fe1acba790122ce63abc5fa35cad6ebafc3c860b3728219ec96299cf7f6171c3

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe
Size

408KB
MD5

81dc8193fe2505a6338493b007d5e9b6
SHA1

66267fe5e4c2363202161f75cd6c212429e6ebf0
SHA256

fe1acba790122ce63abc5fa35cad6ebafc3c860b3728219ec96299cf7f6171c3
SHA512

92045158bdfe5e84714884c4f341ee254d5c08e5b8e7d1672dfb5fcf5c3ab5e0701d269a9f38ddacb250b928b79c2876e8a578d69eec09367420dcff61a9b94a
SSDEEP

3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGDldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44C159E-A409-47d6-BD37-1D65491C92D5}\stubpath = "C:\\Windows\\{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe"	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007E41DE-2D6E-4e33-B45C-276937677AB4}\stubpath = "C:\\Windows\\{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe"	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}\stubpath = "C:\\Windows\\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe"	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}	{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{166319F0-7289-4b0a-B6CF-57F0A07341E8}\stubpath = "C:\\Windows\\{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe"	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44C159E-A409-47d6-BD37-1D65491C92D5}	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}\stubpath = "C:\\Windows\\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe"	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01A196F-04C0-421b-8A91-9C2A60126262}	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007E41DE-2D6E-4e33-B45C-276937677AB4}	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}\stubpath = "C:\\Windows\\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}.exe"	{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}	{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}\stubpath = "C:\\Windows\\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe"	{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}	{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}\stubpath = "C:\\Windows\\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe"	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{166319F0-7289-4b0a-B6CF-57F0A07341E8}	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01A196F-04C0-421b-8A91-9C2A60126262}\stubpath = "C:\\Windows\\{F01A196F-04C0-421b-8A91-9C2A60126262}.exe"	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}\stubpath = "C:\\Windows\\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe"	{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}\stubpath = "C:\\Windows\\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe"	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
1644	{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe
1016	{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
2096	{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe
1392	{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}.exe	{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe
File created	C:\Windows\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
File created	C:\Windows\{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
File created	C:\Windows\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
File created	C:\Windows\{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
File created	C:\Windows\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
File created	C:\Windows\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe	{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
File created	C:\Windows\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe
File created	C:\Windows\{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
File created	C:\Windows\{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
File created	C:\Windows\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe	{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
Token: SeIncBasePriorityPrivilege	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
Token: SeIncBasePriorityPrivilege	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
Token: SeIncBasePriorityPrivilege	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
Token: SeIncBasePriorityPrivilege	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
Token: SeIncBasePriorityPrivilege	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
Token: SeIncBasePriorityPrivilege	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
Token: SeIncBasePriorityPrivilege	1644	{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe
Token: SeIncBasePriorityPrivilege	1016	{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
Token: SeIncBasePriorityPrivilege	2096	{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2508	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	28
PID 3044 wrote to memory of 2508	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	28
PID 3044 wrote to memory of 2508	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	28
PID 3044 wrote to memory of 2508	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	28
PID 3044 wrote to memory of 2560	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	29
PID 3044 wrote to memory of 2560	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	29
PID 3044 wrote to memory of 2560	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	29
PID 3044 wrote to memory of 2560	3044	2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe	29
PID 2508 wrote to memory of 2544	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	31
PID 2508 wrote to memory of 2544	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	31
PID 2508 wrote to memory of 2544	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	31
PID 2508 wrote to memory of 2544	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	31
PID 2508 wrote to memory of 3004	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	30
PID 2508 wrote to memory of 3004	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	30
PID 2508 wrote to memory of 3004	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	30
PID 2508 wrote to memory of 3004	2508	{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe	30
PID 2544 wrote to memory of 2596	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	33
PID 2544 wrote to memory of 2596	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	33
PID 2544 wrote to memory of 2596	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	33
PID 2544 wrote to memory of 2596	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	33
PID 2544 wrote to memory of 2468	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	32
PID 2544 wrote to memory of 2468	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	32
PID 2544 wrote to memory of 2468	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	32
PID 2544 wrote to memory of 2468	2544	{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe	32
PID 2596 wrote to memory of 1816	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	36
PID 2596 wrote to memory of 1816	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	36
PID 2596 wrote to memory of 1816	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	36
PID 2596 wrote to memory of 1816	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	36
PID 2596 wrote to memory of 2728	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	37
PID 2596 wrote to memory of 2728	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	37
PID 2596 wrote to memory of 2728	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	37
PID 2596 wrote to memory of 2728	2596	{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe	37
PID 1816 wrote to memory of 2796	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	39
PID 1816 wrote to memory of 2796	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	39
PID 1816 wrote to memory of 2796	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	39
PID 1816 wrote to memory of 2796	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	39
PID 1816 wrote to memory of 1040	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	38
PID 1816 wrote to memory of 1040	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	38
PID 1816 wrote to memory of 1040	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	38
PID 1816 wrote to memory of 1040	1816	{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe	38
PID 2796 wrote to memory of 1820	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	40
PID 2796 wrote to memory of 1820	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	40
PID 2796 wrote to memory of 1820	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	40
PID 2796 wrote to memory of 1820	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	40
PID 2796 wrote to memory of 1192	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	41
PID 2796 wrote to memory of 1192	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	41
PID 2796 wrote to memory of 1192	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	41
PID 2796 wrote to memory of 1192	2796	{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe	41
PID 1820 wrote to memory of 1752	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	42
PID 1820 wrote to memory of 1752	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	42
PID 1820 wrote to memory of 1752	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	42
PID 1820 wrote to memory of 1752	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	42
PID 1820 wrote to memory of 660	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	43
PID 1820 wrote to memory of 660	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	43
PID 1820 wrote to memory of 660	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	43
PID 1820 wrote to memory of 660	1820	{F01A196F-04C0-421b-8A91-9C2A60126262}.exe	43
PID 1752 wrote to memory of 1644	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	44
PID 1752 wrote to memory of 1644	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	44
PID 1752 wrote to memory of 1644	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	44
PID 1752 wrote to memory of 1644	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	44
PID 1752 wrote to memory of 2484	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	45
PID 1752 wrote to memory of 2484	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	45
PID 1752 wrote to memory of 2484	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	45
PID 1752 wrote to memory of 2484	1752	{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_81dc8193fe2505a6338493b007d5e9b6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
  C:\Windows\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E530E~1.EXE > nul
    3⤵
    PID:3004
- - C:\Windows\{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
    C:\Windows\{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16631~1.EXE > nul
      4⤵
      PID:2468
  - - C:\Windows\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
      C:\Windows\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
        
        C:\Windows\{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B44C1~1.EXE > nul
        6⤵
        
        PID:1040
      - C:\Windows\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
        
        C:\Windows\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
        
        C:\Windows\{F01A196F-04C0-421b-8A91-9C2A60126262}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
        
        C:\Windows\{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe
        
        C:\Windows\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
        
        C:\Windows\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe
        
        C:\Windows\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}.exe
        
        C:\Windows\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}.exe
        12⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{842CE~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EA0~1.EXE > nul
        11⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B647~1.EXE > nul
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{007E4~1.EXE > nul
        9⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F01A1~1.EXE > nul
        8⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E6C9~1.EXE > nul
        7⤵
        
        PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11F80~1.EXE > nul
        5⤵
        
        PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{007E41DE-2D6E-4e33-B45C-276937677AB4}.exe

Filesize
408KB

MD5
0afab8431c658abcb85d04e3c940754b

SHA1
1f4c4dafc9164c9fa8d5514dc4ea3d4eae578782

SHA256
964a5f2ecb61ffde5d1f511e1e68818efe1d4ab9084ead3536bfc56348171645

SHA512
9e7a1f5654015e0c730484879e755bbc7c66f431c8b75fb8ee1ac4596135deb5ada7d4ffc18634db172e5b7bf596e7437e60921a991fe6fe55b97e366f99f47e

Download Submit
C:\Windows\{11F80FB6-9AE9-47c4-8A2D-A72E1F9A1969}.exe

Filesize
408KB

MD5
056955a8de49e66fae4ab307976388e3

SHA1
fad4759500b7128f0e9d384e63db6b2d89f00e15

SHA256
d890d2006132c6d600a686acb7b1f30b5f02e2a872051e251bf6010b041a9a14

SHA512
cabe23c9c060175d42446a09c8b2b35d7a7653c90f5de0d7744a638ed363adec6f59ed768c2d4f764712644f6736b5c7ba5fb20c33dcb368039b1118bcee7df0

Download Submit
C:\Windows\{166319F0-7289-4b0a-B6CF-57F0A07341E8}.exe

Filesize
408KB

MD5
bbd12a54f4596f0bdbfaa7ff9f4eebe4

SHA1
f1966ad5de5eb371da5f6eb706cff6dd943ce87e

SHA256
0ec710924744c7ae6215efaa589eddf1eca933e8cafb423a4442c54f989a9785

SHA512
849fc5b316c9180e1f4690e1c101d2d22463b3c91e2a50a595420883d51604e9640394ac4dfc4c1813c8f0e46b686df592767466cac28cc1ba35a4511f6c88cc

Download Submit
C:\Windows\{3B6470A3-D91D-4c5d-B70A-737A4EC66251}.exe

Filesize
408KB

MD5
dc95245a40dbb9508f1aa7eef5a774db

SHA1
4902ca0fdba6372e52fc586a6bced2d50559e3b0

SHA256
a252112b655ea684527ac5db31b5a28b6d85c0128d5a43649830d678fca34aa4

SHA512
510c6c15c479db4671edd705c5fd204ec10e7da768c6aa30cc0b9c0d98afd17b45185dd89019a791b1cd9d84144acba7765e1c2c0e725b7ac1a796e168342ebc

Download Submit
C:\Windows\{58F2B496-E50F-4a2d-A44F-750EB2E0CC95}.exe

Filesize
408KB

MD5
ca565eb4f67aae50f0f7bae009c68282

SHA1
00bdb1f5e854e6483839d9abbaa110639d876d25

SHA256
bb9ec36f7d720600027ed9d6c7e4c5ee694387877b343c279c43c6e2b127bde4

SHA512
ed09bc0f21912ba74d8544e623c92c878b740963e51cf3ff47e9f1f6d723af58f7e4ea42a4089962d1e02aed5c8b6d98a4fdc5b46f5bb26978aa05adb27a29b4

Download Submit
C:\Windows\{6E6C90C2-B271-4cfc-9A4D-3CC2F6AABB5F}.exe

Filesize
408KB

MD5
41189261b0b45487c5074eb7b38279d5

SHA1
8bf481e4fd1abcd4d1c1d68d2cb8e68517dd66ea

SHA256
905343b04503b8ea14e366db5a1eaa25fdca437c358a53cda85c25b8b8957ebf

SHA512
73193d847b1b4a9718dffff5a576aa2d30452675c29c50ded8ae24a2727adaf8d995554ad71d3960152020936754359b0c1868a921039aa615fc1d01c0bfdbe7

Download Submit
C:\Windows\{842CE52B-9B8F-4c2b-AC2D-9C814B2FAD48}.exe

Filesize
408KB

MD5
104bd86c8dec170f652e57a8e4819eb4

SHA1
db93c0bff6c1afded89da3bbb8b873d9012061d2

SHA256
1ecf68dbfbd2ac1797c63034a3ae165dace013e81c26a00dc0f788aff3986358

SHA512
8c5faf49b6a6bad9a5ebdad88e033d5d5004e82feab90541c8236201f56255416235272f36d18dfec418dbc7481f39dd90a528aa9c0c47649a43f4e018413f3e

Download Submit
C:\Windows\{B44C159E-A409-47d6-BD37-1D65491C92D5}.exe

Filesize
408KB

MD5
913da4407bb3cc5b66918b35c2966cf2

SHA1
02e2bbf8feee05544c8b00ff11f3b3261996ba86

SHA256
856c85c939be1b7265024662252007954ff0ad994077beaf45efd9ca726ad6eb

SHA512
edff99f69462bb06cde89ade2f6e864eeb30b63957ebf5cd3018047293d7c20adf83ac3270a80efa00d47b1b32397173fefa6f01e417eaf63536871e8ab5daae

Download Submit
C:\Windows\{E530E085-C7B5-4d1f-BB64-BC55BA04AD5B}.exe

Filesize
408KB

MD5
8ad08aaf00ed130603fd51b1631e512a

SHA1
79c274c2d57b0e976c4a82124f1df86bfdae9a08

SHA256
c49153f102ebb50d443f2eb2569df0aab00fd14658f216ca5e0b89bab0c12f23

SHA512
63ba2703b185eb2f7c68c5c7f9b8922e883caa8814f52c2b70065c7b8a09a3aeb903e4279eda53d481e669db8b8a75404e31b464ed8db3ef7bb193dc73d2e2f6

Download Submit
C:\Windows\{E7EA0DFD-712E-4b18-A730-10E43A6F8CB6}.exe

Filesize
408KB

MD5
96062dd44ff16eb3f7ec87b59b3b4aad

SHA1
59e40a63fcdc1b035b709de2051c80f26d820021

SHA256
0da32696f6b00367601ddd0021c42732b0afa2b96c7d534d02601f77e00df930

SHA512
3921d190995d14d809f424379474fe18336ffe0cd8d83c2dc5d128df1035ff6baba18dcfc858852c10a41b3cc7684f6e73f9aac6a04c1a2c6265a14ae84ce50a

Download Submit
C:\Windows\{F01A196F-04C0-421b-8A91-9C2A60126262}.exe

Filesize
408KB

MD5
d75722a19c316a69af19ec8143ab3077

SHA1
66a6fcb145fe8bc10e5604c490ef98400f164352

SHA256
ec52163385dd635f6fd5590dbe9082eed44dd6a50470a77d84d1a093c75a99e0

SHA512
3c0d0b97bb4668cf02265e2f1ee79b64da174675c6a21d6f2302a932581d1e8ebba21b3678a0f259ee2ebe6993e58e04cccfa214d305ea6243448b23481fcb59

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads