40f77924bd21308d09b0340b34774c967fa599e4da2547ceb811330d95ae8372

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Size

168KB
MD5

7320e5b0d9cb34d976c5034bf92bd85c
SHA1

556bb4b3b7d6570c5a44a4b0e4373bc9b92cd393
SHA256

40f77924bd21308d09b0340b34774c967fa599e4da2547ceb811330d95ae8372
SHA512

c7ac2af63403a3c5f666c43f5657949a6af199893377b6b0af80567284f7d1b0d1ff5dfd3502ec04a2d57503869756637ad3379cd5b2ee94b3ff645a5328e1db
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001221f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001233c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001233c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001233c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015e01-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001233c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60E35428-7309-4aa8-9D6E-574DE44039D6}\stubpath = "C:\\Windows\\{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe"	{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}\stubpath = "C:\\Windows\\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe"	{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}\stubpath = "C:\\Windows\\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe"	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}\stubpath = "C:\\Windows\\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe"	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A6B39F9-A96C-49bb-8480-9086FF996522}	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92936A10-1BCB-475c-A704-D4E38475DA0C}\stubpath = "C:\\Windows\\{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe"	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}	{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2ABF888-3791-4248-8F35-9C5C091494AD}	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}\stubpath = "C:\\Windows\\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe"	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}\stubpath = "C:\\Windows\\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe"	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A6B39F9-A96C-49bb-8480-9086FF996522}\stubpath = "C:\\Windows\\{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe"	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92936A10-1BCB-475c-A704-D4E38475DA0C}	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}	{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}\stubpath = "C:\\Windows\\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}.exe"	{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2ABF888-3791-4248-8F35-9C5C091494AD}\stubpath = "C:\\Windows\\{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe"	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}\stubpath = "C:\\Windows\\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe"	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60E35428-7309-4aa8-9D6E-574DE44039D6}	{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
804	{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe
1684	{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe
2064	{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe
2992	{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
File created	C:\Windows\{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
File created	C:\Windows\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}.exe	{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe
File created	C:\Windows\{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
File created	C:\Windows\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
File created	C:\Windows\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
File created	C:\Windows\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
File created	C:\Windows\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
File created	C:\Windows\{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
File created	C:\Windows\{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe	{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe
File created	C:\Windows\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe	{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
Token: SeIncBasePriorityPrivilege	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
Token: SeIncBasePriorityPrivilege	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
Token: SeIncBasePriorityPrivilege	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
Token: SeIncBasePriorityPrivilege	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
Token: SeIncBasePriorityPrivilege	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
Token: SeIncBasePriorityPrivilege	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
Token: SeIncBasePriorityPrivilege	804	{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe
Token: SeIncBasePriorityPrivilege	1684	{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe
Token: SeIncBasePriorityPrivilege	2064	{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2996	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	28
PID 2504 wrote to memory of 2996	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	28
PID 2504 wrote to memory of 2996	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	28
PID 2504 wrote to memory of 2996	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	28
PID 2504 wrote to memory of 2092	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	29
PID 2504 wrote to memory of 2092	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	29
PID 2504 wrote to memory of 2092	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	29
PID 2504 wrote to memory of 2092	2504	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	29
PID 2996 wrote to memory of 2564	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	30
PID 2996 wrote to memory of 2564	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	30
PID 2996 wrote to memory of 2564	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	30
PID 2996 wrote to memory of 2564	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	30
PID 2996 wrote to memory of 2108	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	31
PID 2996 wrote to memory of 2108	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	31
PID 2996 wrote to memory of 2108	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	31
PID 2996 wrote to memory of 2108	2996	{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe	31
PID 2564 wrote to memory of 2540	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	34
PID 2564 wrote to memory of 2540	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	34
PID 2564 wrote to memory of 2540	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	34
PID 2564 wrote to memory of 2540	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	34
PID 2564 wrote to memory of 2468	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	35
PID 2564 wrote to memory of 2468	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	35
PID 2564 wrote to memory of 2468	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	35
PID 2564 wrote to memory of 2468	2564	{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe	35
PID 2540 wrote to memory of 2336	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	36
PID 2540 wrote to memory of 2336	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	36
PID 2540 wrote to memory of 2336	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	36
PID 2540 wrote to memory of 2336	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	36
PID 2540 wrote to memory of 592	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	37
PID 2540 wrote to memory of 592	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	37
PID 2540 wrote to memory of 592	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	37
PID 2540 wrote to memory of 592	2540	{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe	37
PID 2336 wrote to memory of 2724	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	38
PID 2336 wrote to memory of 2724	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	38
PID 2336 wrote to memory of 2724	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	38
PID 2336 wrote to memory of 2724	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	38
PID 2336 wrote to memory of 2696	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	39
PID 2336 wrote to memory of 2696	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	39
PID 2336 wrote to memory of 2696	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	39
PID 2336 wrote to memory of 2696	2336	{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe	39
PID 2724 wrote to memory of 1128	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	40
PID 2724 wrote to memory of 1128	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	40
PID 2724 wrote to memory of 1128	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	40
PID 2724 wrote to memory of 1128	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	40
PID 2724 wrote to memory of 1072	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	41
PID 2724 wrote to memory of 1072	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	41
PID 2724 wrote to memory of 1072	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	41
PID 2724 wrote to memory of 1072	2724	{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe	41
PID 1128 wrote to memory of 1844	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	42
PID 1128 wrote to memory of 1844	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	42
PID 1128 wrote to memory of 1844	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	42
PID 1128 wrote to memory of 1844	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	42
PID 1128 wrote to memory of 920	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	43
PID 1128 wrote to memory of 920	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	43
PID 1128 wrote to memory of 920	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	43
PID 1128 wrote to memory of 920	1128	{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe	43
PID 1844 wrote to memory of 804	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	44
PID 1844 wrote to memory of 804	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	44
PID 1844 wrote to memory of 804	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	44
PID 1844 wrote to memory of 804	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	44
PID 1844 wrote to memory of 2488	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	45
PID 1844 wrote to memory of 2488	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	45
PID 1844 wrote to memory of 2488	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	45
PID 1844 wrote to memory of 2488	1844	{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
  C:\Windows\{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
    C:\Windows\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
      C:\Windows\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
        
        C:\Windows\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
        
        C:\Windows\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
        
        C:\Windows\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
        
        C:\Windows\{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe
        
        C:\Windows\{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe
        
        C:\Windows\{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe
        
        C:\Windows\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}.exe
        
        C:\Windows\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7C8~1.EXE > nul
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60E35~1.EXE > nul
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92936~1.EXE > nul
        10⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A6B3~1.EXE > nul
        9⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EF3E~1.EXE > nul
        8⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD61B~1.EXE > nul
        7⤵
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E885A~1.EXE > nul
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA8EE~1.EXE > nul
        5⤵
        
        PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E4FF~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2ABF~1.EXE > nul
    3⤵
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A6B39F9-A96C-49bb-8480-9086FF996522}.exe

Filesize
168KB

MD5
2c6a0faf0b56081742ab93ae4e6445a4

SHA1
18ec2c9ff5f022d1ba37b8094d2337ec6168eb39

SHA256
a6dd3c04746b5167ee04cc7248caead8d3cf914845eda0efbbf409880662dbc7

SHA512
ba55d16c07a522a724973818cf474d825e95bf9c4664cf400db6c04b6b5f0b285a7ccef707d001135e305b76d6e4f7dbaf3d487e8ef1d7fc0408b7b7f51013c5

Download Submit
C:\Windows\{2E4FF158-7DB2-4bc4-B4D2-3AD7E46C9DED}.exe

Filesize
168KB

MD5
5910fe4aa7585189742a8554706ff756

SHA1
8f6b01e8663c62e4db91ece7fcdafeb9f20b67fb

SHA256
23c70c3f1844cc008d88f876f5a32f4d50b7a531da6478c86c94b0ab4220650f

SHA512
41771f43c869b851a897d62f097a849050808bcfd70bfb89432088a0c5c62ddad43d1f961acb050217d8fbd5c40a9f0e98ae02cf3e605f7e0e86cafd5cb0f5d0

Download Submit
C:\Windows\{60E35428-7309-4aa8-9D6E-574DE44039D6}.exe

Filesize
168KB

MD5
2eeba6dae915233bfae75a920227667b

SHA1
fa6012dcb6dc6ff1eb64d888fcc6ac0deebfbfda

SHA256
a26ee8fc7e6830fad59c1364d81104f574497f51e1151c0231f8aafd78208642

SHA512
f1b5af6f810e54619d12a8ced826de9a185a9e4a0d3d48842ad5d6595ef626f2e8c721cbe79b8f3f8796aec41529ca287342fa4141d4924c60481666f5e9f471

Download Submit
C:\Windows\{8A7C86EE-BACB-4eef-BD38-8FC0EC397940}.exe

Filesize
168KB

MD5
45913401f6ddc18ff68f833b7e60ccba

SHA1
b1c5c7451156a8cdaf558834f1230a3c447c4fe1

SHA256
2b0c863a11efcc1bd62b6db04b1cd47de2ba03709189f0370c45ef9fca28076b

SHA512
118cc300c8671d7a87605c5a7b9c852048946b6be9ee9657edd2ec516558d717633ac20790df2f85d64d5f4e7c72db8157c78eeb91a03fe9f94f7a497e4c275d

Download Submit
C:\Windows\{8EF3E9D5-68F7-49c6-96BD-9EC7E7031B2D}.exe

Filesize
168KB

MD5
8527ddcc77d13c7741ead79160792f79

SHA1
5c5f0b5482a0957b019bf53a7c7c0cffc1ba2d84

SHA256
abddc97a81e57159979ef691939459537160f5c83fc93e1b8dd687cbdc1448d6

SHA512
d3aa4c404c137890e2a4b65ede4fcbb65fa6d19914d0bceb2285e447752eaf873e37a7cf062b4c7ab42a8365e12924bbb38cc258aca1260e64eda873198ef896

Download Submit
C:\Windows\{92936A10-1BCB-475c-A704-D4E38475DA0C}.exe

Filesize
168KB

MD5
1df697b387509c64f67b2b89b96da7ad

SHA1
38e1af58d817fa83ea4e68b202fdf8cd989a59e1

SHA256
d6561eb95f11445935d23d412a56e15dfc1fb5367a6209de3292290c0289a3d1

SHA512
6e696646f884f062e49257a02f6782216755d451d3182d4614b4d71d96b988c976315d90603e9c73c1c86cec6304e443c44dcb9bc6801288a9a365de429f87ea

Download Submit
C:\Windows\{C80DB8B4-4DF5-417f-A566-2F04F97CD7F1}.exe

Filesize
168KB

MD5
7d4e283fecdb72344542900ed2b71696

SHA1
651147b8f2bbf1d06a4b5779f2be97e2b7264f2f

SHA256
075e0432b1bd2c065817ddc5b1884665366c6e3885b1dc4c1f5c711e42a3148b

SHA512
8070a4fd3060e3c1123c781c985a6611e851f09531b15de4d71fbcffb5dbcada8b0382db209cd62df8f5db368c5aff55b9c625fbcb36ca50e087f1c9d383e33e

Download Submit
C:\Windows\{CD61B04F-9313-4bb6-95B0-4C07F74B5844}.exe

Filesize
168KB

MD5
381766ad365717283aff9f3ecb13f63a

SHA1
3e478659bf4638a3a0dd9231f2bdc6677a3a471c

SHA256
398d4a281b7343362313f1440dcc4b6e9ee268b6180dde4c01dc3cc5e847334f

SHA512
85b4d41a113bc178074e7acdd3a9fdfb8e0fcae86f756ffd4f797d12917028e9f9887f01b76041778541a55fc91b0dd34224221670d804d45a05a5bb278802a5

Download Submit
C:\Windows\{E885A07B-CB62-4741-9120-A61C0BAA5DA1}.exe

Filesize
168KB

MD5
91ed9fc370c8a0baf5e853c073af2e09

SHA1
71fdc458bd10e02a32af57a209d0fd341231c62f

SHA256
a412962187b2505ef020e81ac321c56d5b6ea03c2b5f962150381d33e3dc85c9

SHA512
c5c1184070f7a6cc0382ec26503d7b31cb834bf8d94868bb5fc2b18e39535e5042568eb448a86035524063676423db073501c01a2d885c4e9f7d131f864016d2

Download Submit
C:\Windows\{EA8EE379-BCB3-4d00-A41E-49E9A109CC54}.exe

Filesize
168KB

MD5
6101b85e57d8b3c87e81aaade0604246

SHA1
928642524a10d1f3ad861eab23975a055a1330a4

SHA256
d17802d35a3bf59e0dca36075d3e5c95a1e85d155fb5914c048093980d9252a1

SHA512
059ef1810f30e111bb64e51f5d8e3c9edb97d8f5d26e64a5a7d87bcbe147f0c8cf25dda09c0460c707742f9195c49423bc9a90c335072ac5c52f8cf91537d61c

Download Submit
C:\Windows\{F2ABF888-3791-4248-8F35-9C5C091494AD}.exe

Filesize
168KB

MD5
1d60f592e83e42f3538c9b0ad5395ab4

SHA1
b942a02410e9b14e2d528bb64896b35dbdb62988

SHA256
c95cb01a2e4fe244fb8a94fe1ad356f4aa4bf8db0d85fa51524b3f2689df4991

SHA512
c84803d1ac7d7eba91ff1a921e497ee712fd2b966e9f025804169f71dc8c7d4fb3aa9809fc464fbc986f1695ff6d4c71d573deeb73ce3b5e63a2c55b403339a1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads