89722c35fbe99a1c82470d4612ede6fcf6a70264712088ca151ae53650e7c895

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Size

204KB
MD5

e53d2d2a4804ae2092fd3686771f0c08
SHA1

df0e4c29e78df05f35c8261b5d27b4ad60d7810f
SHA256

89722c35fbe99a1c82470d4612ede6fcf6a70264712088ca151ae53650e7c895
SHA512

6a4d4bea85c095cf8213837612066701447d246fd442cab1d402767634b3ccd931b1906ce38887dad959d5c2b543053c258bcfb8e971d94491e2f5629f8c361a
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0osl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015c1e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015c1e-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122f6-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122f6-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015c1e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015c3d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c45-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67827535-D720-4401-81FC-6C9CF6D26DE5}\stubpath = "C:\\Windows\\{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe"	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}\stubpath = "C:\\Windows\\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe"	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A984B742-5BFF-47e6-AE15-1E8D620B0547}	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A984B742-5BFF-47e6-AE15-1E8D620B0547}\stubpath = "C:\\Windows\\{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe"	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91FAF075-41D0-4050-ABBF-7585E690A7B3}	{19D782ED-547B-4225-B754-AE037896695E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67827535-D720-4401-81FC-6C9CF6D26DE5}	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEDD868F-55DD-4acd-B947-41493EE2249F}\stubpath = "C:\\Windows\\{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe"	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4D66496-E843-4043-A4E6-68E8F4BC057E}	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}\stubpath = "C:\\Windows\\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe"	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4D66496-E843-4043-A4E6-68E8F4BC057E}\stubpath = "C:\\Windows\\{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe"	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19D782ED-547B-4225-B754-AE037896695E}	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19D782ED-547B-4225-B754-AE037896695E}\stubpath = "C:\\Windows\\{19D782ED-547B-4225-B754-AE037896695E}.exe"	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91FAF075-41D0-4050-ABBF-7585E690A7B3}\stubpath = "C:\\Windows\\{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe"	{19D782ED-547B-4225-B754-AE037896695E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DB4DA1-5A39-4888-B880-281904FC51C9}	{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}\stubpath = "C:\\Windows\\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe"	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEDD868F-55DD-4acd-B947-41493EE2249F}	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}	{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}\stubpath = "C:\\Windows\\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe"	{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DB4DA1-5A39-4888-B880-281904FC51C9}\stubpath = "C:\\Windows\\{79DB4DA1-5A39-4888-B880-281904FC51C9}.exe"	{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
1700	{19D782ED-547B-4225-B754-AE037896695E}.exe
1660	{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe
2792	{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe
1468	{79DB4DA1-5A39-4888-B880-281904FC51C9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
File created	C:\Windows\{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
File created	C:\Windows\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
File created	C:\Windows\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
File created	C:\Windows\{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
File created	C:\Windows\{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
File created	C:\Windows\{79DB4DA1-5A39-4888-B880-281904FC51C9}.exe	{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe
File created	C:\Windows\{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
File created	C:\Windows\{19D782ED-547B-4225-B754-AE037896695E}.exe	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
File created	C:\Windows\{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe	{19D782ED-547B-4225-B754-AE037896695E}.exe
File created	C:\Windows\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe	{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
Token: SeIncBasePriorityPrivilege	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
Token: SeIncBasePriorityPrivilege	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
Token: SeIncBasePriorityPrivilege	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
Token: SeIncBasePriorityPrivilege	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
Token: SeIncBasePriorityPrivilege	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
Token: SeIncBasePriorityPrivilege	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
Token: SeIncBasePriorityPrivilege	1700	{19D782ED-547B-4225-B754-AE037896695E}.exe
Token: SeIncBasePriorityPrivilege	1660	{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe
Token: SeIncBasePriorityPrivilege	2792	{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1316	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	28
PID 2232 wrote to memory of 1316	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	28
PID 2232 wrote to memory of 1316	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	28
PID 2232 wrote to memory of 1316	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	28
PID 2232 wrote to memory of 2572	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	29
PID 2232 wrote to memory of 2572	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	29
PID 2232 wrote to memory of 2572	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	29
PID 2232 wrote to memory of 2572	2232	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	29
PID 1316 wrote to memory of 2992	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	30
PID 1316 wrote to memory of 2992	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	30
PID 1316 wrote to memory of 2992	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	30
PID 1316 wrote to memory of 2992	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	30
PID 1316 wrote to memory of 2656	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	31
PID 1316 wrote to memory of 2656	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	31
PID 1316 wrote to memory of 2656	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	31
PID 1316 wrote to memory of 2656	1316	{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe	31
PID 2992 wrote to memory of 2104	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	34
PID 2992 wrote to memory of 2104	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	34
PID 2992 wrote to memory of 2104	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	34
PID 2992 wrote to memory of 2104	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	34
PID 2992 wrote to memory of 2904	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	35
PID 2992 wrote to memory of 2904	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	35
PID 2992 wrote to memory of 2904	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	35
PID 2992 wrote to memory of 2904	2992	{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe	35
PID 2104 wrote to memory of 2708	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	36
PID 2104 wrote to memory of 2708	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	36
PID 2104 wrote to memory of 2708	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	36
PID 2104 wrote to memory of 2708	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	36
PID 2104 wrote to memory of 584	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	37
PID 2104 wrote to memory of 584	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	37
PID 2104 wrote to memory of 584	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	37
PID 2104 wrote to memory of 584	2104	{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe	37
PID 2708 wrote to memory of 2696	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	38
PID 2708 wrote to memory of 2696	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	38
PID 2708 wrote to memory of 2696	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	38
PID 2708 wrote to memory of 2696	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	38
PID 2708 wrote to memory of 740	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	39
PID 2708 wrote to memory of 740	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	39
PID 2708 wrote to memory of 740	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	39
PID 2708 wrote to memory of 740	2708	{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe	39
PID 2696 wrote to memory of 1084	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	40
PID 2696 wrote to memory of 1084	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	40
PID 2696 wrote to memory of 1084	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	40
PID 2696 wrote to memory of 1084	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	40
PID 2696 wrote to memory of 2196	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	41
PID 2696 wrote to memory of 2196	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	41
PID 2696 wrote to memory of 2196	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	41
PID 2696 wrote to memory of 2196	2696	{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe	41
PID 1084 wrote to memory of 1628	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	42
PID 1084 wrote to memory of 1628	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	42
PID 1084 wrote to memory of 1628	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	42
PID 1084 wrote to memory of 1628	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	42
PID 1084 wrote to memory of 796	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	43
PID 1084 wrote to memory of 796	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	43
PID 1084 wrote to memory of 796	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	43
PID 1084 wrote to memory of 796	1084	{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe	43
PID 1628 wrote to memory of 1700	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	44
PID 1628 wrote to memory of 1700	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	44
PID 1628 wrote to memory of 1700	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	44
PID 1628 wrote to memory of 1700	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	44
PID 1628 wrote to memory of 1764	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	45
PID 1628 wrote to memory of 1764	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	45
PID 1628 wrote to memory of 1764	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	45
PID 1628 wrote to memory of 1764	1628	{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
  C:\Windows\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
    C:\Windows\{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
      C:\Windows\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
        
        C:\Windows\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
        
        C:\Windows\{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
        
        C:\Windows\{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
        
        C:\Windows\{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{19D782ED-547B-4225-B754-AE037896695E}.exe
        
        C:\Windows\{19D782ED-547B-4225-B754-AE037896695E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe
        
        C:\Windows\{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe
        
        C:\Windows\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{79DB4DA1-5A39-4888-B880-281904FC51C9}.exe
        
        C:\Windows\{79DB4DA1-5A39-4888-B880-281904FC51C9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{034AC~1.EXE > nul
        12⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91FAF~1.EXE > nul
        11⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19D78~1.EXE > nul
        10⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D66~1.EXE > nul
        9⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A984B~1.EXE > nul
        8⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEDD8~1.EXE > nul
        7⤵
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB04~1.EXE > nul
        6⤵
        
        PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B89A~1.EXE > nul
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67827~1.EXE > nul
      4⤵
      PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0DD41~1.EXE > nul
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{034AC4F8-C72B-4aae-9E7A-3CC9D12EBEF4}.exe

Filesize
204KB

MD5
a07667cf8968a169caa763561aa03b9a

SHA1
7a70d9a6ee22272bf010576ad949903151e89e99

SHA256
0e5b4c5a50e0ae6ac8affb7ca221ca8990998e129228e253d9cbaff53b1f6442

SHA512
c6edbb539bf0a63a805acaa3fcfe1dac81a911dfecd01e2e27cdd5dea2a328e8a0b1a7eb87ba81bf49840db01b6fc3e14da90893b8ee23542748c1f7e5a4270e

Download Submit
C:\Windows\{0DD4165D-DB94-4196-B600-66CAB0DE2A2E}.exe

Filesize
204KB

MD5
c19f7d89fe4dd629a762c7daf0cdd796

SHA1
3d438c706bb93ace8f8968a7dbc6daa6fb9dff06

SHA256
132ef0304859f94d5855751e7bb65f1c349b49d524f0cfcf09dc594f1e0ecf1a

SHA512
d94578fb02d90f9faa84f747bb3b0c8f8e47dee04105443c6916329c3beeaddf79b83c800fb9fd5b0b3faeb6938d74876029cce9fe6ed4953f51a1e79c89435e

Download Submit
C:\Windows\{19D782ED-547B-4225-B754-AE037896695E}.exe

Filesize
204KB

MD5
2fdca2eb934f61269f8f6230984635bf

SHA1
37f71e3c217adec1aa859984d21c3c77af98ccd1

SHA256
a9d479004586dbaa3211e24bbdd9a1f74140c366cf2659d1067ddeebb51b588c

SHA512
5db87f85ff84ccd62f8113ed4ac79a292858f1a1c0cae8496a65e92fdff545506b7488dc06834e1d22d5bdfba9e0244ff1ccdd4967546ce823dbd3e410567933

Download Submit
C:\Windows\{67827535-D720-4401-81FC-6C9CF6D26DE5}.exe

Filesize
204KB

MD5
5631886cdcc7eadbc69f8fe421dec461

SHA1
bf0dba9e2b234b16ea9d7fc980621691a9b916c7

SHA256
67f1695a1dae9f818af32160970b38a51c8a4d10f6ec464edfee80527b2c4f35

SHA512
990a79478f0f8a00c83705af67689fcf0f4160f6d9aad0d6e3f61a6ea39491e2d7f31d64cea6f950ddbdb02219eab9485bcefa6bb402a75f0d186d2b082e1307

Download Submit
C:\Windows\{79DB4DA1-5A39-4888-B880-281904FC51C9}.exe

Filesize
204KB

MD5
589726f1edcdeb04ccf951a7c945be88

SHA1
f9417216ea3705c04757fa1cc438778c10a8e3a8

SHA256
a7a0a4a57683096d2538b8de09613dd3207b174a051829f4073890dd57523a14

SHA512
ec3b23aff0611736528603d894dc1f77586ed7da7a088efa7348368adb0d078ee28df39e71b932606fd062230cce4c63935f8364efab96a689a18db491bb2bcb

Download Submit
C:\Windows\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe

Filesize
204KB

MD5
912f1d339743ea6d7264125911dcde5d

SHA1
97ff4eec1c61492cecfd33809000f0a03d635bf0

SHA256
49c46f0223efd7a28fcc02c300e157837eb80d9221ada12bfcd20bec0cd323cc

SHA512
e9fbfcb2a3a72fdc2b4ca97ec6ff551c7b59a04c8392d3945d37b9e1376365ad39b1134dea445ba90028ee0341e3c2bfdeba2e8889df6ae6befcd063e6023b80

Download Submit
C:\Windows\{8B89A39A-00FB-4138-85F7-1CAD67E204B5}.exe

Filesize
69KB

MD5
34154e47cc9742e73c93867f5df112d3

SHA1
a54d3691734037cc1208bf0b4bb9746093677bba

SHA256
07a117ff3a562b02d75a58156edf08e2701c350502dbfeb684dd36197a4ee220

SHA512
e6c9a4c14fb3840ff3d5f20b946a614103b2b78745d87439fd93efe0ea16bcf75a94dcd2b3a3bfbe9ef3b90b00ac212ae7368b5445fc3a3b05dc9d8658140b51

Download Submit
C:\Windows\{91FAF075-41D0-4050-ABBF-7585E690A7B3}.exe

Filesize
204KB

MD5
d608ad0161fead71863e4b02905d6997

SHA1
a0cc8f0d15aa9128049c215ce83f2b9ffee83fae

SHA256
1559614628a9be7d23592233cbf396b6e3eec6e031bb062e75a8eedfac79b5e5

SHA512
9107bac428a67510bd09a1869ecb0652b60176485ba03b2394c7981650bcf5da078eca99b873ece685355e4fa0de6d0b894ef29389474565428f2badcf64b260

Download Submit
C:\Windows\{A984B742-5BFF-47e6-AE15-1E8D620B0547}.exe

Filesize
204KB

MD5
5d32a4a3aef8f1b2d0af72b3cb66162b

SHA1
665620e403108467b0a7af2389eeed91830a29f4

SHA256
cd4b6ed401bd21144eea55dba35002ebb3c0f7cb59a7700ad18b32969a0c942f

SHA512
24f805cb80381d54dd0bee5322538e0f4faa60bc1647b2ebbdcbdfa7c8437f50e604ccf8ae7606e010341220d13b1006fa212166ea50170f0902711a2e85da64

Download Submit
C:\Windows\{DEB0486E-BFDA-40d9-8017-A02B7B09B15B}.exe

Filesize
204KB

MD5
e2218deb2c5ffe67b1c8435f3881cd49

SHA1
5226e2a57be53ca24ab575a04edc419245e573fb

SHA256
c3f28fc2ea20f0e501e316a07047584a4ee6136f68eb49ad5ab55815e015e53b

SHA512
9cf4eb823b6f8a5e4536a248edb690c5167fe4aa1c037557d6221ba00a28289e9188da0caf6e348cea6adeab6f706c12118c9fbc7b94e5217e62471f9f21e561

Download Submit
C:\Windows\{F4D66496-E843-4043-A4E6-68E8F4BC057E}.exe

Filesize
204KB

MD5
9df8d5049bdc324bca64d76d8ee46cb8

SHA1
a52d61a7a4b9c30f273c7d16f4f62eeec3ed6117

SHA256
b70b090e9158ded54f72b59a5a005d984e1001d21bc685d3cde04dfbaa2e1369

SHA512
e5c5719a3d32a38c7916214e6f5859231190dfb7856e79272483304c34d71c7c901d3e391a5ba5415eeb0a88683dd3f2450f2950451fc208ee07b6feab0d4fd9

Download Submit
C:\Windows\{FEDD868F-55DD-4acd-B947-41493EE2249F}.exe

Filesize
204KB

MD5
b51cdfee388de29069dec65463d8f4a9

SHA1
729060c835e0f8e158a6aec01e80c702171a6b56

SHA256
c004faf4f9b312fb08b52d1a3af15bf491c37c23620fb35441dabf2e3a1a4e13

SHA512
d4cc588579f9c16f6d0c5a9221a7be5eaacc0cbaf471df977f1aa3aef0982a4ea90ba6302aca0e47f12d88dbf5ea38b2aff3aad1064702eaf3d1d4be6291ebf2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads