c0d2380a52f9c355b2595fc8b57196f05f8f04eef641f857362ca5199e1de52d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Size

380KB
MD5

6c2c95a0759f3d6f5b451a640b7953b3
SHA1

c5fe6e15725a5b36aba685774bf86fae7cd90ce3
SHA256

c0d2380a52f9c355b2595fc8b57196f05f8f04eef641f857362ca5199e1de52d
SHA512

fe9f18fdcc8585921fc6ae1cd8209d22eafc33544e9cac6c584e2a1da3797724f48d9d62c0b999e4e243bed55d0d0bd2e73bc8275ca88f6617438635ce1510e5
SSDEEP

3072:mEGh0o3lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012261-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000132dc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000010f1d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8599A65B-C7C6-49be-85AB-531D2044C83B}	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8599A65B-C7C6-49be-85AB-531D2044C83B}\stubpath = "C:\\Windows\\{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe"	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}\stubpath = "C:\\Windows\\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}.exe"	{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18069B45-6B3A-41dd-BB1A-E0847E517794}\stubpath = "C:\\Windows\\{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe"	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}\stubpath = "C:\\Windows\\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe"	{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}\stubpath = "C:\\Windows\\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe"	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}\stubpath = "C:\\Windows\\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe"	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18069B45-6B3A-41dd-BB1A-E0847E517794}	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11861DF0-6D57-433e-AA61-03FC723A1A04}	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11861DF0-6D57-433e-AA61-03FC723A1A04}\stubpath = "C:\\Windows\\{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe"	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}	{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}	{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}\stubpath = "C:\\Windows\\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe"	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D289D90-CFAD-454b-B780-5FD663722A6A}	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D289D90-CFAD-454b-B780-5FD663722A6A}\stubpath = "C:\\Windows\\{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe"	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}\stubpath = "C:\\Windows\\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe"	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D49B769-419A-4308-85FE-B142BCB6570F}	{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D49B769-419A-4308-85FE-B142BCB6570F}\stubpath = "C:\\Windows\\{5D49B769-419A-4308-85FE-B142BCB6570F}.exe"	{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe
1196	{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe
1020	{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
2472	{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe
2360	{23FE37F7-3BA8-455c-8BA2-92C375E8495C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
File created	C:\Windows\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
File created	C:\Windows\{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
File created	C:\Windows\{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
File created	C:\Windows\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe	{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
File created	C:\Windows\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}.exe	{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe
File created	C:\Windows\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
File created	C:\Windows\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
File created	C:\Windows\{5D49B769-419A-4308-85FE-B142BCB6570F}.exe	{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe
File created	C:\Windows\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
File created	C:\Windows\{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
Token: SeIncBasePriorityPrivilege	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
Token: SeIncBasePriorityPrivilege	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
Token: SeIncBasePriorityPrivilege	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
Token: SeIncBasePriorityPrivilege	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
Token: SeIncBasePriorityPrivilege	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
Token: SeIncBasePriorityPrivilege	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe
Token: SeIncBasePriorityPrivilege	1196	{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe
Token: SeIncBasePriorityPrivilege	1020	{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
Token: SeIncBasePriorityPrivilege	2472	{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2684	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	28
PID 2492 wrote to memory of 2684	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	28
PID 2492 wrote to memory of 2684	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	28
PID 2492 wrote to memory of 2684	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	28
PID 2492 wrote to memory of 2704	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	29
PID 2492 wrote to memory of 2704	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	29
PID 2492 wrote to memory of 2704	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	29
PID 2492 wrote to memory of 2704	2492	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	29
PID 2684 wrote to memory of 2980	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	30
PID 2684 wrote to memory of 2980	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	30
PID 2684 wrote to memory of 2980	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	30
PID 2684 wrote to memory of 2980	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	30
PID 2684 wrote to memory of 2168	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	31
PID 2684 wrote to memory of 2168	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	31
PID 2684 wrote to memory of 2168	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	31
PID 2684 wrote to memory of 2168	2684	{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe	31
PID 2980 wrote to memory of 1664	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	35
PID 2980 wrote to memory of 1664	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	35
PID 2980 wrote to memory of 1664	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	35
PID 2980 wrote to memory of 1664	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	35
PID 2980 wrote to memory of 3056	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	34
PID 2980 wrote to memory of 3056	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	34
PID 2980 wrote to memory of 3056	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	34
PID 2980 wrote to memory of 3056	2980	{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe	34
PID 1664 wrote to memory of 1948	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	36
PID 1664 wrote to memory of 1948	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	36
PID 1664 wrote to memory of 1948	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	36
PID 1664 wrote to memory of 1948	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	36
PID 1664 wrote to memory of 696	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	37
PID 1664 wrote to memory of 696	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	37
PID 1664 wrote to memory of 696	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	37
PID 1664 wrote to memory of 696	1664	{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe	37
PID 1948 wrote to memory of 2872	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	39
PID 1948 wrote to memory of 2872	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	39
PID 1948 wrote to memory of 2872	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	39
PID 1948 wrote to memory of 2872	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	39
PID 1948 wrote to memory of 2924	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	38
PID 1948 wrote to memory of 2924	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	38
PID 1948 wrote to memory of 2924	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	38
PID 1948 wrote to memory of 2924	1948	{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe	38
PID 2872 wrote to memory of 2948	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	41
PID 2872 wrote to memory of 2948	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	41
PID 2872 wrote to memory of 2948	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	41
PID 2872 wrote to memory of 2948	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	41
PID 2872 wrote to memory of 2148	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	40
PID 2872 wrote to memory of 2148	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	40
PID 2872 wrote to memory of 2148	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	40
PID 2872 wrote to memory of 2148	2872	{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe	40
PID 2948 wrote to memory of 1744	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	43
PID 2948 wrote to memory of 1744	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	43
PID 2948 wrote to memory of 1744	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	43
PID 2948 wrote to memory of 1744	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	43
PID 2948 wrote to memory of 2512	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	42
PID 2948 wrote to memory of 2512	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	42
PID 2948 wrote to memory of 2512	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	42
PID 2948 wrote to memory of 2512	2948	{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe	42
PID 1744 wrote to memory of 1196	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	45
PID 1744 wrote to memory of 1196	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	45
PID 1744 wrote to memory of 1196	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	45
PID 1744 wrote to memory of 1196	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	45
PID 1744 wrote to memory of 1096	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	44
PID 1744 wrote to memory of 1096	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	44
PID 1744 wrote to memory of 1096	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	44
PID 1744 wrote to memory of 1096	1744	{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
  C:\Windows\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
    C:\Windows\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F72D1~1.EXE > nul
      4⤵
      PID:3056
  - - C:\Windows\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
      C:\Windows\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
        
        C:\Windows\{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D289~1.EXE > nul
        6⤵
        
        PID:2924
      - C:\Windows\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
        
        C:\Windows\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{239A9~1.EXE > nul
        7⤵
        
        PID:2148
        
        C:\Windows\{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
        
        C:\Windows\{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18069~1.EXE > nul
        8⤵
        
        PID:2512
        
        C:\Windows\{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe
        
        C:\Windows\{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8599A~1.EXE > nul
        9⤵
        
        PID:1096
        
        C:\Windows\{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe
        
        C:\Windows\{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11861~1.EXE > nul
        10⤵
        
        PID:1396
        
        C:\Windows\{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
        
        C:\Windows\{5D49B769-419A-4308-85FE-B142BCB6570F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D49B~1.EXE > nul
        11⤵
        
        PID:3004
        
        C:\Windows\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe
        
        C:\Windows\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}.exe
        
        C:\Windows\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65EDC~1.EXE > nul
        12⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2DCA~1.EXE > nul
        5⤵
        
        PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F6AB2~1.EXE > nul
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11861DF0-6D57-433e-AA61-03FC723A1A04}.exe

Filesize
380KB

MD5
a9e88304f1260a7f02e7a884aae801a7

SHA1
c49b3f66757396db6e23f92a2f88d02a241d60d6

SHA256
eee5f953fb139d37155d153241ec8b972aed2ddc26d8df7483dc693c666293f4

SHA512
56db91134bd001edacaf229407b72cdb254099e9efc780d6d517e4bbb4a120653737cf0cc3d7e3015389667454c9dd74ec92794d9063839a774ea7703e0ea1ea

Download Submit
C:\Windows\{18069B45-6B3A-41dd-BB1A-E0847E517794}.exe

Filesize
380KB

MD5
f3ad7de8b898dab0c2ed3c0d11af0584

SHA1
f4889e7d629211985f4828bcb5dab4bde5c4e22f

SHA256
688ccda309318d27bcf2c5ac0ffcff93430f62e5ba6e6d14dbe7b2983a8de0fc

SHA512
aaea6468cbef26a06af3d2bfc99af8c4223521e8cb46deb2edca4a02331842040b8d081df16c63c3069e57d53f62eabdb19c726f755907dd65c6775831a41b34

Download Submit
C:\Windows\{239A9CF8-0A75-4f73-951E-5AFC60BCF5F4}.exe

Filesize
380KB

MD5
88a0ad91c9229cb808d62bd5e4a984bd

SHA1
ba553c00b7627440ba4bffbca0a8dbde8685ea6e

SHA256
311bfd99f8a34b7a582553df1a7d00d2281bac1973fc327e5e48997c490eea4f

SHA512
145b66a274f9be3ddde8e71e3c1746c2febfe6c15344b2178933da3ff8471c80196778f71c0ea51781cdc2ada851a53c8c080efccfa22dad114f0f201e9cd6b3

Download Submit
C:\Windows\{23FE37F7-3BA8-455c-8BA2-92C375E8495C}.exe

Filesize
380KB

MD5
6592168ab91df4eccc3574421543079d

SHA1
f7baba35d44b069e8a480ae56875c159be90a748

SHA256
96d8ff1824320c92c1f7223b41e046834039b5d6b0216af455424ac738276c63

SHA512
8c77cd749f2e3590f3473b3f0c7cc1124029e4c898c7f74fae88a78cdc5abfe9b96adcd7ce045bff8ca92d492e734268a0f7e917e2f2847e2ba9f9e543ffe875

Download Submit
C:\Windows\{5D49B769-419A-4308-85FE-B142BCB6570F}.exe

Filesize
380KB

MD5
66e72bb7a9a22bf9b0e2153caf02195d

SHA1
2488a2b05d327979a5bba463a3e42753b6f9975d

SHA256
ce1d77cef5d0fd4445f11c10ad9a79b7189931351179a74569b72b023d9089cf

SHA512
169a1ea8f710ecbad2676b3c405866cc74574bc8a4194cdc2cf42a49a7858394d9ca329e9223671147095ed4f7f402267fecc2a430e0528bcd4d7c8915775669

Download Submit
C:\Windows\{65EDCEC6-0AA4-416c-AC6E-88DCD320B655}.exe

Filesize
380KB

MD5
53810fead3b9d58655794349c5099cca

SHA1
a497e94fc0156cf30dad9f789ac0cfe15061d98d

SHA256
881aaf649f21122e02a9f8582c4e2fea9c87b012740ddd8511d956774b79bb55

SHA512
c3f18a7b7f2a82ea0be7004f4b2100d9f7d1499f306fee08fc2b695a1ca9a2a86b39e459d87fbe96d4cd17326f5e42b0b57eb46675ef2307f2540782dc72839d

Download Submit
C:\Windows\{8599A65B-C7C6-49be-85AB-531D2044C83B}.exe

Filesize
380KB

MD5
7299b1b3d9256613c98b69a686d9434e

SHA1
41295b833564b21fb722cefeab1e920f8b609b70

SHA256
2c17618d5940e745bf9efe7c5408fc94f2510cca06a44bdc8001663cfedf01fd

SHA512
616d8cc66905655c33c0f26b9ff9978b1e1808b80aa3bd79bbe1c2744350f63bb78b6a3b4617eef1ab728529673de35aae9c8b0222db0a431d46857424a0ed7f

Download Submit
C:\Windows\{8D289D90-CFAD-454b-B780-5FD663722A6A}.exe

Filesize
380KB

MD5
8c0324585fa75875c8c264d324f5b686

SHA1
d6eb17c2715a11de70df7ae15b9787f2daf31e97

SHA256
e89b1b5171f36499ff2fee674a717aa7d62e1d943cae9269f9b6b256a70b2e3b

SHA512
8e81bd6f9b8f7954c083dd59e6621c574e7445a1419fdcfa496c8e3b1e774946ed165b487fa9f494e397b21004b24d965b0bfa0bf8bc937e3a8b475eae40b944

Download Submit
C:\Windows\{D2DCA7BA-33C0-4c41-8553-248E0A9B07BF}.exe

Filesize
380KB

MD5
a03bb82466befb25cd0699d70de5ff1d

SHA1
4e4c8a2c1af7b5389f5ebf742d37db8c603e01ab

SHA256
e0d8151d3dc6ded5acfde674f54f28523d32b0168c0caba075e8f53be715084c

SHA512
eb7a45529091dbe453e4f9d6cb090c50d12a1b68a7a01c683bd9611d465824ea6b2ec01efe21725f1a9b200646c8ced0bf3229b9e6098e1d55eba48c44090b8e

Download Submit
C:\Windows\{F6AB2355-D3D1-4bc2-AF8C-2FDD60A3DE24}.exe

Filesize
380KB

MD5
03fb9b4c8b8aa6ec5c04cd7c443b4202

SHA1
910b8110c969ed7c10213d5e9eaaf01877e15ccf

SHA256
d16613d653a1df4390dcd56cb0e3736842e9a55a574b779fe732ebf00013f52c

SHA512
ea1103ab42ee7939e3af3a411ac00a842334ba3c9f5cc5250b5401ad4990fbfddba996ae0a974073b6290aeea46625184e866762e82448c632e0ce0382aff73b

Download Submit
C:\Windows\{F72D1A62-1B46-4e4a-8198-18F722FC81CC}.exe

Filesize
380KB

MD5
8380467252f74895bd964a645b536368

SHA1
b739901e73090acb6a860ad39118576e6508103c

SHA256
ca42f934f469b1196b4f7b951ad1c3e17f09af2d1dbeecceae8b7396e6f849b0

SHA512
3112b580153e620f18d2beb7dbdd8e1d2328e7933c09c914804b0366674e335b6ce9e42935b147044ae00c25a6633889cb0feabc8684a1e755ab87b7bf08b1a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads