a52a35b2fcb4a9ea2bb6731e59c4ae5e0941302ca88f1e13fa5067b2fac99222

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Size

344KB
MD5

aa26920988f31cae055d298ad44e08db
SHA1

691b65fda5a4206aa09fbca72316e3d95d12f43c
SHA256

a52a35b2fcb4a9ea2bb6731e59c4ae5e0941302ca88f1e13fa5067b2fac99222
SHA512

9b456cb8f321cea1fb1a7715881d5ba5fa68eeea7f122972c4c6deeb3b9ebd4bcb1f7aefa484d29ee2658d50a4b93fb25b2a723c61b30d9db6186ce383bbb87d
SSDEEP

3072:mEGh0onlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGBlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d1a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d31-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016287-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001650c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016287-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000165ae-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000165ae-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}\stubpath = "C:\\Windows\\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe"	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}\stubpath = "C:\\Windows\\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe"	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}	{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D68B38-D9A2-4b10-B316-AFB76699418F}	{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D64D261-C63E-4ed7-9890-D225C8F8329F}	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D64D261-C63E-4ed7-9890-D225C8F8329F}\stubpath = "C:\\Windows\\{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe"	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}\stubpath = "C:\\Windows\\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe"	{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21823BE2-B42A-46cf-888F-C3962D4E27D5}	{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21823BE2-B42A-46cf-888F-C3962D4E27D5}\stubpath = "C:\\Windows\\{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe"	{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D68B38-D9A2-4b10-B316-AFB76699418F}\stubpath = "C:\\Windows\\{B9D68B38-D9A2-4b10-B316-AFB76699418F}.exe"	{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C051FA50-69FE-4915-828B-62CD8322BFCA}	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BD2BFC-D0C4-499c-B630-490399DC3371}	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}\stubpath = "C:\\Windows\\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe"	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214CC0CE-3A64-4154-A95D-8375264DF34F}	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214CC0CE-3A64-4154-A95D-8375264DF34F}\stubpath = "C:\\Windows\\{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe"	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C051FA50-69FE-4915-828B-62CD8322BFCA}\stubpath = "C:\\Windows\\{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe"	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BD2BFC-D0C4-499c-B630-490399DC3371}\stubpath = "C:\\Windows\\{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe"	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23B1909-A7A4-477b-9F43-692D985D4FC4}	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23B1909-A7A4-477b-9F43-692D985D4FC4}\stubpath = "C:\\Windows\\{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe"	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe
2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
1612	{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
2072	{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
2336	{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe
1332	{B9D68B38-D9A2-4b10-B316-AFB76699418F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
File created	C:\Windows\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
File created	C:\Windows\{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe
File created	C:\Windows\{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
File created	C:\Windows\{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe	{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
File created	C:\Windows\{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
File created	C:\Windows\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
File created	C:\Windows\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
File created	C:\Windows\{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
File created	C:\Windows\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe	{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
File created	C:\Windows\{B9D68B38-D9A2-4b10-B316-AFB76699418F}.exe	{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
Token: SeIncBasePriorityPrivilege	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
Token: SeIncBasePriorityPrivilege	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe
Token: SeIncBasePriorityPrivilege	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
Token: SeIncBasePriorityPrivilege	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
Token: SeIncBasePriorityPrivilege	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
Token: SeIncBasePriorityPrivilege	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
Token: SeIncBasePriorityPrivilege	1612	{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
Token: SeIncBasePriorityPrivilege	2072	{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
Token: SeIncBasePriorityPrivilege	2336	{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1940	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	28
PID 2044 wrote to memory of 1940	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	28
PID 2044 wrote to memory of 1940	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	28
PID 2044 wrote to memory of 1940	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	28
PID 2044 wrote to memory of 2396	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	29
PID 2044 wrote to memory of 2396	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	29
PID 2044 wrote to memory of 2396	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	29
PID 2044 wrote to memory of 2396	2044	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	29
PID 1940 wrote to memory of 2588	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	30
PID 1940 wrote to memory of 2588	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	30
PID 1940 wrote to memory of 2588	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	30
PID 1940 wrote to memory of 2588	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	30
PID 1940 wrote to memory of 2684	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	31
PID 1940 wrote to memory of 2684	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	31
PID 1940 wrote to memory of 2684	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	31
PID 1940 wrote to memory of 2684	1940	{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe	31
PID 2588 wrote to memory of 2740	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	32
PID 2588 wrote to memory of 2740	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	32
PID 2588 wrote to memory of 2740	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	32
PID 2588 wrote to memory of 2740	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	32
PID 2588 wrote to memory of 2868	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	33
PID 2588 wrote to memory of 2868	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	33
PID 2588 wrote to memory of 2868	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	33
PID 2588 wrote to memory of 2868	2588	{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe	33
PID 2740 wrote to memory of 2556	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	36
PID 2740 wrote to memory of 2556	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	36
PID 2740 wrote to memory of 2556	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	36
PID 2740 wrote to memory of 2556	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	36
PID 2740 wrote to memory of 2796	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	37
PID 2740 wrote to memory of 2796	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	37
PID 2740 wrote to memory of 2796	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	37
PID 2740 wrote to memory of 2796	2740	{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe	37
PID 2556 wrote to memory of 840	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	38
PID 2556 wrote to memory of 840	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	38
PID 2556 wrote to memory of 840	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	38
PID 2556 wrote to memory of 840	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	38
PID 2556 wrote to memory of 1724	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	39
PID 2556 wrote to memory of 1724	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	39
PID 2556 wrote to memory of 1724	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	39
PID 2556 wrote to memory of 1724	2556	{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe	39
PID 840 wrote to memory of 1776	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	40
PID 840 wrote to memory of 1776	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	40
PID 840 wrote to memory of 1776	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	40
PID 840 wrote to memory of 1776	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	40
PID 840 wrote to memory of 2216	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	41
PID 840 wrote to memory of 2216	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	41
PID 840 wrote to memory of 2216	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	41
PID 840 wrote to memory of 2216	840	{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe	41
PID 1776 wrote to memory of 936	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	42
PID 1776 wrote to memory of 936	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	42
PID 1776 wrote to memory of 936	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	42
PID 1776 wrote to memory of 936	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	42
PID 1776 wrote to memory of 2804	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	43
PID 1776 wrote to memory of 2804	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	43
PID 1776 wrote to memory of 2804	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	43
PID 1776 wrote to memory of 2804	1776	{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe	43
PID 936 wrote to memory of 1612	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	44
PID 936 wrote to memory of 1612	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	44
PID 936 wrote to memory of 1612	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	44
PID 936 wrote to memory of 1612	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	44
PID 936 wrote to memory of 1536	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	45
PID 936 wrote to memory of 1536	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	45
PID 936 wrote to memory of 1536	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	45
PID 936 wrote to memory of 1536	936	{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
  C:\Windows\{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
    C:\Windows\{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe
      C:\Windows\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
        
        C:\Windows\{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
        
        C:\Windows\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
        
        C:\Windows\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
        
        C:\Windows\{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
        
        C:\Windows\{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
        
        C:\Windows\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe
        
        C:\Windows\{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{B9D68B38-D9A2-4b10-B316-AFB76699418F}.exe
        
        C:\Windows\{B9D68B38-D9A2-4b10-B316-AFB76699418F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21823~1.EXE > nul
        12⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78BE2~1.EXE > nul
        11⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D64D~1.EXE > nul
        10⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{214CC~1.EXE > nul
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13F5D~1.EXE > nul
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B0B~1.EXE > nul
        7⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E23B1~1.EXE > nul
        6⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99D9A~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73BD2~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C051F~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13F5DD6E-E358-42eb-9756-1B7AD45BBC9D}.exe

Filesize
344KB

MD5
d9da3226f97383f5abb3f7a27d06f93c

SHA1
9869245111559cd591d5492d09ca18347bacc066

SHA256
43ce76a67aac723ae2bc6938ceabd8263b60705f830ea6849f15d3a95d2957eb

SHA512
565322f7c21f4bc4fe8d8f9bdbe65a7ea0624aea7c2c093e6be0bb3ba70729faef489df2f02fd0aa6c4ce5da161e4fce02df70e686c37c7cf0011c465fd439a5

Download Submit
C:\Windows\{1D64D261-C63E-4ed7-9890-D225C8F8329F}.exe

Filesize
344KB

MD5
3b76ad5b5fdd435aef0beb2a23a2a49a

SHA1
3cf1d12b148bac5fb2fccc0f80855667d965dca5

SHA256
fa1629aa19ee4e396398268f35c79936d5bfdccc6de71ea001b2633a632efae8

SHA512
cd4cdc1984d6b929266f4ee1e5162b7cc672c36da6632386699abe5e4f1b0cdd128dc3da4c96c7eca7db0fdceba3559260027e6be348d59dce778aa3b35171aa

Download Submit
C:\Windows\{214CC0CE-3A64-4154-A95D-8375264DF34F}.exe

Filesize
344KB

MD5
ed4c0c901c6187fe81105a315a399de4

SHA1
a6fdf28b4daf410c0c2efeccd7cab1ac45c4b894

SHA256
13a89169976cccbf650dfe0a29e96dbe9feae6da5a7ca1b1ee676f5e6e50e123

SHA512
a7dd06d90cc6605ca8848bcba6206ff1eb5a6a5ea345ae4a54dac2e8fd3706f9eb6aecb6844fe32471cf13827e9717a49c849cbb8292a5d82e876ad5beb040ae

Download Submit
C:\Windows\{21823BE2-B42A-46cf-888F-C3962D4E27D5}.exe

Filesize
344KB

MD5
374c4a7c4e3786573c2e1b8d08f24937

SHA1
f1adaba7eb2d0fd5b572720fd9d3792777633bbb

SHA256
63896fad3d8acd3244a6f728570e3cae678ba6905fcced54bb65b89001e101bb

SHA512
db20d6d43f5c1266ff2374c8c822418656b7bb69990d85a24781745247e360785117815c463cac2e1a57131abeef8231b9b04196622092e67dd820e59c7c9950

Download Submit
C:\Windows\{73BD2BFC-D0C4-499c-B630-490399DC3371}.exe

Filesize
344KB

MD5
28ed8ed3c59bc71a647c3afacd615c27

SHA1
3f9f179c91197986e1cc37251e3f6affe28d05f0

SHA256
911b2b041d3e582c8f4aaabf022695ee22691fc6f49c6dcec73a8c1515d7cdfa

SHA512
0c166f641708a0acc47e98799dc8e89ccf011519e131ba0155bc968036da43adb774d07c9ace8a660a5de71a318b85c7ffb07617bf0dddc07d0d77433dfd3a86

Download Submit
C:\Windows\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe

Filesize
344KB

MD5
4afdbfd31423df77a887f4911292b56c

SHA1
007cc6daf219da36b60701e14963f51da88291c4

SHA256
db45d16ad0fa295d530ffbefdb5047e290099926416857664f47d394ae36dbdf

SHA512
4c4e54579970903d4911d4ebb82c18565c3623587399505533af70ed89d70e025d413f0c49f17ff0eb730a47b9d44f801a78237ba9397192b0418db644a247ef

Download Submit
C:\Windows\{78BE21A0-87B0-4bcb-8443-4AF7DEA20A53}.exe

Filesize
236KB

MD5
986464ff54af6e78b91aacc1702e5131

SHA1
6d36e37cd3b93943c7ac1abf4f2cf7ec4f5621cf

SHA256
928fa06d94e1a1b3dec439cda057bca9696a0018b5a252b123e51d5229a63ee5

SHA512
a4884dd28f951ce837f6156b74c5438f24fa56b80d2add5049c631f158cb351153314d60d4cc3e17fa407d2e84ee65382bb7e38e7aaf128df5a8096fd2290fcf

Download Submit
C:\Windows\{99D9AAE4-6741-44a1-9196-E22F3C6D4BBA}.exe

Filesize
344KB

MD5
50d1c1ae84c5d52cd5ab09da13773a39

SHA1
0f41e81fb6e42f57d6870b951c91aa9b51af5c8e

SHA256
49f0c6a3794be5b80028b65257a7ecc89e1ad5bf4e5d46f0ec943b9a3ceff3c6

SHA512
904a9f70d6b6d614dcefa116b6bc7c9eba3726b6bd51ca3a22aefe00fd34490b9b6e28fa44fb52c74325a4ce5b1c154647e4c4522fb17f2897d0c6e92670fb9d

Download Submit
C:\Windows\{B1B0BB7B-50B7-47c5-9D4A-A51D0FF9C0AE}.exe

Filesize
344KB

MD5
c081f9b2f69fccdd0f219ce6487a64e2

SHA1
bb129cf0fc685b99b884916634fa2da2fe248db7

SHA256
55895cb43215a823f6eaa0e2abd9b68b677899be7ff2cd442afd4af085dba68f

SHA512
53e45e9dd26765f9ce31999ab193817669e74ae192c08e40d9e79af21a9dcc27cd1fcaa29086928e41bdee344280d2a594fb4ed0b84df3ad69c9d1eeacbb9913

Download Submit
C:\Windows\{B9D68B38-D9A2-4b10-B316-AFB76699418F}.exe

Filesize
344KB

MD5
6ca87c62341706ae49221d970e740a9a

SHA1
ff4f95dbda76182e9cd49ecafe17886085c523b7

SHA256
a1f537ce451fa6e40dfaae26f5716c569eddf70aba5c44e33ca26a093bab0449

SHA512
84b5bd1140bd61f4848b246398eb59ba6c8abeed97a959e7e2a17eaddb6b9fb63065826518b60554be6f300cbe7eb07fefa276834bec2795c151baab6248da63

Download Submit
C:\Windows\{C051FA50-69FE-4915-828B-62CD8322BFCA}.exe

Filesize
344KB

MD5
f0b2f0154dfaa6491ec07d919283c86f

SHA1
68c165de3e58a9e83790aa358c830028bcbd3c98

SHA256
ef98d0d8b31ed23cfe2e5838c9638d8ab4df0b7e94440ec68d26e5d641ab28fe

SHA512
6de8b8ce1e98baa4f68588794db8778bc998a536220f19a3ce528c363c77d4eac51d4471e2128d2ff15ac4efd0f99c65e162213a0f994748d5bd992a9495eae2

Download Submit
C:\Windows\{E23B1909-A7A4-477b-9F43-692D985D4FC4}.exe

Filesize
344KB

MD5
2ccdd01312875c70f68b9433fb379022

SHA1
114c807004375d0db4ebe829acbf9e46b8434fb3

SHA256
3fec611f29dd5f0eac5fc8351e20370fdd9451411c047cea72eca8ab94bb67a7

SHA512
94f4136a476c84361471eff58cba721c897ffc9e8b4113cd5ff7f733c486e60f004dbd8a0b61dad72f776986af17dcb5d75a9153475509116c5eafd24a48b30b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads