4a30a93c0e2f23d037dfcdc297630f75fc6a68a82474a545746153e82f86bae2

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Size

168KB
MD5

e9c6200c1c6475a57578d300c0d0ae67
SHA1

041fdae48a8f53670a5aa6e3af6845ef1e2d0b3a
SHA256

4a30a93c0e2f23d037dfcdc297630f75fc6a68a82474a545746153e82f86bae2
SHA512

26f2a72385d8181a8e6ec7b9aea0e8a78ef8f3154dcc3109f23b51e7cf2d7bbb488f54323b016738ace2ca3d73c7b9c8b8dace0bc0b9a30de111a26a179c93c6
SSDEEP

1536:1EGh0ollq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ollqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b00000001490f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c00000001490f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d00000001490f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e00000001490f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f00000001490f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9359BD0-160F-4c58-B3CA-875DBD51D498}\stubpath = "C:\\Windows\\{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe"	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0AC535F-2116-4c43-B675-5FF88AE53207}	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{956F561A-FC58-41f4-BCCA-00039067C043}	{19B0388C-590F-4b19-B680-D647EE430394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}	{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}	{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9359BD0-160F-4c58-B3CA-875DBD51D498}	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0AC535F-2116-4c43-B675-5FF88AE53207}\stubpath = "C:\\Windows\\{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe"	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B0388C-590F-4b19-B680-D647EE430394}\stubpath = "C:\\Windows\\{19B0388C-590F-4b19-B680-D647EE430394}.exe"	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}\stubpath = "C:\\Windows\\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe"	{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}\stubpath = "C:\\Windows\\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe"	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEE4D25-323B-489d-BC92-AA0707773E8E}	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEE4D25-323B-489d-BC92-AA0707773E8E}\stubpath = "C:\\Windows\\{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe"	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB89009B-D83E-4fb6-815E-E75DF7477E43}	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB89009B-D83E-4fb6-815E-E75DF7477E43}\stubpath = "C:\\Windows\\{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe"	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B0388C-590F-4b19-B680-D647EE430394}	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}	{956F561A-FC58-41f4-BCCA-00039067C043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}\stubpath = "C:\\Windows\\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe"	{956F561A-FC58-41f4-BCCA-00039067C043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FC58D6-FFB5-4b62-8113-0CEA1512E8D2}	{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}\stubpath = "C:\\Windows\\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe"	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{956F561A-FC58-41f4-BCCA-00039067C043}\stubpath = "C:\\Windows\\{956F561A-FC58-41f4-BCCA-00039067C043}.exe"	{19B0388C-590F-4b19-B680-D647EE430394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}\stubpath = "C:\\Windows\\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe"	{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FC58D6-FFB5-4b62-8113-0CEA1512E8D2}\stubpath = "C:\\Windows\\{C6FC58D6-FFB5-4b62-8113-0CEA1512E8D2}.exe"	{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe

Deletes itself 1 IoCs

pid	Process
2144	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe
1540	{956F561A-FC58-41f4-BCCA-00039067C043}.exe
1308	{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
2380	{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe
2288	{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
File created	C:\Windows\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
File created	C:\Windows\{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
File created	C:\Windows\{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
File created	C:\Windows\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe	{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
File created	C:\Windows\{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
File created	C:\Windows\{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
File created	C:\Windows\{19B0388C-590F-4b19-B680-D647EE430394}.exe	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
File created	C:\Windows\{956F561A-FC58-41f4-BCCA-00039067C043}.exe	{19B0388C-590F-4b19-B680-D647EE430394}.exe
File created	C:\Windows\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe	{956F561A-FC58-41f4-BCCA-00039067C043}.exe
File created	C:\Windows\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe	{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe
File created	C:\Windows\{C6FC58D6-FFB5-4b62-8113-0CEA1512E8D2}.exe	{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
Token: SeIncBasePriorityPrivilege	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
Token: SeIncBasePriorityPrivilege	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
Token: SeIncBasePriorityPrivilege	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
Token: SeIncBasePriorityPrivilege	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
Token: SeIncBasePriorityPrivilege	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
Token: SeIncBasePriorityPrivilege	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe
Token: SeIncBasePriorityPrivilege	1540	{956F561A-FC58-41f4-BCCA-00039067C043}.exe
Token: SeIncBasePriorityPrivilege	1308	{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
Token: SeIncBasePriorityPrivilege	2380	{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2440	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	28
PID 2000 wrote to memory of 2440	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	28
PID 2000 wrote to memory of 2440	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	28
PID 2000 wrote to memory of 2440	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	28
PID 2000 wrote to memory of 2144	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	29
PID 2000 wrote to memory of 2144	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	29
PID 2000 wrote to memory of 2144	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	29
PID 2000 wrote to memory of 2144	2000	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	29
PID 2440 wrote to memory of 2700	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	30
PID 2440 wrote to memory of 2700	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	30
PID 2440 wrote to memory of 2700	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	30
PID 2440 wrote to memory of 2700	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	30
PID 2440 wrote to memory of 2728	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	31
PID 2440 wrote to memory of 2728	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	31
PID 2440 wrote to memory of 2728	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	31
PID 2440 wrote to memory of 2728	2440	{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe	31
PID 2700 wrote to memory of 2644	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	34
PID 2700 wrote to memory of 2644	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	34
PID 2700 wrote to memory of 2644	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	34
PID 2700 wrote to memory of 2644	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	34
PID 2700 wrote to memory of 3024	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	35
PID 2700 wrote to memory of 3024	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	35
PID 2700 wrote to memory of 3024	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	35
PID 2700 wrote to memory of 3024	2700	{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe	35
PID 2644 wrote to memory of 1584	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	36
PID 2644 wrote to memory of 1584	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	36
PID 2644 wrote to memory of 1584	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	36
PID 2644 wrote to memory of 1584	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	36
PID 2644 wrote to memory of 592	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	37
PID 2644 wrote to memory of 592	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	37
PID 2644 wrote to memory of 592	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	37
PID 2644 wrote to memory of 592	2644	{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe	37
PID 1584 wrote to memory of 1588	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	38
PID 1584 wrote to memory of 1588	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	38
PID 1584 wrote to memory of 1588	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	38
PID 1584 wrote to memory of 1588	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	38
PID 1584 wrote to memory of 764	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	39
PID 1584 wrote to memory of 764	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	39
PID 1584 wrote to memory of 764	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	39
PID 1584 wrote to memory of 764	1584	{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe	39
PID 1588 wrote to memory of 2884	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	40
PID 1588 wrote to memory of 2884	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	40
PID 1588 wrote to memory of 2884	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	40
PID 1588 wrote to memory of 2884	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	40
PID 1588 wrote to memory of 2504	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	41
PID 1588 wrote to memory of 2504	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	41
PID 1588 wrote to memory of 2504	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	41
PID 1588 wrote to memory of 2504	1588	{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe	41
PID 2884 wrote to memory of 2496	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	42
PID 2884 wrote to memory of 2496	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	42
PID 2884 wrote to memory of 2496	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	42
PID 2884 wrote to memory of 2496	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	42
PID 2884 wrote to memory of 768	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	43
PID 2884 wrote to memory of 768	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	43
PID 2884 wrote to memory of 768	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	43
PID 2884 wrote to memory of 768	2884	{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe	43
PID 2496 wrote to memory of 1540	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	44
PID 2496 wrote to memory of 1540	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	44
PID 2496 wrote to memory of 1540	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	44
PID 2496 wrote to memory of 1540	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	44
PID 2496 wrote to memory of 1512	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	45
PID 2496 wrote to memory of 1512	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	45
PID 2496 wrote to memory of 1512	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	45
PID 2496 wrote to memory of 1512	2496	{19B0388C-590F-4b19-B680-D647EE430394}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
  C:\Windows\{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
    C:\Windows\{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
      C:\Windows\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
        
        C:\Windows\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
        
        C:\Windows\{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
        
        C:\Windows\{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{19B0388C-590F-4b19-B680-D647EE430394}.exe
        
        C:\Windows\{19B0388C-590F-4b19-B680-D647EE430394}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{956F561A-FC58-41f4-BCCA-00039067C043}.exe
        
        C:\Windows\{956F561A-FC58-41f4-BCCA-00039067C043}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
        
        C:\Windows\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe
        
        C:\Windows\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe
        
        C:\Windows\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0321~1.EXE > nul
        13⤵
        
        PID:2184
        
        C:\Windows\{C6FC58D6-FFB5-4b62-8113-0CEA1512E8D2}.exe
        
        C:\Windows\{C6FC58D6-FFB5-4b62-8113-0CEA1512E8D2}.exe
        13⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B49~1.EXE > nul
        12⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C85B3~1.EXE > nul
        11⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{956F5~1.EXE > nul
        10⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19B03~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB890~1.EXE > nul
        8⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBEE4~1.EXE > nul
        7⤵
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E829~1.EXE > nul
        6⤵
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6D5~1.EXE > nul
        5⤵
        
        PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0AC5~1.EXE > nul
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E9359~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19B0388C-590F-4b19-B680-D647EE430394}.exe

Filesize
168KB

MD5
ee765e2f74a196dd56d65e3fd0612127

SHA1
d9ea13b5fb6696af8d05e6800f3fe406111db954

SHA256
fbc2f216a54b8f0013ada80f3f3e030ad246821299967c75d9e3a76e4923011b

SHA512
e9445c80bb24c27c57bc4cfe7f25ba486f1cd09dae43a0a21ca18d24e7db19f835e6051fb04dab93b2d8c55a13d3a948bb4563155ee4d953a2e11325bcdb3d05

Download Submit
C:\Windows\{956F561A-FC58-41f4-BCCA-00039067C043}.exe

Filesize
168KB

MD5
598a7a4e35d40926a632afb5141e5d1c

SHA1
2edd809fbc464b8242e5acbdbec0578ffb94ec33

SHA256
dd7fca1630998799eea5afd095049c76e3793c7fc660c066d726e9f1df6290c5

SHA512
bf6b58de590135341dd23ef1a325ec73ab128a4a95a80862342caae02a8bbdc2047a6abe5121d77e3e2cfc6174cfe86017b2e31be6708e5288f7aad0b86c229b

Download Submit
C:\Windows\{9E8290E3-7987-43d0-84C4-E6D5AB0B2B84}.exe

Filesize
168KB

MD5
6f7f1725718bcbf920203a731e430ed9

SHA1
5599e89c6930c8720233d6dfe82f305bb1284719

SHA256
24e5428a3c1f41c615a34ad37fb85cc885c360de66ecf2c5e6e34c02f38cde26

SHA512
38852faca85e58aacae450f7ee2c81bcfd3c5816ecb3c54b7d95d6b48f70cab9669f6e5911be29a27d986c75703c4905a11a4ab01ab472dc917244fb333622a5

Download Submit
C:\Windows\{BB89009B-D83E-4fb6-815E-E75DF7477E43}.exe

Filesize
168KB

MD5
3e34a6b6d0ba3e8c76e7a79ee7b04292

SHA1
28aefe4c14cd4017e71efc7adfdad9eb4acca9fe

SHA256
a226c97dd59b18c57b1973fe4417ca9fd7227978c27144a91b5d872860c01257

SHA512
77b25c4431627db9545d6144223aa4baa2b535fb6051d705f32f533e69eef17d65622059fb98363450e64ab1a72d8aa0bb6ba3aef505c89654d419f340156724

Download Submit
C:\Windows\{BD6D55B3-5089-4e6d-9A3F-5C6904F8854C}.exe

Filesize
168KB

MD5
8982a7d68484f992241bb2943acbb6a3

SHA1
6356b09486ce6c60bd99e8e0271bb50fc8db5034

SHA256
a0e61a2124c5b5838057678eec00f45fed399c28e5f75afe13d547e54167be9d

SHA512
3fbbcaed52fdd5c3557ee29ba4cd06c258246e0259a274cf404f162eb3fb03c8f15e9d7dbe15924bda2ea5701b3f8b90f7be672b364743003ea10d1a6f9d541f

Download Submit
C:\Windows\{C85B3DF3-9BD9-438d-AE8B-3DC9127FBE64}.exe

Filesize
168KB

MD5
232bf278cf318f79795113201e517d0d

SHA1
55b538aa2f47f0bc1486aeea99b235eb18560a12

SHA256
2c053f5a229a1873bd4c719b2c5b9a39a44802964ee02a75a37041f0b35c17e1

SHA512
49559b3c33ca846ce74b508c0e0f0e42412e8af8a9769eeece12665be5931a99c7d316d9dc243960578afe29ee6e20f9aefaae0fe11b6f47e456db4b290f04c1

Download Submit
C:\Windows\{D0AC535F-2116-4c43-B675-5FF88AE53207}.exe

Filesize
168KB

MD5
b1f468ef041a22b7b249076c33802ffe

SHA1
1971a5f0dd6a70e2e6e750c910f2e10ae47639a1

SHA256
98642b67cac1e2c7d56fa01fd2b4039675d599ad8d98a60462e59a4590e09ef7

SHA512
fd048ddc97bb4ce51e07cb07f081c6f42c85e2c5c7ebd79a5959a4695590e3fd845400c755d3e1ffb20227b853250c885250e5e165007212841456f13b6e150f

Download Submit
C:\Windows\{E5B499A8-AB54-4a5f-95DC-782185F7C09C}.exe

Filesize
168KB

MD5
6a60b358baea3c157a3a0527e1dfdfa5

SHA1
5b278051422700b4d14de87f0c227d1062a119e3

SHA256
5fa4b4b9ce0e4a725049af621dfa024319f5157191bb6ac77454a1c6df93deae

SHA512
f75593c0c0778af8b66c9c69dbf7cd4854a7344d3dcee2897432fb9d6e2fd3af843bfac8f03daa6ec4f0e50b1c95d026dee40444bbdf56ce7b816ce254e53c12

Download Submit
C:\Windows\{E9359BD0-160F-4c58-B3CA-875DBD51D498}.exe

Filesize
168KB

MD5
e27d376117df78e019e06148a3bfd4b0

SHA1
fdbff00faef09d75cd2e7c8da23762435b04e225

SHA256
22562d2d6bade8fdcbd2da7caef61568db76281fb3596cef01d73974e8c0adb1

SHA512
59f9ebfd410bcb63fd8e21aa6fd0a6b874d56c20a2f94305c44e56a9e17e2638372cd71971a4fdb58dcf5db2f9554f427bf92a3fc387585876b099c60c126d10

Download Submit
C:\Windows\{F03219F7-38D3-45fd-A9BE-5DAE963C724D}.exe

Filesize
168KB

MD5
08914bf5b5acf048dcc8f2774743f0df

SHA1
a25cd9b8d14bde7bd52055c920e80a74ac296c83

SHA256
07019c15b1e545f78e713b137df1f84596b1348b75898b48590d327d8fe560f8

SHA512
b3c66a9d1e80a3f5834824af86d8395b6e9d79f7c081313af23be8a754446c2d2908394fcd91d565cbdb4af03519c29d55c237e223067252daecee8e0d00dc8b

Download Submit
C:\Windows\{FBEE4D25-323B-489d-BC92-AA0707773E8E}.exe

Filesize
168KB

MD5
ec19c79b184fd3cba654c50050c4c58c

SHA1
27788d7a9e93e031aa24717163ec5c4964c8320c

SHA256
474bc37361163c1950b9f6a19dd14926cd2124ef9f8e19a95d3eb4514d0d6434

SHA512
5d3a4d499e7c670ea8c2bae6b1c660f7f57a70322c610890b27112a11940604a42fb6267d34dbff1d9a76dacfdb83522b29d2a1312482dbc20c3afd2842109ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads