c457486470c11b5b4217a9a031f8629ceee9cf17d41b7f32d81a4e8449ea5e32

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Size

180KB
MD5

d2d197af32dcae541b18353dda396ce9
SHA1

c887f4f5a1f8547dcf3aaf15b761323a8d3d6ca2
SHA256

c457486470c11b5b4217a9a031f8629ceee9cf17d41b7f32d81a4e8449ea5e32
SHA512

20a33303a724537f8feb6b7830a0a466b6bc252ccbab3729568b191b91e9f5b817d93b7d88594c91d4fb732c4d47217ac4ff79989fd2bea5e5382d32aad628f6
SSDEEP

3072:jEGh0otlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGDl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000143f9-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143f9-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014534-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143f9-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000143f9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014a5b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000143f9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000143f9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000143f9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49F9DEF-F888-4d44-8A62-774786188E85}	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}\stubpath = "C:\\Windows\\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe"	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}\stubpath = "C:\\Windows\\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe"	{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61D5CA1C-BC43-4204-9BC2-5242471E0700}	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61D5CA1C-BC43-4204-9BC2-5242471E0700}\stubpath = "C:\\Windows\\{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe"	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}\stubpath = "C:\\Windows\\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe"	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF6D94DF-BB84-4a58-9368-025899F910A8}	{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF6D94DF-BB84-4a58-9368-025899F910A8}\stubpath = "C:\\Windows\\{DF6D94DF-BB84-4a58-9368-025899F910A8}.exe"	{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}\stubpath = "C:\\Windows\\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe"	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49F9DEF-F888-4d44-8A62-774786188E85}\stubpath = "C:\\Windows\\{D49F9DEF-F888-4d44-8A62-774786188E85}.exe"	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}\stubpath = "C:\\Windows\\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe"	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}\stubpath = "C:\\Windows\\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe"	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}	{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}\stubpath = "C:\\Windows\\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe"	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}\stubpath = "C:\\Windows\\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe"	{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}	{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe

Deletes itself 1 IoCs

pid	Process
1208	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
2828	{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
1652	{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe
324	{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe
2436	{DF6D94DF-BB84-4a58-9368-025899F910A8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
File created	C:\Windows\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe	{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
File created	C:\Windows\{DF6D94DF-BB84-4a58-9368-025899F910A8}.exe	{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe
File created	C:\Windows\{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
File created	C:\Windows\{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
File created	C:\Windows\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
File created	C:\Windows\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
File created	C:\Windows\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
File created	C:\Windows\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
File created	C:\Windows\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe	{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe
File created	C:\Windows\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
Token: SeIncBasePriorityPrivilege	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
Token: SeIncBasePriorityPrivilege	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
Token: SeIncBasePriorityPrivilege	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
Token: SeIncBasePriorityPrivilege	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
Token: SeIncBasePriorityPrivilege	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
Token: SeIncBasePriorityPrivilege	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
Token: SeIncBasePriorityPrivilege	2828	{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
Token: SeIncBasePriorityPrivilege	1652	{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe
Token: SeIncBasePriorityPrivilege	324	{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2348	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	28
PID 2864 wrote to memory of 2348	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	28
PID 2864 wrote to memory of 2348	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	28
PID 2864 wrote to memory of 2348	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	28
PID 2864 wrote to memory of 1208	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	29
PID 2864 wrote to memory of 1208	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	29
PID 2864 wrote to memory of 1208	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	29
PID 2864 wrote to memory of 1208	2864	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	29
PID 2348 wrote to memory of 2656	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	31
PID 2348 wrote to memory of 2656	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	31
PID 2348 wrote to memory of 2656	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	31
PID 2348 wrote to memory of 2656	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	31
PID 2348 wrote to memory of 2872	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	30
PID 2348 wrote to memory of 2872	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	30
PID 2348 wrote to memory of 2872	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	30
PID 2348 wrote to memory of 2872	2348	{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe	30
PID 2656 wrote to memory of 2868	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	33
PID 2656 wrote to memory of 2868	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	33
PID 2656 wrote to memory of 2868	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	33
PID 2656 wrote to memory of 2868	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	33
PID 2656 wrote to memory of 1180	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	32
PID 2656 wrote to memory of 1180	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	32
PID 2656 wrote to memory of 1180	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	32
PID 2656 wrote to memory of 1180	2656	{D49F9DEF-F888-4d44-8A62-774786188E85}.exe	32
PID 2868 wrote to memory of 2800	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	37
PID 2868 wrote to memory of 2800	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	37
PID 2868 wrote to memory of 2800	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	37
PID 2868 wrote to memory of 2800	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	37
PID 2868 wrote to memory of 3012	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	36
PID 2868 wrote to memory of 3012	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	36
PID 2868 wrote to memory of 3012	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	36
PID 2868 wrote to memory of 3012	2868	{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe	36
PID 2800 wrote to memory of 1552	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	38
PID 2800 wrote to memory of 1552	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	38
PID 2800 wrote to memory of 1552	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	38
PID 2800 wrote to memory of 1552	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	38
PID 2800 wrote to memory of 2516	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	39
PID 2800 wrote to memory of 2516	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	39
PID 2800 wrote to memory of 2516	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	39
PID 2800 wrote to memory of 2516	2800	{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe	39
PID 1552 wrote to memory of 2444	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	40
PID 1552 wrote to memory of 2444	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	40
PID 1552 wrote to memory of 2444	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	40
PID 1552 wrote to memory of 2444	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	40
PID 1552 wrote to memory of 2176	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	41
PID 1552 wrote to memory of 2176	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	41
PID 1552 wrote to memory of 2176	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	41
PID 1552 wrote to memory of 2176	1552	{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe	41
PID 2444 wrote to memory of 2768	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	42
PID 2444 wrote to memory of 2768	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	42
PID 2444 wrote to memory of 2768	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	42
PID 2444 wrote to memory of 2768	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	42
PID 2444 wrote to memory of 2756	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	43
PID 2444 wrote to memory of 2756	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	43
PID 2444 wrote to memory of 2756	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	43
PID 2444 wrote to memory of 2756	2444	{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe	43
PID 2768 wrote to memory of 2828	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	44
PID 2768 wrote to memory of 2828	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	44
PID 2768 wrote to memory of 2828	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	44
PID 2768 wrote to memory of 2828	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	44
PID 2768 wrote to memory of 1316	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	45
PID 2768 wrote to memory of 1316	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	45
PID 2768 wrote to memory of 1316	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	45
PID 2768 wrote to memory of 1316	2768	{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
  C:\Windows\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1A6E~1.EXE > nul
    3⤵
    PID:2872
- - C:\Windows\{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
    C:\Windows\{D49F9DEF-F888-4d44-8A62-774786188E85}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D49F9~1.EXE > nul
      4⤵
      PID:1180
  - - C:\Windows\{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
      C:\Windows\{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61D5C~1.EXE > nul
        5⤵
        
        PID:3012
    - - C:\Windows\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
        
        C:\Windows\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
        
        C:\Windows\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
        
        C:\Windows\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
        
        C:\Windows\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
        
        C:\Windows\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe
        
        C:\Windows\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe
        
        C:\Windows\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{DF6D94DF-BB84-4a58-9368-025899F910A8}.exe
        
        C:\Windows\{DF6D94DF-BB84-4a58-9368-025899F910A8}.exe
        12⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2152~1.EXE > nul
        12⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBB6A~1.EXE > nul
        11⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65A38~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B08C6~1.EXE > nul
        9⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF330~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B685~1.EXE > nul
        7⤵
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CFFE~1.EXE > nul
        6⤵
        
        PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3B685FBD-9266-4e99-8815-DEC4EA6DD126}.exe

Filesize
180KB

MD5
f79a546b51c4618b1c19fbd9d7fab79a

SHA1
64cad1e9ff13844a320188da0c942d6c728f5a36

SHA256
acfc35668f95dba2a4084364b876bbcf09c660efd54daa0105d0a40feecd0556

SHA512
a08017f1f3f542753c4c38809da38b4539bdbbafd98a73774836d80d11dcc5123ef9c7cb92fe903a6773cea04aa86ce8c2c8441f3f89af53bceb0881ffa113e7

Download Submit
C:\Windows\{61D5CA1C-BC43-4204-9BC2-5242471E0700}.exe

Filesize
180KB

MD5
66dfd610ba3d2b12660193c1c7a46a95

SHA1
4d9fec90674fcc977ffc3a4341abf32d82fc6920

SHA256
4bdd997c711f00064aa22551b24e47ed0f629ec7877156b0c97da691c5cf099b

SHA512
6aeffd694f0667387b13cac9e521c97a8e72e11f029aa8eee2534a4fc637cbab4bb31f0545d522d4a5713a33f40c77388c9128e5362e50108ae8b37ebfb4345f

Download Submit
C:\Windows\{65A38766-1FC6-46a8-A13F-E903E44DCFDA}.exe

Filesize
180KB

MD5
b5ec7f9645100e0902c9ffff347ec1b1

SHA1
c5d24102a5e1ee07f41686731295c3e424fcf5a5

SHA256
32e2eb6913dccec0868e4b53b174c7463edb881d8211c030b79e9242e86c98ef

SHA512
01f0af766e61a1aff5d68ca944c71164c1ab430207a50c6fc2dd4fa98859a29ffa860e3b0a38f7b47e214d1ede8a3565cf5a937fc152265c45e2a81b3cda7504

Download Submit
C:\Windows\{7CFFEFEF-6DE1-48a9-9E99-2A6892CE517E}.exe

Filesize
180KB

MD5
02438fe4b5108ea75a58b541c3f3553c

SHA1
ee2b64b94f62be5a021f746c9512d3de1e4562ea

SHA256
8e099077e841e2343d958a06aaa43716eff0886fc3c642b3587d5a540ca58259

SHA512
ebc58886c360571f65d7dea4f724220adc16dc4d986ea3a345c2dd9adfca7a555a6a7386e9c41449426c5d3fca541091e756bf4d99d29ddc598621a4618c3b3d

Download Submit
C:\Windows\{B08C6C33-D529-4942-A4DB-B28DAD5E3D85}.exe

Filesize
180KB

MD5
56b48dd80fc0c8587530e2bdd13f03d3

SHA1
0725dc87b7b828feff780ba2e3142f74f14569bf

SHA256
7f06704b3efb5f940c043f1d682dce0ac93de513d44dc23a20120881719a1cf7

SHA512
bdbaa24c0f311dc2603e65a49e5e98a8e9383660bef996e617150574ca4bc1f7358a8c3899de3acba6dd4fe02ff85981687ae5fd714ef4a23e78ba7b8df024cb

Download Submit
C:\Windows\{CF3300E5-0098-425f-B75A-EDBE58B4C1CF}.exe

Filesize
180KB

MD5
50ed7bc43e3be59bafbdb4aae0284afc

SHA1
ef8aa85f735fc73a9f4be6bc20f1973cfca0f1bf

SHA256
4dec50e9d4871e8a5a37bd75fb705947a65a7896f397b4c1b3af8deec1319280

SHA512
89f769debb881eb93f8993da545faefaa5944beb33d2c69a8f1d6fc7f45f69ea1617660f71f93d484e04cadceb2aa34d42a32bd113ac3ecd17c1feec6359c243

Download Submit
C:\Windows\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe

Filesize
114KB

MD5
aab88f38bc0a086584258dfff3d5b4e0

SHA1
d4180f33e4bc17827c9cfcb04f40665ceaf35748

SHA256
18c3d996033ca059beea477c854489c6efcd7eac6f7789b45349a5c26d032ac2

SHA512
e082a16d2a166a270804c61bddf3b7d9fe55acd04e2c1955ac245a5c5c268b2898ebe57c41385b7d916d56d80ee12aedf9851086427cf6a3036041f33c0e660b

Download Submit
C:\Windows\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe

Filesize
82KB

MD5
ef79efa611da2af6f28395ac622115d2

SHA1
36d7ca54f6aec7edb71b6c3178364005ff466c29

SHA256
f401c52534bb4f997eca89a85145bc500cf4f47367255e64833d6b19302d0218

SHA512
75605ce6a854e84b4aacc054eaa6ba94582e6df761885494fcd429285b0fba8d385e0cd99337179cd81b640afdc9c9487037ff88dba295b441a3caf0dbe5e846

Download Submit
C:\Windows\{D1A6EABC-95E0-4729-AEB5-7D49955B429D}.exe

Filesize
180KB

MD5
7589847a8469b9ce086df98e2a68f40c

SHA1
ac0cc500263fc404b79169e631e6513a0d8c7233

SHA256
edc9238edf23cdbe8bf9ab682b584228a76bc138b3a8a3cb4c609742f3fa63d0

SHA512
c29458b1e4f54b229292077eefe6812e6e3634ecebdd691dcd80decc64b5abf94d0cacc518e20425089a75dde59541dac7fc23a77ea36a4cf2d314218f4b01b5

Download Submit
C:\Windows\{D215226F-6B3A-4797-B35F-1ACEDDCF2042}.exe

Filesize
180KB

MD5
7fbffc3d91e56c2caf870be0adf118e6

SHA1
c6cbfd283c10707b66c407932d55d6a37f29bd78

SHA256
375c2420c0aa18d0108086d9d30c8dfefc15b2007566d4751e5f95e6bdac818d

SHA512
19a3fc7059859675124b7c1cb386b6a32f7aa06403cc4fa21cc2482dadcb6edc045e13464871fcaad33827685adce9ff069b542f48c012739ab2bd2b49e9eabd

Download Submit
C:\Windows\{D49F9DEF-F888-4d44-8A62-774786188E85}.exe

Filesize
180KB

MD5
397662d65365364a74edeceef51658f0

SHA1
e06ab820cde06b8a0ebf3f30d992824b8f62ea12

SHA256
7b73442674ddbb0e185da1208fbd5d266e7d4be1504e92fea0f9abe0633e84fa

SHA512
fb1387478008fb50d786a3fd6320ba704ff41cb8cd0d8fe317d667fd41c67e7ac3f603c4c8c895c58f570da5d38ccb96708568c37645d11cb13dad06f01daf50

Download Submit
C:\Windows\{DBB6AF6A-96EC-4da3-B67E-D62C93EA88C0}.exe

Filesize
180KB

MD5
b41753ba7ec63779c89b63f357976a26

SHA1
f7d717d1ad82ce19cb0a7a81d5c6725ba775b7bc

SHA256
c7eb04265550c232a4e77faec2880829d0cb7c8efba26859fba25724b06966c3

SHA512
52e99fd38d627599db834019445d722c53b5d6eb2f3498be9d5b88d9f3309a43bb44044f8b439bd0bd3a6117f698783e59acf6c56983063990e589b7f4f30648

Download Submit
C:\Windows\{DF6D94DF-BB84-4a58-9368-025899F910A8}.exe

Filesize
180KB

MD5
90cdd0a3ed4539530b8a0d83a6b5a24b

SHA1
dbf8d20f2d3ee5f9dac0d585edc25c3d6e9020eb

SHA256
7386fd8c889121125b14ba25df94225556bd37ce8815c963576f3a1e89074c7f

SHA512
372bf9c7811f560eaa12d30618b537465f17228ade7fd244a92c4c80f26e23c2804ef8799f57da2c72eef3fbcdef5d6446bdba6be69487c5e9099ee4c6aeee6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads