147eb49c968fb4a12d6805cf978a18f8696d71a33b4cc0fee7f57dc107e415cc

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Size

380KB
MD5

d5a6933bf904dce7ba800c2a8fabe032
SHA1

d15143ee8de0c1459344ccc456db8e56a6bb6a0e
SHA256

147eb49c968fb4a12d6805cf978a18f8696d71a33b4cc0fee7f57dc107e415cc
SHA512

ae397a66e2a0381ebd96783075bcbf596c8e01542cc943c5b14baed41b08a6f60eba8e2b33aeeefe740493bb27e4059440ed621014e81ee654c37c5c4cffe5a5
SSDEEP

3072:mEGh0o7lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGdl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a32-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016cc8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016ce9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016cc8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016cc8-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016cc8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016cc8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016cc8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}\stubpath = "C:\\Windows\\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe"	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC034624-EE87-442f-8EB5-0CE9D2E57682}	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}\stubpath = "C:\\Windows\\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe"	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}\stubpath = "C:\\Windows\\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe"	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}	{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}\stubpath = "C:\\Windows\\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe"	{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB23813D-67F4-4914-8550-50D0890AC0EE}\stubpath = "C:\\Windows\\{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe"	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD0261E6-7ADF-4679-A271-0C4026E84C87}	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD0261E6-7ADF-4679-A271-0C4026E84C87}\stubpath = "C:\\Windows\\{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe"	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB23813D-67F4-4914-8550-50D0890AC0EE}	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}\stubpath = "C:\\Windows\\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe"	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}	{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}\stubpath = "C:\\Windows\\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe"	{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}	{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}\stubpath = "C:\\Windows\\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe"	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC034624-EE87-442f-8EB5-0CE9D2E57682}\stubpath = "C:\\Windows\\{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe"	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}\stubpath = "C:\\Windows\\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}.exe"	{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe

Deletes itself 1 IoCs

pid	Process
2480	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
1620	{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
1612	{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
2268	{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe
1432	{A6F63364-1CC9-4d2f-8955-2C34C47452A8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
File created	C:\Windows\{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
File created	C:\Windows\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
File created	C:\Windows\{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
File created	C:\Windows\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
File created	C:\Windows\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe	{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
File created	C:\Windows\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe	{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
File created	C:\Windows\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
File created	C:\Windows\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
File created	C:\Windows\{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
File created	C:\Windows\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}.exe	{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
Token: SeIncBasePriorityPrivilege	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
Token: SeIncBasePriorityPrivilege	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
Token: SeIncBasePriorityPrivilege	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
Token: SeIncBasePriorityPrivilege	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
Token: SeIncBasePriorityPrivilege	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
Token: SeIncBasePriorityPrivilege	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
Token: SeIncBasePriorityPrivilege	1620	{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
Token: SeIncBasePriorityPrivilege	1612	{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
Token: SeIncBasePriorityPrivilege	2268	{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1404	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	28
PID 2224 wrote to memory of 1404	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	28
PID 2224 wrote to memory of 1404	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	28
PID 2224 wrote to memory of 1404	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	28
PID 2224 wrote to memory of 2480	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	29
PID 2224 wrote to memory of 2480	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	29
PID 2224 wrote to memory of 2480	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	29
PID 2224 wrote to memory of 2480	2224	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	29
PID 1404 wrote to memory of 2616	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	30
PID 1404 wrote to memory of 2616	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	30
PID 1404 wrote to memory of 2616	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	30
PID 1404 wrote to memory of 2616	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	30
PID 1404 wrote to memory of 2812	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	31
PID 1404 wrote to memory of 2812	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	31
PID 1404 wrote to memory of 2812	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	31
PID 1404 wrote to memory of 2812	1404	{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe	31
PID 2616 wrote to memory of 2392	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	34
PID 2616 wrote to memory of 2392	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	34
PID 2616 wrote to memory of 2392	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	34
PID 2616 wrote to memory of 2392	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	34
PID 2616 wrote to memory of 2432	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	35
PID 2616 wrote to memory of 2432	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	35
PID 2616 wrote to memory of 2432	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	35
PID 2616 wrote to memory of 2432	2616	{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe	35
PID 2392 wrote to memory of 2276	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	37
PID 2392 wrote to memory of 2276	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	37
PID 2392 wrote to memory of 2276	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	37
PID 2392 wrote to memory of 2276	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	37
PID 2392 wrote to memory of 1928	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	36
PID 2392 wrote to memory of 1928	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	36
PID 2392 wrote to memory of 1928	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	36
PID 2392 wrote to memory of 1928	2392	{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe	36
PID 2276 wrote to memory of 2696	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	39
PID 2276 wrote to memory of 2696	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	39
PID 2276 wrote to memory of 2696	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	39
PID 2276 wrote to memory of 2696	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	39
PID 2276 wrote to memory of 2732	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	38
PID 2276 wrote to memory of 2732	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	38
PID 2276 wrote to memory of 2732	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	38
PID 2276 wrote to memory of 2732	2276	{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe	38
PID 2696 wrote to memory of 928	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	41
PID 2696 wrote to memory of 928	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	41
PID 2696 wrote to memory of 928	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	41
PID 2696 wrote to memory of 928	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	41
PID 2696 wrote to memory of 1688	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	40
PID 2696 wrote to memory of 1688	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	40
PID 2696 wrote to memory of 1688	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	40
PID 2696 wrote to memory of 1688	2696	{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe	40
PID 928 wrote to memory of 2764	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	43
PID 928 wrote to memory of 2764	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	43
PID 928 wrote to memory of 2764	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	43
PID 928 wrote to memory of 2764	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	43
PID 928 wrote to memory of 1956	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	42
PID 928 wrote to memory of 1956	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	42
PID 928 wrote to memory of 1956	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	42
PID 928 wrote to memory of 1956	928	{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe	42
PID 2764 wrote to memory of 1620	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	45
PID 2764 wrote to memory of 1620	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	45
PID 2764 wrote to memory of 1620	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	45
PID 2764 wrote to memory of 1620	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	45
PID 2764 wrote to memory of 1092	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	44
PID 2764 wrote to memory of 1092	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	44
PID 2764 wrote to memory of 1092	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	44
PID 2764 wrote to memory of 1092	2764	{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
  C:\Windows\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
    C:\Windows\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
      C:\Windows\{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC034~1.EXE > nul
        5⤵
        
        PID:1928
    - - C:\Windows\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
        
        C:\Windows\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{727D8~1.EXE > nul
        6⤵
        
        PID:2732
      - C:\Windows\{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
        
        C:\Windows\{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB238~1.EXE > nul
        7⤵
        
        PID:1688
        
        C:\Windows\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
        
        C:\Windows\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C596~1.EXE > nul
        8⤵
        
        PID:1956
        
        C:\Windows\{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
        
        C:\Windows\{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD026~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
        
        C:\Windows\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D55A8~1.EXE > nul
        10⤵
        
        PID:1504
        
        C:\Windows\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
        
        C:\Windows\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D1E~1.EXE > nul
        11⤵
        
        PID:2796
        
        C:\Windows\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe
        
        C:\Windows\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79A23~1.EXE > nul
        12⤵
        
        PID:2272
        
        C:\Windows\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}.exe
        
        C:\Windows\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{05D58~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4C07~1.EXE > nul
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05D5849C-70E4-4530-B5EC-CFC7548B1E4D}.exe

Filesize
380KB

MD5
605f346f2b15bf4ef1d1404c209b1e1f

SHA1
2abbdd73557f3b7f062e07483ecf37a4a4a0eba7

SHA256
61c2fc072cc378f04ff59dc68c966bef47a211b6f89242699b80a8cbd913fc5c

SHA512
ca10dc60ec362e62576e5cdcafc04ae2257897ef5bc0e7cff3ac6e2524bc40a98d05f8941eade7ed2b662fe3452860ee1963efd1c6d279e228341f676733a574

Download Submit
C:\Windows\{6C596B8F-6FC1-4704-B9BC-81554A946DE8}.exe

Filesize
380KB

MD5
b265905a7cec57ce6fbf3ccebe524336

SHA1
e06ae924d552a04d836c59ecb3918e31cd6c2356

SHA256
6840df7868bca60af33b8cfd2251975be0c6371b5f17bceb80cc94aec272cb89

SHA512
391cd5b1f5247a3cd00c95c7bf70645d043616d2a3f03532473165b35cf121146470cb38af879ceec68605f03d8f2ca890f09e0f66b7a90003b0222549c6c5d7

Download Submit
C:\Windows\{727D8040-77D0-40e2-BD4D-C1FD4D1058E1}.exe

Filesize
380KB

MD5
82414980dc044ab46221710644c9b24b

SHA1
fad5d82fac68e596037fb060f6feacbf9d4468ce

SHA256
cac70e28786fe9fbbd36127a356ce48f8c7017ed577f90ddb8012df786bb7f07

SHA512
d5c4ecd37cf65daa02e1599be211ed2caaea716e9ffe741af1c691ef6fca4369a961ca31925cb3efc4ab499a3a9ddf0e7dc56c3bb8fbad1b60d5d42adb12261b

Download Submit
C:\Windows\{77D1E287-15E5-4eeb-8EF8-428D0532CAD1}.exe

Filesize
380KB

MD5
abcca03a1e1d9426974a2adaa332b0f7

SHA1
b968ec770ad5562945fb99e99927f660b27857f5

SHA256
641d864fc4500959482b1b611680df3e1f97dfcb0741dad99330f3ddb37e228b

SHA512
3fab2e9003195220b8f005ab8f737bfbddd1275221aa7485e5a71af99b4ceacd6c40c1ea5e4541aa3e8e6fbaefc0e6246327e794c0e059c7c11bf15900b93d03

Download Submit
C:\Windows\{79A23DAB-0A75-4803-B795-DEEC44A7FB95}.exe

Filesize
380KB

MD5
4dfc83aa89d8a402a6c143006874be3a

SHA1
8ed92d987c212d11571a76f9f0114033b4a82479

SHA256
2a8cb0e0d120b3f02198ba86cfb58b2a734d9e855ce6d79628c04e8e2fd4bc34

SHA512
f075aab5a210c7bbc0f1fc435729620e506c5632845cef961a34eab9d2d2fed60360e360d9d87aeca2d46c0f41442a8066c4b54df133216010ca6fec10c396b4

Download Submit
C:\Windows\{A6F63364-1CC9-4d2f-8955-2C34C47452A8}.exe

Filesize
380KB

MD5
c201b513c257d2a5cafd206f411095be

SHA1
43c72fc75c280b3dcd0eb3c132f359f9d533c81a

SHA256
0cbcc157b44a2d5da61b73b8567045ae436e5c354716c67772af9f5705c8ba4c

SHA512
5295b14184ceab90a2ec191168244c8eb7d90de8c1f0a3f8ed8ef4df3cb26f7fdc4fd4a51cfb0173884aee8f9164c10a0cebc1de07f74b12f761bc214b5c4552

Download Submit
C:\Windows\{C4C0761E-296C-41ec-A8EA-2F5F05E35A5A}.exe

Filesize
380KB

MD5
c44e078580909ea24a747c82e3522558

SHA1
3893e683b0b17c6f556d746e9fbc95629a993c96

SHA256
7a656ad4386192f2346a5d58af8073d348a45cad3a85e9bb22c4c28b756a7f91

SHA512
429a2675825f1105130a675ce2ad237552484e3de6c69788353a3c639fef083263055a29885ba670815650f499d6427dcd8e6d1b58e084008a2182b198ceb77a

Download Submit
C:\Windows\{CC034624-EE87-442f-8EB5-0CE9D2E57682}.exe

Filesize
380KB

MD5
1ec96f03c2478fef1b9b756bf4028b11

SHA1
8a4ae906fa3b3458b9e8421089ed1257e0eb2a03

SHA256
7ec78dfa16dda211fca23d80b097cf747abf1d909c77dd6aa173bf4f1060c2cd

SHA512
8c0a875375c3953dc9111547ac3e93df80cdc962ec342e3b8f6e42bccda82a4f86b6d56156f4d330d8876595b1185a5792d3f983a731d07cc4c75e0dce89ace6

Download Submit
C:\Windows\{D55A8117-B1EA-40c7-9E43-3BAE528A6D5B}.exe

Filesize
380KB

MD5
6671c9e77197f7393beab77bed1958ec

SHA1
59acd8ee1e18c1edcc9138ad2a8db531623dd472

SHA256
6fc96e6f65830f0b661c912791c4d05d536b1d28ea2a03d15d9838e698ea7fec

SHA512
b43faacdcce6ad42887701439ba71827ec1526463b800da0c5177799b14f42b903d1dc851949c51800dad1c367bcf6613736b5869ce1a45b5a3932f9c6589e99

Download Submit
C:\Windows\{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe

Filesize
317KB

MD5
06aa69d1fcb781c9b575f4dd9b5e5b1b

SHA1
abcf55c53835bf1cc0ce94adaf85da1e522751c4

SHA256
d0220ec5b29e3cf515a883b3851e670a4ced777a4f537184860728df15964fa1

SHA512
c9771d731a5022084e53d9c3c7f24d41459864488aae00d379505b0d0b7cef1834a2473e62922abfde80f27773f2bfd8809da5776b03cc5d68c0672cff84fe1f

Download Submit
C:\Windows\{DB23813D-67F4-4914-8550-50D0890AC0EE}.exe

Filesize
380KB

MD5
c1a19d728e2f812ae6d19cc52ea17d88

SHA1
8349666ea547cf825df2cee2aa0e64240dd4b610

SHA256
c88b1e20eb754f9535501c0f7a8bc330833d6f3b579026950eead2cd727d1ad6

SHA512
83087b6a3b2ef9cd90041416b031e39ccf9ad66044855a0a68db6e9ffe53a470f75f998907a3f5993a9c72e25e7fa746c4e7221c4b29ba8d11740f760c502cf7

Download Submit
C:\Windows\{DD0261E6-7ADF-4679-A271-0C4026E84C87}.exe

Filesize
380KB

MD5
1dd3f00dc6ab868fdfb90f62ccdbd773

SHA1
dc3b99a81b23063aa9904b4d4d6601673861efbd

SHA256
87fca745ee575e26632c5f136dbb142542140a40a2db98f486c6144abb54e900

SHA512
7f10caac2b1eb744e0e6ddbfe14ad732abd28dc5b1a51f5d5ac07c5748d2778a28574586e23208bf0e9d7f6c84c5af3542632af9ab3a58e3ad4d55b1df3c1d07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads