8191f547bdd0427432b61f5113ae3cebe9cf499d704bf7de1a1d87e03605d99d

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Size

204KB
MD5

4fb61422520bf75476643055e70d62cb
SHA1

c54a9a96b802439fa103f06af05d47a36521e8ca
SHA256

8191f547bdd0427432b61f5113ae3cebe9cf499d704bf7de1a1d87e03605d99d
SHA512

cce3ae025bcda82ad24b4b796c463b1e6cad9954482445d01c5c50d6ab2a8ee27e383735249c842a226a0ecae51f43768196710bac67ae1551ffe920b0d74853
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015cfa-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015d23-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015cfa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000160a7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015cfa-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015cfa-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015cfa-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9B3825-C74B-4561-B620-87FFB6D3E302}\stubpath = "C:\\Windows\\{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe"	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}\stubpath = "C:\\Windows\\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe"	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B522A4C-21A0-424a-BC53-B85AEC205315}	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9B3825-C74B-4561-B620-87FFB6D3E302}	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}\stubpath = "C:\\Windows\\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe"	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA92098-1AA8-4fef-9167-EBB601E62B09}	{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}	{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02FEED59-F621-4a91-AF0A-9B67BF123006}\stubpath = "C:\\Windows\\{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe"	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89217784-CD4F-4381-BAB2-516D43147E51}\stubpath = "C:\\Windows\\{89217784-CD4F-4381-BAB2-516D43147E51}.exe"	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}\stubpath = "C:\\Windows\\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe"	{89217784-CD4F-4381-BAB2-516D43147E51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}\stubpath = "C:\\Windows\\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe"	{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}\stubpath = "C:\\Windows\\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe"	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}	{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}\stubpath = "C:\\Windows\\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe"	{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B522A4C-21A0-424a-BC53-B85AEC205315}\stubpath = "C:\\Windows\\{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe"	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02FEED59-F621-4a91-AF0A-9B67BF123006}	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89217784-CD4F-4381-BAB2-516D43147E51}	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}	{89217784-CD4F-4381-BAB2-516D43147E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA92098-1AA8-4fef-9167-EBB601E62B09}\stubpath = "C:\\Windows\\{DFA92098-1AA8-4fef-9167-EBB601E62B09}.exe"	{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe

Deletes itself 1 IoCs

pid	Process
1640	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe
2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe
948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
1300	{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
2560	{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
1988	{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe
1412	{DFA92098-1AA8-4fef-9167-EBB601E62B09}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe	{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
File created	C:\Windows\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe	{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
File created	C:\Windows\{DFA92098-1AA8-4fef-9167-EBB601E62B09}.exe	{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe
File created	C:\Windows\{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
File created	C:\Windows\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	{89217784-CD4F-4381-BAB2-516D43147E51}.exe
File created	C:\Windows\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
File created	C:\Windows\{89217784-CD4F-4381-BAB2-516D43147E51}.exe	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
File created	C:\Windows\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
File created	C:\Windows\{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
File created	C:\Windows\{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
File created	C:\Windows\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
Token: SeIncBasePriorityPrivilege	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
Token: SeIncBasePriorityPrivilege	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe
Token: SeIncBasePriorityPrivilege	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
Token: SeIncBasePriorityPrivilege	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe
Token: SeIncBasePriorityPrivilege	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
Token: SeIncBasePriorityPrivilege	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
Token: SeIncBasePriorityPrivilege	1300	{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
Token: SeIncBasePriorityPrivilege	2560	{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
Token: SeIncBasePriorityPrivilege	1988	{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2988	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	28
PID 2024 wrote to memory of 2988	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	28
PID 2024 wrote to memory of 2988	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	28
PID 2024 wrote to memory of 2988	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	28
PID 2024 wrote to memory of 1640	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	29
PID 2024 wrote to memory of 1640	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	29
PID 2024 wrote to memory of 1640	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	29
PID 2024 wrote to memory of 1640	2024	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	29
PID 2988 wrote to memory of 2644	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	30
PID 2988 wrote to memory of 2644	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	30
PID 2988 wrote to memory of 2644	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	30
PID 2988 wrote to memory of 2644	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	30
PID 2988 wrote to memory of 2692	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	31
PID 2988 wrote to memory of 2692	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	31
PID 2988 wrote to memory of 2692	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	31
PID 2988 wrote to memory of 2692	2988	{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe	31
PID 2644 wrote to memory of 2596	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	33
PID 2644 wrote to memory of 2596	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	33
PID 2644 wrote to memory of 2596	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	33
PID 2644 wrote to memory of 2596	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	33
PID 2644 wrote to memory of 2836	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	32
PID 2644 wrote to memory of 2836	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	32
PID 2644 wrote to memory of 2836	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	32
PID 2644 wrote to memory of 2836	2644	{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe	32
PID 2596 wrote to memory of 2540	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	37
PID 2596 wrote to memory of 2540	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	37
PID 2596 wrote to memory of 2540	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	37
PID 2596 wrote to memory of 2540	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	37
PID 2596 wrote to memory of 2772	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	36
PID 2596 wrote to memory of 2772	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	36
PID 2596 wrote to memory of 2772	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	36
PID 2596 wrote to memory of 2772	2596	{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe	36
PID 2540 wrote to memory of 320	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	39
PID 2540 wrote to memory of 320	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	39
PID 2540 wrote to memory of 320	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	39
PID 2540 wrote to memory of 320	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	39
PID 2540 wrote to memory of 1276	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	38
PID 2540 wrote to memory of 1276	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	38
PID 2540 wrote to memory of 1276	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	38
PID 2540 wrote to memory of 1276	2540	{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe	38
PID 320 wrote to memory of 948	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	41
PID 320 wrote to memory of 948	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	41
PID 320 wrote to memory of 948	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	41
PID 320 wrote to memory of 948	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	41
PID 320 wrote to memory of 784	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	40
PID 320 wrote to memory of 784	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	40
PID 320 wrote to memory of 784	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	40
PID 320 wrote to memory of 784	320	{89217784-CD4F-4381-BAB2-516D43147E51}.exe	40
PID 948 wrote to memory of 1528	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	42
PID 948 wrote to memory of 1528	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	42
PID 948 wrote to memory of 1528	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	42
PID 948 wrote to memory of 1528	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	42
PID 948 wrote to memory of 2552	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	43
PID 948 wrote to memory of 2552	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	43
PID 948 wrote to memory of 2552	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	43
PID 948 wrote to memory of 2552	948	{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe	43
PID 1528 wrote to memory of 1300	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	44
PID 1528 wrote to memory of 1300	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	44
PID 1528 wrote to memory of 1300	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	44
PID 1528 wrote to memory of 1300	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	44
PID 1528 wrote to memory of 1288	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	45
PID 1528 wrote to memory of 1288	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	45
PID 1528 wrote to memory of 1288	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	45
PID 1528 wrote to memory of 1288	1528	{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
  C:\Windows\{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
    C:\Windows\{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02FEE~1.EXE > nul
      4⤵
      PID:2836
  - - C:\Windows\{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe
      C:\Windows\{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB9B3~1.EXE > nul
        5⤵
        
        PID:2772
    - - C:\Windows\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
        
        C:\Windows\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F49F6~1.EXE > nul
        6⤵
        
        PID:1276
      - C:\Windows\{89217784-CD4F-4381-BAB2-516D43147E51}.exe
        
        C:\Windows\{89217784-CD4F-4381-BAB2-516D43147E51}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89217~1.EXE > nul
        7⤵
        
        PID:784
        
        C:\Windows\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
        
        C:\Windows\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
        
        C:\Windows\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
        
        C:\Windows\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC6EE~1.EXE > nul
        10⤵
        
        PID:2100
        
        C:\Windows\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
        
        C:\Windows\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe
        
        C:\Windows\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F431B~1.EXE > nul
        12⤵
        
        PID:2280
        
        C:\Windows\{DFA92098-1AA8-4fef-9167-EBB601E62B09}.exe
        
        C:\Windows\{DFA92098-1AA8-4fef-9167-EBB601E62B09}.exe
        12⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC19A~1.EXE > nul
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDC6B~1.EXE > nul
        9⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8CE9~1.EXE > nul
        8⤵
        
        PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B522~1.EXE > nul
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02FEED59-F621-4a91-AF0A-9B67BF123006}.exe

Filesize
204KB

MD5
ce89afb10e0819cd843574b75d8a2465

SHA1
29f5857bb7d4b2ff3f6a39f321645e68fb921a37

SHA256
b906bde72c54399fc6f6cc1ff9fc7ba8adbeffddee01e164f59a4c2845cead6f

SHA512
83cb0b8b77b8e4a695d783e6553906e39c878a0ddcf5e2fb6cf559752bae0293da9e5bcc52a7b51df92fb3d0e7fd0403afda90ca999b66bcee0e4cf6a725c428

Download Submit
C:\Windows\{6B522A4C-21A0-424a-BC53-B85AEC205315}.exe

Filesize
204KB

MD5
710dafc17f97b7239dbe72383bead10f

SHA1
44ccec7952b9dbcd7ad15649e9aedb1662d8c269

SHA256
ae003866400d272d1da5c2197bb8a18eeaf993387a44011c36c5ddc4a2abe361

SHA512
95148786ecdb25fffb563e88c6ddcf4f1022cc317ea3ec2b4531dd6f5e2f587d83bd8e1ec609e3280388ec401d87e70e199cc61f8a9d3c68f63e125565ba8b71

Download Submit
C:\Windows\{89217784-CD4F-4381-BAB2-516D43147E51}.exe

Filesize
204KB

MD5
e54c5dbf22f682acdcab1001a5337caa

SHA1
b207277817ac5711ac6c84e35564d6c6992fcfb6

SHA256
9fb4aac85383c8f9737e460db1b3a16dd5d2c3b3acd9ffd787dc01ffe9d5f129

SHA512
11b1c9d61e0e6f0935c49060461523ba949e315dd4a2f1816da26e3b7f8381f973b87a5843e44a89b4a9dc9ef653b8a2fad48fbaf2abc38f308165ac04fb6350

Download Submit
C:\Windows\{BB9B3825-C74B-4561-B620-87FFB6D3E302}.exe

Filesize
204KB

MD5
d098bae6e13c321d4f2e5b4c1b3a50e2

SHA1
9fa8483e64249e92e5489ab11eb9c3129af66ea4

SHA256
febc0b0a424f72dc184c17da79aed2b3b471aa4d1259ae8fff0327b1980059cc

SHA512
4dc1f6b2a522f54e652bd1290231d475f9d0e45f49bd1105b0f2760f32fa9ab4d5ce3dc115e7db6619979248350611e333fcb4adf2238e49eec77764c41b296a

Download Submit
C:\Windows\{C8CE99A8-D8E1-426e-BF2B-88C5F80E8192}.exe

Filesize
204KB

MD5
c2e9575fb0aca075b64552d8ae7fb80f

SHA1
c71827c6819344123c84392fd4ea25ee90047410

SHA256
dd1e2d2b06dde8f4164360f33f8bf052b03c0dcf44714e985772436e567cd302

SHA512
b5b3daecbc2faa6f7dffada756ff084ec19c4255cb77dd63d4c35bbe5bda4421b9d3a3ce71dd999c72f143c81fc0da25d4a838b409b1eb18650bf100719be9a4

Download Submit
C:\Windows\{DFA92098-1AA8-4fef-9167-EBB601E62B09}.exe

Filesize
204KB

MD5
9439a6cdf34c2679438dcb9a82a92bc9

SHA1
3a8e9e00f7ea062bbb8c02a407b8d854bc738d0b

SHA256
2fd7e24508fe84d86f8c20e6b2b11d3a9edc41041f3da1b44ed5e0f84c6f2363

SHA512
119bfce9b363bd9d36e817eed982b961dd09f393298f37e1a840107923092614cb38d2c0905a6c45c9b9d3da6184065964010a8fd4ad1e46a07b198c11dd05a9

Download Submit
C:\Windows\{EC6EE43F-C40F-4002-B4E6-19DB33CAB433}.exe

Filesize
204KB

MD5
e3635c238e86493ddf45776a88de6635

SHA1
a6aed0bc0968fdbc8bbe246711a2dd76cf06a2e6

SHA256
fe968e765f203b25a03cacb560908063723fcfc91be59ea09f5ab58c6eb681d3

SHA512
40fcdd0817b9de7771ccf0f24693711d552e80a4b1cbcbcb3943976e98a0b537507a9ba0eba6d9c2368ce086c6afb28458553d20fe57db7db984ac19925a597a

Download Submit
C:\Windows\{F431B2BD-0EF4-4eef-B95D-9D0D27D9BEA5}.exe

Filesize
204KB

MD5
8a137d0c1b9c458853b14eddef65f1de

SHA1
3790c36ca5f99b00a15974b6c8ef3dd128690579

SHA256
7ca042d6e1f7e1766b210f250be8d31992b0c917941ea4b66aedaa6a158b17a9

SHA512
06369bd29e18a18e3936b6ecf18ee55fe3b1ae816fec9d4a2a624902efe9899e611d80afec8b967026e630ae880d7c6c7bed2c2c5ad7700b2b3d5d605bd8bc43

Download Submit
C:\Windows\{F49F6356-1DB9-41b4-AEF2-CFF42DAAB010}.exe

Filesize
204KB

MD5
74966e3e4166d4b96a43f406811e6fb1

SHA1
37415aa277905680e28d070dd098a08b2863270f

SHA256
43855819ecbc9254c136e6b6a099b5652d7a7cc044152a5399082002e01cc4dd

SHA512
64ae8197a4e383cd2f31e5a7e4db678a4aa793c2add698ac34e675f32be94bf2ae73b3e40ff622b7e28d9d8d6c54c0878633bfc25159a9cecc4cec1d83258f15

Download Submit
C:\Windows\{FC19A1A7-BAFE-45c8-B198-955DBACDBA2B}.exe

Filesize
204KB

MD5
721943078ff70d2db3c8082a8d6de766

SHA1
345052a00a81ff74ad0a4ed299328d5ff5e59ecc

SHA256
2635836a042c269321a96d4e464f9469f1ed78e285fd216d8dfa5db0b8fb5b03

SHA512
919ce0cfd62a5994004432929b1503ca54bd37069605243aaba1fe40abf72e099938883139776235629c1d8e97ddbb17e0d798826322918c77f51ac534323abb

Download Submit
C:\Windows\{FDC6BFD7-7940-49b2-A10E-3C98DF33AE81}.exe

Filesize
204KB

MD5
0e9263a6d75e241d597fb6ad5d40ce8d

SHA1
752ca2f46ac69b5898b4aadff0a86b8b3777e361

SHA256
da17450e1071b9447c4d2b60e30d36a612007dac8bda7ae7751edba51c3ee640

SHA512
fea1ed7dcc1026e8544c11fa063ad602764cfa5a8ee2caa793a0cd28fb5786e8b406c51c1ebce9b3d32ff93fb0a36e4e3d4850463ecc93afb551358451bf026e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads