27a2dc67088163e989c5c1ad89272e1a98fc24566da583f955006564cb2a76db

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 19:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe
Size

197KB
MD5

0d0fbf878b425ab9a2e4cfed94ba5cb0
SHA1

7f95d16e21a802ef96acece6123cfeb8c7ec04f3
SHA256

27a2dc67088163e989c5c1ad89272e1a98fc24566da583f955006564cb2a76db
SHA512

e1c6790c72d38eff9d5c8e2977b085ec28690b6ec14403f70c4c6c556e958dc0af7199a033baeb3329dc006866b774944e17ce3e245bfd06d9f0ca22ab54fe64
SSDEEP

3072:jEGh0oql+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122f0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122f0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000149f5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122f0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122f0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122f0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}\stubpath = "C:\\Windows\\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe"	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9399282-2C8F-48be-8239-F35E827B3334}\stubpath = "C:\\Windows\\{B9399282-2C8F-48be-8239-F35E827B3334}.exe"	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}\stubpath = "C:\\Windows\\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}.exe"	{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E831644-ECCD-4645-A2CF-15AF8418A716}	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}\stubpath = "C:\\Windows\\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe"	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}\stubpath = "C:\\Windows\\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe"	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E230102D-D996-49e6-9683-3F76E6C4C5EB}\stubpath = "C:\\Windows\\{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe"	{B9399282-2C8F-48be-8239-F35E827B3334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59B62355-3831-48b7-BA23-110FA94AED86}	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}	{59B62355-3831-48b7-BA23-110FA94AED86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}\stubpath = "C:\\Windows\\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe"	{59B62355-3831-48b7-BA23-110FA94AED86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}\stubpath = "C:\\Windows\\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe"	{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E831644-ECCD-4645-A2CF-15AF8418A716}\stubpath = "C:\\Windows\\{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe"	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}\stubpath = "C:\\Windows\\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe"	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59B62355-3831-48b7-BA23-110FA94AED86}\stubpath = "C:\\Windows\\{59B62355-3831-48b7-BA23-110FA94AED86}.exe"	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}	{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9399282-2C8F-48be-8239-F35E827B3334}	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E230102D-D996-49e6-9683-3F76E6C4C5EB}	{B9399282-2C8F-48be-8239-F35E827B3334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}	{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe
2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
1516	{59B62355-3831-48b7-BA23-110FA94AED86}.exe
2232	{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe
2224	{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe
2436	{D8522966-62D7-4d5b-8D21-0D9DF6200C70}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe	{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe
File created	C:\Windows\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
File created	C:\Windows\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
File created	C:\Windows\{B9399282-2C8F-48be-8239-F35E827B3334}.exe	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
File created	C:\Windows\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe	{59B62355-3831-48b7-BA23-110FA94AED86}.exe
File created	C:\Windows\{59B62355-3831-48b7-BA23-110FA94AED86}.exe	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
File created	C:\Windows\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}.exe	{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe
File created	C:\Windows\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe
File created	C:\Windows\{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
File created	C:\Windows\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
File created	C:\Windows\{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	{B9399282-2C8F-48be-8239-F35E827B3334}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
Token: SeIncBasePriorityPrivilege	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
Token: SeIncBasePriorityPrivilege	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
Token: SeIncBasePriorityPrivilege	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
Token: SeIncBasePriorityPrivilege	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
Token: SeIncBasePriorityPrivilege	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe
Token: SeIncBasePriorityPrivilege	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
Token: SeIncBasePriorityPrivilege	1516	{59B62355-3831-48b7-BA23-110FA94AED86}.exe
Token: SeIncBasePriorityPrivilege	2232	{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe
Token: SeIncBasePriorityPrivilege	2224	{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2172	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	28
PID 756 wrote to memory of 668	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe	29
PID 2172 wrote to memory of 2596	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	30
PID 2172 wrote to memory of 2596	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	30
PID 2172 wrote to memory of 2596	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	30
PID 2172 wrote to memory of 2596	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	30
PID 2172 wrote to memory of 2660	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	31
PID 2172 wrote to memory of 2660	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	31
PID 2172 wrote to memory of 2660	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	31
PID 2172 wrote to memory of 2660	2172	{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe	31
PID 2596 wrote to memory of 2460	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	32
PID 2596 wrote to memory of 2460	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	32
PID 2596 wrote to memory of 2460	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	32
PID 2596 wrote to memory of 2460	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	32
PID 2596 wrote to memory of 2892	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	33
PID 2596 wrote to memory of 2892	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	33
PID 2596 wrote to memory of 2892	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	33
PID 2596 wrote to memory of 2892	2596	{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe	33
PID 2460 wrote to memory of 2504	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	36
PID 2460 wrote to memory of 2504	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	36
PID 2460 wrote to memory of 2504	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	36
PID 2460 wrote to memory of 2504	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	36
PID 2460 wrote to memory of 2828	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	37
PID 2460 wrote to memory of 2828	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	37
PID 2460 wrote to memory of 2828	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	37
PID 2460 wrote to memory of 2828	2460	{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe	37
PID 2504 wrote to memory of 2404	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	38
PID 2504 wrote to memory of 2404	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	38
PID 2504 wrote to memory of 2404	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	38
PID 2504 wrote to memory of 2404	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	38
PID 2504 wrote to memory of 2768	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	39
PID 2504 wrote to memory of 2768	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	39
PID 2504 wrote to memory of 2768	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	39
PID 2504 wrote to memory of 2768	2504	{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe	39
PID 2404 wrote to memory of 1980	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	40
PID 2404 wrote to memory of 1980	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	40
PID 2404 wrote to memory of 1980	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	40
PID 2404 wrote to memory of 1980	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	40
PID 2404 wrote to memory of 2816	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	41
PID 2404 wrote to memory of 2816	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	41
PID 2404 wrote to memory of 2816	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	41
PID 2404 wrote to memory of 2816	2404	{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe	41
PID 1980 wrote to memory of 2760	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	42
PID 1980 wrote to memory of 2760	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	42
PID 1980 wrote to memory of 2760	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	42
PID 1980 wrote to memory of 2760	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	42
PID 1980 wrote to memory of 2772	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	43
PID 1980 wrote to memory of 2772	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	43
PID 1980 wrote to memory of 2772	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	43
PID 1980 wrote to memory of 2772	1980	{B9399282-2C8F-48be-8239-F35E827B3334}.exe	43
PID 2760 wrote to memory of 1516	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	44
PID 2760 wrote to memory of 1516	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	44
PID 2760 wrote to memory of 1516	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	44
PID 2760 wrote to memory of 1516	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	44
PID 2760 wrote to memory of 2984	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	45
PID 2760 wrote to memory of 2984	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	45
PID 2760 wrote to memory of 2984	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	45
PID 2760 wrote to memory of 2984	2760	{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_0d0fbf878b425ab9a2e4cfed94ba5cb0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
  C:\Windows\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
    C:\Windows\{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
      C:\Windows\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
        
        C:\Windows\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
        
        C:\Windows\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\{B9399282-2C8F-48be-8239-F35E827B3334}.exe
        
        C:\Windows\{B9399282-2C8F-48be-8239-F35E827B3334}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
        
        C:\Windows\{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{59B62355-3831-48b7-BA23-110FA94AED86}.exe
        
        C:\Windows\{59B62355-3831-48b7-BA23-110FA94AED86}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe
        
        C:\Windows\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe
        
        C:\Windows\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}.exe
        
        C:\Windows\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}.exe
        12⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC85D~1.EXE > nul
        12⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6DA~1.EXE > nul
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59B62~1.EXE > nul
        10⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2301~1.EXE > nul
        9⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9399~1.EXE > nul
        8⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA5BB~1.EXE > nul
        7⤵
        
        PID:2816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09DF9~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F57BB~1.EXE > nul
        5⤵
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1E831~1.EXE > nul
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2936~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09DF916B-8C44-4f2b-A7F9-991C48CB2000}.exe

Filesize
197KB

MD5
e99b4d504457574792f6c8e6f70598f4

SHA1
89d495ef035450aa973ec4b76b4d58ea81f235c9

SHA256
4e404a6e4215652ae5a7b1a598867f96f7a1dabb274c56a3586115e27b778c1e

SHA512
b823fe93794b7eff2fba6fdf8843be17ebd879188b06353f93b66ac95994cce6a743e806b53ed9159bada208f309ad4f9762c53c4ad8b7d3ba6a88d622449425

Download Submit
C:\Windows\{1E831644-ECCD-4645-A2CF-15AF8418A716}.exe

Filesize
197KB

MD5
1fb574a067ebad86b2e7b8759adb4f32

SHA1
3abd848869c4e9754131bd882931aa04a9e33a5e

SHA256
a33055b328c317c9deaf49aa0ef32d36adbf44fbe60d507241f3de992f7155c3

SHA512
f876f296e885a27ccf22f1e4b74184ec61695f1c0c8769634ad97b215837100dffae2e99f9bbf9a0bfda1c5541996d99429a394c3292a0230929fb5efb14e3b3

Download Submit
C:\Windows\{59B62355-3831-48b7-BA23-110FA94AED86}.exe

Filesize
197KB

MD5
7581a87aef785572e02f5febb746b599

SHA1
e7e6852ede06b7378df6775f54b959702f9f79c0

SHA256
69647e86fdaeca4029f11ad1f2b01d51d5e971a6c3c8736e45641300abbf24d3

SHA512
8fe5fac5528f609745f0dd676e244d6234db581fa994d3600bde6264cb29fd75b2b506d8d78fecaff91bda66949f7368548691ce14fb051c8901e85b7d2b182e

Download Submit
C:\Windows\{6C6DAAE4-8B43-4cc4-AF4C-6D71AE9E4B2B}.exe

Filesize
197KB

MD5
43d35d283dfb89406cec9befff62edd1

SHA1
454c811dbc1cfa3f6358b6637d9cd6b83b271bf0

SHA256
7b38e053b13aa2f6059f41a938810dc5f7a3468917ae3bd8ea59ee3d59dce7fd

SHA512
8bfc925901215e219b2fe0c26102def4bdffb6103bc9e6690e2e8d6aecbbe818b06dd581f94d812f24e933b87d2b1b1105c3e657ba6db32e86c047363bfb06aa

Download Submit
C:\Windows\{B9399282-2C8F-48be-8239-F35E827B3334}.exe

Filesize
197KB

MD5
29134c70c50c826f53288d7c9a74c114

SHA1
455454130e474efb06787ddc29b93f45396b3199

SHA256
9fe8ce16df116c10cfd8dd43e2a29eefc551fe213e8a38104a097e1389c04fd2

SHA512
f0cc15899838fb02d46537d66a77c8416209d94dcb5d398f9528ea6fb0a9fbd399e2831739974b0e9a52bc54ca19d0b48ea59e68e702a988c97719b547058241

Download Submit
C:\Windows\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe

Filesize
197KB

MD5
cc81e9d7e933944e61d6052d10352ec8

SHA1
08145f6126928ebbbd72835b62e2e43c0d6057e1

SHA256
5820be02afe5435c0942f96d8f0c653a31550cf3e1289805b2f8a51efed4e264

SHA512
f26a6081a40d3343143e47dc5ef24ed1338c3b9face9736b447058949cfbcf4a54da8119b45e0ee590b5bef715610b4f6500ef5b5d05272b42832f5a60b333cc

Download Submit
C:\Windows\{C29368A5-4D2A-4206-B52F-FDFBBB43C11A}.exe

Filesize
182KB

MD5
2ec1521df6b0e575a8c3f27f21d85912

SHA1
9e8cd2aef6573dcb5112af177b911ddf32537935

SHA256
aeba2c363445bc8413e798fc786e985399921466275ccc28a11f29cce0f27307

SHA512
dd553af8a9e58b583f90165ff5d31877c1e712cc3fbfc1a43e6326694c3dcd4f7b5af059a46265b9dc5ef35021de4e437f9274115672a69b9fa939bddbb1e06a

Download Submit
C:\Windows\{CC85DAEE-526F-489d-B1B4-3ADD82F8B5DB}.exe

Filesize
197KB

MD5
76a5554e62727748e95d2501b54c669c

SHA1
c3fad706748517f63967fc967acfcc63ff17a9bc

SHA256
a23de7a0ccc31e4a5df052401d5c7f346408b5aa15d3485bd2b31e92da90376d

SHA512
9c78a0315ab58c8d9863cb5d123b38d9e0ec8776a9301ecf14614e310f644e8fd4d7619fd0a8a800064ba3fe6a781b548e8c1dc8aeca08a0a8b6ae936803bd8a

Download Submit
C:\Windows\{D8522966-62D7-4d5b-8D21-0D9DF6200C70}.exe

Filesize
197KB

MD5
f93636f82d7965d2a44b8d3b7050b17a

SHA1
e198aae58df072b28d6cc7f339fd1bebb5d4b42e

SHA256
c9f0e13f7d26ee66b9a49295cc4cce64a789b72cd096629c83c675b1c25d61e5

SHA512
9bcfb9cff3229e74b94caf77dad194cf793d82ceeb9f3840842a4ab05237932c4d717e9d124eaac97f01cae1b627b108707033db002496686f12b99b761bdf83

Download Submit
C:\Windows\{DA5BBFB1-12BC-4cc8-BA7F-EA5D55BC1C7E}.exe

Filesize
197KB

MD5
857b9c9bc24ac79f007c2fe58b7e9f20

SHA1
495336a8ced2dc805993393d15eb463564da46d8

SHA256
331a8364290554df8c8a723e623b399e1fd712b8083b8c9479650ace95d3d1d3

SHA512
b3e5dbdc355b5962fbe510561d1d035c2c12015de1f7365d20ba1d074d0f058abbdb4dddaa1ab28c605906f2aaa152c4f28113b24d58cb7c95de9ee31d390c30

Download Submit
C:\Windows\{E230102D-D996-49e6-9683-3F76E6C4C5EB}.exe

Filesize
197KB

MD5
96080404d59b161db6562eec8d0f517e

SHA1
5a0aa47553296fa4f6fb8052b5688b740787882c

SHA256
105b3b9a1875c063536fb7574ab01a65e8d546fbfbd7e95e6c306f71eb94ce1f

SHA512
a455419ecc75b56981ac3dcea88b5e90d88dea8dadc3205aa12258fc31cedafb2ffb647485c8ae815af4465fd8eff6f2d3817f5740e2fe653bb3b43262b24b12

Download Submit
C:\Windows\{F57BBA3F-6FB2-4349-A6E7-E71421EDEEDC}.exe

Filesize
197KB

MD5
d7751d16f7bbafa1855c06efe2a46002

SHA1
1f6081cc98260e9209abaacbc8acaed9933b1dc1

SHA256
07ee24b33ad93eb1ecee9b251324aa0134d0ecccab3d035e469336c0033e09ab

SHA512
3dfe700179f3a33836da2f459206fde7f4434dc5a4d0eb3153868ff5e609cf6e184279df07edab820afb83ea6ede883cdbcb748919e629cecc0a7a8e5b37681e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads