1d03b791839bc0c6af588d939248d51867cf05d0cdb94c470d0ba3cc5ff90897

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 11:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe
Size

168KB
MD5

01e1bac24386cf9cda40638423083a85
SHA1

e5821df0da6db92a57ebe6bc03a3781c7a567461
SHA256

1d03b791839bc0c6af588d939248d51867cf05d0cdb94c470d0ba3cc5ff90897
SHA512

46bd4c088fc0d7f2a8776792c87fd3a4177533000d0313fc9d7469568d6c95e2394044c7c0ff5a58fbbc625fff9739cb20c7e2385b17b89848907c0bcc0c976f
SSDEEP

1536:1EGh0oIlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oIlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012226-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015c65-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000015d85-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015c65-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000015d85-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}\stubpath = "C:\\Windows\\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}.exe"	{65C03350-BE01-4884-BBC6-A540C541A192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8862865-10DE-4354-86E0-2C20F085D4DB}\stubpath = "C:\\Windows\\{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe"	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACACFC8-FD92-412f-AFFF-279710815E55}	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACACFC8-FD92-412f-AFFF-279710815E55}\stubpath = "C:\\Windows\\{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe"	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C03350-BE01-4884-BBC6-A540C541A192}\stubpath = "C:\\Windows\\{65C03350-BE01-4884-BBC6-A540C541A192}.exe"	{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}\stubpath = "C:\\Windows\\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe"	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}\stubpath = "C:\\Windows\\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe"	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}\stubpath = "C:\\Windows\\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe"	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}	{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}\stubpath = "C:\\Windows\\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe"	{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C03350-BE01-4884-BBC6-A540C541A192}	{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}\stubpath = "C:\\Windows\\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe"	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}	{65C03350-BE01-4884-BBC6-A540C541A192}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}\stubpath = "C:\\Windows\\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe"	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}\stubpath = "C:\\Windows\\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe"	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8862865-10DE-4354-86E0-2C20F085D4DB}	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe
872	{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe
1232	{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
2104	{65C03350-BE01-4884-BBC6-A540C541A192}.exe
2256	{E0442009-547E-4727-8FEB-21F5CDDD9BE3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
File created	C:\Windows\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
File created	C:\Windows\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
File created	C:\Windows\{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe
File created	C:\Windows\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}.exe	{65C03350-BE01-4884-BBC6-A540C541A192}.exe
File created	C:\Windows\{65C03350-BE01-4884-BBC6-A540C541A192}.exe	{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
File created	C:\Windows\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe
File created	C:\Windows\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
File created	C:\Windows\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
File created	C:\Windows\{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
File created	C:\Windows\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe	{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
Token: SeIncBasePriorityPrivilege	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
Token: SeIncBasePriorityPrivilege	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
Token: SeIncBasePriorityPrivilege	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
Token: SeIncBasePriorityPrivilege	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
Token: SeIncBasePriorityPrivilege	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
Token: SeIncBasePriorityPrivilege	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe
Token: SeIncBasePriorityPrivilege	872	{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe
Token: SeIncBasePriorityPrivilege	1232	{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
Token: SeIncBasePriorityPrivilege	2104	{65C03350-BE01-4884-BBC6-A540C541A192}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2500	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	28
PID 1364 wrote to memory of 2500	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	28
PID 1364 wrote to memory of 2500	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	28
PID 1364 wrote to memory of 2500	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	28
PID 1364 wrote to memory of 3016	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	29
PID 1364 wrote to memory of 3016	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	29
PID 1364 wrote to memory of 3016	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	29
PID 1364 wrote to memory of 3016	1364	2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe	29
PID 2500 wrote to memory of 2632	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	30
PID 2500 wrote to memory of 2632	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	30
PID 2500 wrote to memory of 2632	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	30
PID 2500 wrote to memory of 2632	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	30
PID 2500 wrote to memory of 2592	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	31
PID 2500 wrote to memory of 2592	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	31
PID 2500 wrote to memory of 2592	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	31
PID 2500 wrote to memory of 2592	2500	{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe	31
PID 2632 wrote to memory of 2472	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	34
PID 2632 wrote to memory of 2472	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	34
PID 2632 wrote to memory of 2472	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	34
PID 2632 wrote to memory of 2472	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	34
PID 2632 wrote to memory of 2888	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	35
PID 2632 wrote to memory of 2888	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	35
PID 2632 wrote to memory of 2888	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	35
PID 2632 wrote to memory of 2888	2632	{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe	35
PID 2472 wrote to memory of 864	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	36
PID 2472 wrote to memory of 864	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	36
PID 2472 wrote to memory of 864	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	36
PID 2472 wrote to memory of 864	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	36
PID 2472 wrote to memory of 324	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	37
PID 2472 wrote to memory of 324	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	37
PID 2472 wrote to memory of 324	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	37
PID 2472 wrote to memory of 324	2472	{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe	37
PID 864 wrote to memory of 3068	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	38
PID 864 wrote to memory of 3068	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	38
PID 864 wrote to memory of 3068	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	38
PID 864 wrote to memory of 3068	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	38
PID 864 wrote to memory of 2144	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	39
PID 864 wrote to memory of 2144	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	39
PID 864 wrote to memory of 2144	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	39
PID 864 wrote to memory of 2144	864	{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe	39
PID 3068 wrote to memory of 2108	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	40
PID 3068 wrote to memory of 2108	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	40
PID 3068 wrote to memory of 2108	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	40
PID 3068 wrote to memory of 2108	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	40
PID 3068 wrote to memory of 2236	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	41
PID 3068 wrote to memory of 2236	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	41
PID 3068 wrote to memory of 2236	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	41
PID 3068 wrote to memory of 2236	3068	{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe	41
PID 2108 wrote to memory of 1664	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	42
PID 2108 wrote to memory of 1664	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	42
PID 2108 wrote to memory of 1664	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	42
PID 2108 wrote to memory of 1664	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	42
PID 2108 wrote to memory of 2008	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	43
PID 2108 wrote to memory of 2008	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	43
PID 2108 wrote to memory of 2008	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	43
PID 2108 wrote to memory of 2008	2108	{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe	43
PID 1664 wrote to memory of 872	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	44
PID 1664 wrote to memory of 872	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	44
PID 1664 wrote to memory of 872	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	44
PID 1664 wrote to memory of 872	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	44
PID 1664 wrote to memory of 2664	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	45
PID 1664 wrote to memory of 2664	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	45
PID 1664 wrote to memory of 2664	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	45
PID 1664 wrote to memory of 2664	1664	{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_01e1bac24386cf9cda40638423083a85_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
  C:\Windows\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
    C:\Windows\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
      C:\Windows\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
        
        C:\Windows\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
        
        C:\Windows\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
        
        C:\Windows\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe
        
        C:\Windows\{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe
        
        C:\Windows\{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
        
        C:\Windows\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\{65C03350-BE01-4884-BBC6-A540C541A192}.exe
        
        C:\Windows\{65C03350-BE01-4884-BBC6-A540C541A192}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}.exe
        
        C:\Windows\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C03~1.EXE > nul
        12⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2129~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8862~1.EXE > nul
        10⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACAC~1.EXE > nul
        9⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6954~1.EXE > nul
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB645~1.EXE > nul
        7⤵
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5427A~1.EXE > nul
        6⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A43E~1.EXE > nul
        5⤵
        
        PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E6C~1.EXE > nul
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32F2B~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A43E8E7-A14F-4123-B7A2-FEA2621FDF1B}.exe

Filesize
168KB

MD5
6c3273efb8b64e8329c5cecd341ca346

SHA1
0b4eec796019862b4ac5e358c1b9ed3729aa1877

SHA256
5e9e497147054b7f568071419f438479234bb5de60bc53d1f6558c1d3470cc0b

SHA512
139aa6a0b33d41fbeb3bf21718c15247a27e0c2c799b8b72003090ec54ba82b8b02bbbb5499cc2f108cabb11c846a94e2ed1f97af1be26f515c3b8126493c468

Download Submit
C:\Windows\{32F2BF69-8A8A-4a7f-9586-26F8223ECCA5}.exe

Filesize
168KB

MD5
abe31f05389d50b8a5f89c796964b866

SHA1
984766dabf2433432eeadf37a366015c2c99e132

SHA256
c754fab55a78ae1896a34625d73cfc76e96bb6704aee9129bd7cdc6592f017af

SHA512
885d9ecd990e611e6b0648e54bf6a3843d6b28978589c85dca89cc67de35b87b98ca3cd005448c8de5f4e8fc53a63d43eb285c3df293733517faefbfe3ee1999

Download Submit
C:\Windows\{3ACACFC8-FD92-412f-AFFF-279710815E55}.exe

Filesize
168KB

MD5
c692d331ad19e2b4255e9970d74cba48

SHA1
4b95fb0a6e0dbcc72d6e298df214c9d228f13763

SHA256
248938bf07133eae83078d8a2311ca27b665f709bb4d997523b10c3586dadfb1

SHA512
249bcdd76e241aaf388b31608767ac052335cb4dd7ac814ca6ece84e84db991b7fb3b49207800cd5ef17f32ea8e4137fb90527b392bf73de78b47b21f218137b

Download Submit
C:\Windows\{5427AB9A-D570-483b-AAB4-0CB0166AAC4D}.exe

Filesize
168KB

MD5
e694350a2da6f34c136fa942bfc9344a

SHA1
471d2f23dd693b7e135c7cdebe0ee6ab3654c496

SHA256
3b84a36023d1064d0981fb6a77f869ef33f8632ed9ffd65e62dc6a7ff5d7d587

SHA512
e03d8c2dba3de922c77411a9c8e99b70985d625a3478cd27ba1d1e0bac32a90b582219e083302dadcfe732f38994f131e86855498d6aa9b77fd4bc77387e1af2

Download Submit
C:\Windows\{65C03350-BE01-4884-BBC6-A540C541A192}.exe

Filesize
168KB

MD5
e365d512611948b48f8e22215ed720dc

SHA1
5310214c04707570417e2519ef5434ea436cb787

SHA256
eed3b73e42caf13c2e72e0801ddad02a90850ecd25968263748984c8c6300b39

SHA512
4ac533e150d02d10e3d47f71969f2f848724e0d6580f507daf6ef23ca30a3956b4940ef694b9e6fb75780c337a9b6e2e836d10f676544229af4cf79946331551

Download Submit
C:\Windows\{C2129546-BA37-4b7c-9CC8-A8911BF3C7C3}.exe

Filesize
168KB

MD5
0a15d27cf4c93b84757e4e5522b5af65

SHA1
9ffd4a40576f9e49e59b5c6f321fdaf6146a1b4e

SHA256
cbec936ebe8d3b9fdb4860f84ce3b813794c98bb2fc577349370c8a13317eb18

SHA512
8bdc5d4396d92bb5694dcc50665a5a15c7d56dcb533a58acbca1d378b4ff0983b4cb18ee3ba07d9bdbd82acd3773cfb3f80537ac281023236ceb82b977052908

Download Submit
C:\Windows\{D8862865-10DE-4354-86E0-2C20F085D4DB}.exe

Filesize
168KB

MD5
9fbdcd83210fc6900c42045a226444e1

SHA1
43fe445fec2eda43cf715ea19ca7a249b6da86bb

SHA256
d01b9e734ca0c04134607357cd728836d1fe25b6d0650a2c770a07ac8bb3c1f9

SHA512
c7d9b9dbdcb49e648c8a5a97beed7335df04bf7712171c5ab1a072d3773f629bb93d8d73de13e7de4b929796a006732d08b5bac7e0c1189acc9012e19b1325f7

Download Submit
C:\Windows\{E0442009-547E-4727-8FEB-21F5CDDD9BE3}.exe

Filesize
168KB

MD5
db7efcdfcd42f44d686c004415cfbcc2

SHA1
b533754fb22539080c17a0a91fcd15d6cbadf804

SHA256
9232e8fa210ec83a37e8e7fc3a23fb4cce69eb391f817f63f73e5cafdc8c2368

SHA512
146f32b1e9aee36a6560a3bcaebeff57a72f4b8fdc6ee2bff4f67981d79dd77259cd9cbbb9e35ae646370789c29f2dbc7ccd78850b53dd021163f677e52114b2

Download Submit
C:\Windows\{F2E6C82F-44A3-427f-8950-F3D6F7A8E1FA}.exe

Filesize
168KB

MD5
2b7065edd7850fb3f1561614e7df3773

SHA1
35a4d7bfd8ea24f49816c628d799c7e2b1346794

SHA256
9cfffc7b22328a9a013c192e9f78bef33c3f0c3e3faab78bff456b947176705b

SHA512
a3c07b19599f4ab831dfd5851efc407298106c733b1b9da2b9f9d040b7d2e19c99c03a01a20110d903625ca587a5eb61ac05f0df36b1fe03d16b932d4e79843f

Download Submit
C:\Windows\{F69548C7-5ADF-425f-AAA1-CF964540ABB9}.exe

Filesize
168KB

MD5
fd9d7d7c4f7d2cb34ad6020196e64ffc

SHA1
173c1ec87fea5d1d786fdef0ae3c502094b0c3fe

SHA256
9fa6a9405870f0c96cf493371cce70ad3d5adbad86a62fe4b13d376896b84a17

SHA512
348e69f2dc8057a6b157173fc80d69f2aba77f724f3f128d5a149d7e1d154b8e5594232e4233d9d5d405bf3484c86760c465b2e2367f3912833cdbc8019ca7f0

Download Submit
C:\Windows\{FB6454F0-9DD3-4857-BED8-1E3270D1FBE4}.exe

Filesize
168KB

MD5
18fe75526bb0d7f60b24be5e6d2c58f3

SHA1
c713280c6dfbf45b37496d7f4ccb9c5f75bbabc3

SHA256
0fdbea547381ba027de864aec81f76ebbfb6632d228791587506082c13311b7c

SHA512
5354654d93715368d03cd871c4e5b5b6a23bd273ff71616e49680ecd9abd7ed5a8defc76213c1f1d0897fd78a5501506ac6e0fcb8f3688861bd436d4552f5d10

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads