-496d-9C19-C9E053EE663C}.exe	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
File created	C:\Windows\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}.exe	{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe
File created	C:\Windows\{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
Token: SeIncBasePriorityPrivilege	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
Token: SeIncBasePriorityPrivilege	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
Token: SeIncBasePriorityPrivilege	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
Token: SeIncBasePriorityPrivilege	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
Token: SeIncBasePriorityPrivilege	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
Token: SeIncBasePriorityPrivilege	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
Token: SeIncBasePriorityPrivilege	1456	{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
Token: SeIncBasePriorityPrivilege	2212	{5CB73660-75A9-4607-8247-90B49ED33D58}.exe
Token: SeIncBasePriorityPrivilege	1236	{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2420	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	28
PID 2912 wrote to memory of 2420	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	28
PID 2912 wrote to memory of 2420	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	28
PID 2912 wrote to memory of 2420	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	28
PID 2912 wrote to memory of 2468	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	29
PID 2912 wrote to memory of 2468	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	29
PID 2912 wrote to memory of 2468	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	29
PID 2912 wrote to memory of 2468	2912	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	29
PID 2420 wrote to memory of 2588	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	30
PID 2420 wrote to memory of 2588	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	30
PID 2420 wrote to memory of 2588	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	30
PID 2420 wrote to memory of 2588	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	30
PID 2420 wrote to memory of 872	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	31
PID 2420 wrote to memory of 872	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	31
PID 2420 wrote to memory of 872	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	31
PID 2420 wrote to memory of 872	2420	{01DC7164-2D55-45bc-9C01-16F769D00650}.exe	31
PID 2588 wrote to memory of 2624	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	32
PID 2588 wrote to memory of 2624	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	32
PID 2588 wrote to memory of 2624	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	32
PID 2588 wrote to memory of 2624	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	32
PID 2588 wrote to memory of 2496	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	33
PID 2588 wrote to memory of 2496	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	33
PID 2588 wrote to memory of 2496	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	33
PID 2588 wrote to memory of 2496	2588	{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe	33
PID 2624 wrote to memory of 1016	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	36
PID 2624 wrote to memory of 1016	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	36
PID 2624 wrote to memory of 1016	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	36
PID 2624 wrote to memory of 1016	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	36
PID 2624 wrote to memory of 2644	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	37
PID 2624 wrote to memory of 2644	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	37
PID 2624 wrote to memory of 2644	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	37
PID 2624 wrote to memory of 2644	2624	{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe	37
PID 1016 wrote to memory of 2736	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	38
PID 1016 wrote to memory of 2736	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	38
PID 1016 wrote to memory of 2736	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	38
PID 1016 wrote to memory of 2736	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	38
PID 1016 wrote to memory of 2220	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	39
PID 1016 wrote to memory of 2220	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	39
PID 1016 wrote to memory of 2220	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	39
PID 1016 wrote to memory of 2220	1016	{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe	39
PID 2736 wrote to memory of 1768	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	40
PID 2736 wrote to memory of 1768	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	40
PID 2736 wrote to memory of 1768	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	40
PID 2736 wrote to memory of 1768	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	40
PID 2736 wrote to memory of 2396	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	41
PID 2736 wrote to memory of 2396	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	41
PID 2736 wrote to memory of 2396	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	41
PID 2736 wrote to memory of 2396	2736	{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe	41
PID 1768 wrote to memory of 2300	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	42
PID 1768 wrote to memory of 2300	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	42
PID 1768 wrote to memory of 2300	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	42
PID 1768 wrote to memory of 2300	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	42
PID 1768 wrote to memory of 2516	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	43
PID 1768 wrote to memory of 2516	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	43
PID 1768 wrote to memory of 2516	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	43
PID 1768 wrote to memory of 2516	1768	{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe	43
PID 2300 wrote to memory of 1456	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	44
PID 2300 wrote to memory of 1456	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	44
PID 2300 wrote to memory of 1456	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	44
PID 2300 wrote to memory of 1456	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	44
PID 2300 wrote to memory of 1136	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	45
PID 2300 wrote to memory of 1136	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	45
PID 2300 wrote to memory of 1136	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	45
PID 2300 wrote to memory of 1136	2300	{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
  C:\Windows\{01DC7164-2D55-45bc-9C01-16F769D00650}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
    C:\Windows\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
      C:\Windows\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
        
        C:\Windows\{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
        
        C:\Windows\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
        
        C:\Windows\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
        
        C:\Windows\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
        
        C:\Windows\{D27D532F-6080-496d-9C19-C9E053EE663C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{5CB73660-75A9-4607-8247-90B49ED33D58}.exe
        
        C:\Windows\{5CB73660-75A9-4607-8247-90B49ED33D58}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe
        
        C:\Windows\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}.exe
        
        C:\Windows\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}.exe
        12⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0181A~1.EXE > nul
        12⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CB73~1.EXE > nul
        11⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D27D5~1.EXE > nul
        10⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4B47~1.EXE > nul
        9⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA3C~1.EXE > nul
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{149BD~1.EXE > nul
        7⤵
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FB82~1.EXE > nul
        6⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04EBE~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9093A~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01DC7~1.EXE > nul
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0181A508-28E0-4ac5-A7B8-0DCCB37D5C57}.exe

Filesize
168KB

MD5
753a002bfddf26bc54793c4d5e326ee6

SHA1
c7e316023e781ed25c54c30d59d998f7084433b0

SHA256
5a6387460e769cfc263e17903630017ddf70e75c4083f676f038cb70264d6739

SHA512
4289d9484be93830f2dbb07aa7b449f085fe062300194b5d6a2185d8324c45dfcd10c90fd994c7b7516acc55690c9a97ca4beb598b77c71fea91cd535180bbc2

Download Submit
C:\Windows\{01DC7164-2D55-45bc-9C01-16F769D00650}.exe

Filesize
168KB

MD5
b4422147e343dd6dd82e854e3d7a9ba5

SHA1
8a9e226671bc34134b6d235d91d63e907e023630

SHA256
5384013ed61784d2ae3aa93625541cc996d8b5a1a5532e07a5b0bdbfc1e2d1e3

SHA512
42e31d4184ce1214ece184b61f63fe1bd397d5f8b7cd32602f02c833b30eb6eb6b7ed567ddca636a20ae870a72d4ace1862b959dd7ec5280414aec28d43e13a0

Download Submit
C:\Windows\{04EBE387-40E4-4e9c-B0DF-0EC0C7E21229}.exe

Filesize
168KB

MD5
22d24189b75ff5cf6b9bc4a059d0ee18

SHA1
fc2085e12645c3fbbdfc3df07a3268aebe0adad2

SHA256
b612a06796974ed70bfb32ea087ecdd00d9f8e83cb923fd5851ad263ddcb7350

SHA512
76404b33983539890582948e42886b6d957e0de112997c102ee1086517344c397da6604e5abaf0e0ddfddb8b7ab6df702fddafd800ba51256e00f97620b3af7a

Download Submit
C:\Windows\{149BD869-9CBF-411c-91AA-69D7F50FA0CE}.exe

Filesize
168KB

MD5
41b4a5d8b41b531bfc1337cfdb3e9118

SHA1
5d185729965ee3085def6894958f90f1f4a833de

SHA256
9ccc4f8b5c3cd5f29b976417871e7d245547eeb78e7b5a5fe85d4c7d31c85fba

SHA512
765610372478599696a7bd4da4f45b7e1d781bbf8c0206b986e6ac60e5dfe865b5bd7db51cd76de7c0b17805dec4c26af8aaf1042434f9a9094492214987c697

Download Submit
C:\Windows\{1FB82DA6-00B7-42c4-B008-F783129F734A}.exe

Filesize
168KB

MD5
2583ca8e285e00708c87a1a67d94093e

SHA1
6e1f32457d307ffc5e56c851cc21dacf76c53df6

SHA256
da2ec9df269dd06845eddfa168b68cfa0a80769cd5e4562e24b66591f61be9b1

SHA512
5e12aad18a4199bcaeac2d66f843740c85460ab4714d4dd3bf97849b9e99c82817034b5251ed9e95f788936aee4e68856199ce09373e17d14a7c94d819186fa7

Download Submit
C:\Windows\{2844D2A5-CE9C-4c84-B1E0-5044F1444014}.exe

Filesize
168KB

MD5
7aa7aec938931299e75e5fc8e973cec2

SHA1
a4735229b1bc9d954f49fe222db269c3c44524c4

SHA256
2d28a26ab0994d20f1a12805f7270f10d3fd88ba7ba4f1620df133fc45f07f8c

SHA512
2b824e55c4d73fa352ae095e4f2f4f6eb24a2c6984b9cbe7a34e192a36471c158a61356efe98584a3b59ad8dde26826877e88834db52a64ab159e6764b7d3f77

Download Submit
C:\Windows\{5CB73660-75A9-4607-8247-90B49ED33D58}.exe

Filesize
168KB

MD5
562b2a605c959f711b372c87675a2fab

SHA1
a8418d99e39bc8208ddb5bb15168f4c87bedd707

SHA256
77ff3ff26276ae36172ae420ac4313ee89be7c31fe1ebed8410d95bafc2ff117

SHA512
0d79dd386bcc980f25a9645104ed618b39518f6d66b1d61580154705e4dc7bfcb0074d3377e9bc46e2b30d4158a804705ebf51d61da137d7bb19c69b30cdaff7

Download Submit
C:\Windows\{9093A61A-3C0B-41c7-8CF5-81946E3672DC}.exe

Filesize
168KB

MD5
8d49d648c24f2cd899e3dd365ba86afc

SHA1
f45acf71fca79c9922190dc8ed36c243ef0ec694

SHA256
8550a6f0f55c293ddd8af8f1047666027a0886aa32368aec9c4b631076683f0c

SHA512
ebdc13fd733aab9170138c8ef97326ce58ee440f4322f38d6c8dc0b62be13e1ebcd740ced0f53f7276b73cd1585d4baf0e337696ef1cd427a36ef1a884cc5401

Download Submit
C:\Windows\{CEA3C75A-24E1-4cb6-8FFA-18CCB5B8ECB0}.exe

Filesize
168KB

MD5
c8f21c36aa2c23af60e3ef8b418a6352

SHA1
4ea395e31482f7597f8fbfd71e273e3a92e0d7df

SHA256
d1574bb36435f87e333b4e900afed1c4f1184bb03305ceb32b991e309c319e64

SHA512
ed8ced7987d68a9d9dd95aa9d5a115e4684bf1513f3b008cd6bc9312b56e79890f954fdf20713e6d60ff7c863229f116eae4c1ebead936f374d0d2c198fae784

Download Submit
C:\Windows\{D27D532F-6080-496d-9C19-C9E053EE663C}.exe

Filesize
168KB

MD5
401d4f1f5b79dfd9edb925e18bce07c0

SHA1
f90b6e067c98d84f48a46dc516316b727d9ae710

SHA256
ca6dc63e69f820d5055bcdcab3564347d977440009a6afabdd1134675c1231a2

SHA512
1bde5a9da73d03b193c8909c5180203f0fcbc6a6a592485412f52ea5bc92f94bdd80e78892761c102d5c595d51a336c9d68a3990012c9e91062bb93d79f208d7

Download Submit
C:\Windows\{F4B474F1-B5B2-4843-B15A-150FFDE27C8B}.exe

Filesize
168KB

MD5
b285bc3a53f572eeab64ac4c005a1299

SHA1
d5daf02cff0e913bc6278df5dc58a5f544769fab

SHA256
632b1c4b77c0f5af03d1cd8156346f5ab32c8d2f1c3f030a6d49666b136b97af

SHA512
6771e5e10794acde12c1fb8239d3f2200062851fdfb36faf1c0ea876209c17f3de7d2d3eeeb739a2b7048803e6fca10de230df79b9f1d990b634b2b4f19ca2f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads