8bd50f74e37d241bb9f312702fd6293feff977cd63fa3b15d8b345a6297b5716

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe
Size

168KB
MD5

ff681b171503bba4d05778685aa10a2e
SHA1

e118cb1643f665ca6909bfd16f44a29a76005240
SHA256

8bd50f74e37d241bb9f312702fd6293feff977cd63fa3b15d8b345a6297b5716
SHA512

3d69e20d1f2ed45cb0fb1206b9938c75d7e2f4f02d7f40bdc330e2ad48bb3d94da984cf69199903c4d6a989238003a7c4c30379d1869c530b4b7fe28573cbc34
SSDEEP

1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000143fa-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000167ef-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000143fa-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000143fa-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000143fa-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000143fa-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383A69FD-9620-453a-BC9A-B063F0CB625B}	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}\stubpath = "C:\\Windows\\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe"	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}\stubpath = "C:\\Windows\\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe"	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}\stubpath = "C:\\Windows\\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe"	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}\stubpath = "C:\\Windows\\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe"	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}\stubpath = "C:\\Windows\\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe"	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}\stubpath = "C:\\Windows\\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe"	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15900941-66E3-4a16-A26A-F0D985AC5BE9}\stubpath = "C:\\Windows\\{15900941-66E3-4a16-A26A-F0D985AC5BE9}.exe"	{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15900941-66E3-4a16-A26A-F0D985AC5BE9}	{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}\stubpath = "C:\\Windows\\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe"	{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}\stubpath = "C:\\Windows\\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe"	{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}	{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}	{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383A69FD-9620-453a-BC9A-B063F0CB625B}\stubpath = "C:\\Windows\\{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe"	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}\stubpath = "C:\\Windows\\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe"	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe
2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe
1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
296	{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
1840	{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
2460	{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe
2344	{15900941-66E3-4a16-A26A-F0D985AC5BE9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
File created	C:\Windows\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe	{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
File created	C:\Windows\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
File created	C:\Windows\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
File created	C:\Windows\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe
File created	C:\Windows\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
File created	C:\Windows\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe	{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
File created	C:\Windows\{15900941-66E3-4a16-A26A-F0D985AC5BE9}.exe	{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe
File created	C:\Windows\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe
File created	C:\Windows\{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
File created	C:\Windows\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
Token: SeIncBasePriorityPrivilege	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
Token: SeIncBasePriorityPrivilege	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
Token: SeIncBasePriorityPrivilege	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe
Token: SeIncBasePriorityPrivilege	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe
Token: SeIncBasePriorityPrivilege	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
Token: SeIncBasePriorityPrivilege	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
Token: SeIncBasePriorityPrivilege	296	{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
Token: SeIncBasePriorityPrivilege	1840	{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
Token: SeIncBasePriorityPrivilege	2460	{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2080	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	28
PID 1848 wrote to memory of 2080	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	28
PID 1848 wrote to memory of 2080	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	28
PID 1848 wrote to memory of 2080	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	28
PID 1848 wrote to memory of 2508	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	29
PID 1848 wrote to memory of 2508	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	29
PID 1848 wrote to memory of 2508	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	29
PID 1848 wrote to memory of 2508	1848	2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe	29
PID 2080 wrote to memory of 2492	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	30
PID 2080 wrote to memory of 2492	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	30
PID 2080 wrote to memory of 2492	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	30
PID 2080 wrote to memory of 2492	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	30
PID 2080 wrote to memory of 2088	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	31
PID 2080 wrote to memory of 2088	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	31
PID 2080 wrote to memory of 2088	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	31
PID 2080 wrote to memory of 2088	2080	{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe	31
PID 2492 wrote to memory of 2836	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	32
PID 2492 wrote to memory of 2836	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	32
PID 2492 wrote to memory of 2836	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	32
PID 2492 wrote to memory of 2836	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	32
PID 2492 wrote to memory of 2408	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	33
PID 2492 wrote to memory of 2408	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	33
PID 2492 wrote to memory of 2408	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	33
PID 2492 wrote to memory of 2408	2492	{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe	33
PID 2836 wrote to memory of 472	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	36
PID 2836 wrote to memory of 472	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	36
PID 2836 wrote to memory of 472	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	36
PID 2836 wrote to memory of 472	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	36
PID 2836 wrote to memory of 856	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	37
PID 2836 wrote to memory of 856	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	37
PID 2836 wrote to memory of 856	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	37
PID 2836 wrote to memory of 856	2836	{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe	37
PID 472 wrote to memory of 2600	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	38
PID 472 wrote to memory of 2600	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	38
PID 472 wrote to memory of 2600	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	38
PID 472 wrote to memory of 2600	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	38
PID 472 wrote to memory of 1592	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	39
PID 472 wrote to memory of 1592	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	39
PID 472 wrote to memory of 1592	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	39
PID 472 wrote to memory of 1592	472	{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe	39
PID 2600 wrote to memory of 1468	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	40
PID 2600 wrote to memory of 1468	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	40
PID 2600 wrote to memory of 1468	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	40
PID 2600 wrote to memory of 1468	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	40
PID 2600 wrote to memory of 2144	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	41
PID 2600 wrote to memory of 2144	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	41
PID 2600 wrote to memory of 2144	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	41
PID 2600 wrote to memory of 2144	2600	{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe	41
PID 1468 wrote to memory of 1792	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	42
PID 1468 wrote to memory of 1792	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	42
PID 1468 wrote to memory of 1792	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	42
PID 1468 wrote to memory of 1792	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	42
PID 1468 wrote to memory of 2128	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	43
PID 1468 wrote to memory of 2128	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	43
PID 1468 wrote to memory of 2128	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	43
PID 1468 wrote to memory of 2128	1468	{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe	43
PID 1792 wrote to memory of 296	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	44
PID 1792 wrote to memory of 296	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	44
PID 1792 wrote to memory of 296	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	44
PID 1792 wrote to memory of 296	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	44
PID 1792 wrote to memory of 1168	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	45
PID 1792 wrote to memory of 1168	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	45
PID 1792 wrote to memory of 1168	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	45
PID 1792 wrote to memory of 1168	1792	{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_ff681b171503bba4d05778685aa10a2e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
  C:\Windows\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
    C:\Windows\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
      C:\Windows\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe
        
        C:\Windows\{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\Windows\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe
        
        C:\Windows\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
        
        C:\Windows\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
        
        C:\Windows\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
        
        C:\Windows\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
        
        C:\Windows\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe
        
        C:\Windows\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\{15900941-66E3-4a16-A26A-F0D985AC5BE9}.exe
        
        C:\Windows\{15900941-66E3-4a16-A26A-F0D985AC5BE9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39A42~1.EXE > nul
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3FFE~1.EXE > nul
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55CE1~1.EXE > nul
        10⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14EE4~1.EXE > nul
        9⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DB5A~1.EXE > nul
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF255~1.EXE > nul
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{383A6~1.EXE > nul
        6⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F57~1.EXE > nul
        5⤵
        
        PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4E9~1.EXE > nul
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74AB5~1.EXE > nul
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DB5ADC1-0877-418f-9C0F-1D39F62DB2C8}.exe

Filesize
168KB

MD5
a8c0ba6ccb48746dc4a6a22de6adff23

SHA1
439dd941e571f3ab0de4059fed36d809f3721a1c

SHA256
4009deb2ffd2745c906f33418b5fedb6e51bde0cebfca477e95ab8b17822dab5

SHA512
4e918ddd717ccee9587213857e0d7add79f65cda45dc876cfb408fe936c7f9edbdf0fe489f677832173e89fac98cc17c6cb48add8e5478dae778c5f5d4506cf4

Download Submit
C:\Windows\{14EE4AE2-9B96-4185-BC25-27D99541E2B8}.exe

Filesize
168KB

MD5
ef728fa8c978d8563d5fb7622e0773f8

SHA1
3653e8dd3621debadc6d2bc9a0b9c6af740775e4

SHA256
22022061b074ac77a5a6ec0373a9a1ef6617c52bf8c79f1b328388631e272142

SHA512
e1a30a960ec0fb5029b2f6fb3d139c242fcd44e7f3c4bcb48133d4198d5ca2bf09659806dff14db8bbf6466baac9feb2bc7d8635d5ebfb31f82aa566a53c524d

Download Submit
C:\Windows\{15900941-66E3-4a16-A26A-F0D985AC5BE9}.exe

Filesize
168KB

MD5
ef7cf8a3c7a95c0c4ffffa2e3f853607

SHA1
54f4d4b72bb5121c0b7b44edffc0a17affa58834

SHA256
13764974219041c1e5b4a290a3acd766daa23d6172c8dd4b8eeb831c7fdf00de

SHA512
55b73d4235c9b7a49cc9c5d1a48c16788aae13518d44bae86086f388705447ad5578bf79140dfcd42380bdaa910a73f6a15893075748412e767e6f793cc97770

Download Submit
C:\Windows\{383A69FD-9620-453a-BC9A-B063F0CB625B}.exe

Filesize
168KB

MD5
a3316ce4f66b31ab7cf65e5af1228c19

SHA1
37b4ce18a7607ee910a5c2a6f523881a61d2c3cf

SHA256
d352e346423f27c810b75807a0a2e74c70c3ede8338935d997aef160454c81f2

SHA512
2be5bf69223fe5849e63537f03ea5671dba596b074c6b4384ca95b9c0f56ac6cd222c16e39bf380e2b620e9edf9ff4319c8f234ca221efac8d11f3120d272b4a

Download Submit
C:\Windows\{39A420BE-DAB6-4849-916B-F42ADDB38DB4}.exe

Filesize
168KB

MD5
2b0ff8aec7dfaf849b6b5fcb496150d0

SHA1
1ea71f49488e2d9cd9ecf0f17a52fedac70b16eb

SHA256
d90ade68d2715204ad49f863b8e97063c738a42f4881c76384abb94f0226e0c9

SHA512
4789dd7ec6ed0623e743d7a74442e5db8a05eb03acf4ef77f0fed82bb9d16c2760521f105b26679f06a1416e4763eecd7c8753f71baed8850aa92189d86ec62a

Download Submit
C:\Windows\{55CE1296-A6BD-4f70-81D5-2136AA9BB934}.exe

Filesize
168KB

MD5
b3b0b899b26528a3b27b6c66c890f9bc

SHA1
915845b2a56b11cb7012da05c1b0df18c19ebe99

SHA256
deb4dc616affdb675c52a200277bf53bcf7fbd7821c892d2c979b9c3364d5363

SHA512
76ce060e1c31614764275fbfd9b00577d110ce7fae112f7afa3e9236d53ceb2c92b4569347d240482c0f0bef08468a9ada6ea8c1a9a9947c9e61ce087c7ad59c

Download Submit
C:\Windows\{74AB5BAC-61AD-491e-BF82-C0C2E1EC59A7}.exe

Filesize
168KB

MD5
1a26c6efca260b9c4e185dfc9b731578

SHA1
a170f5d9aebe8646f583173da3d56ebf0e548f7c

SHA256
fed626341df9957360bbb9f9a1c4d4d8852efe4ccd04338618eb0dacd5ab5f1b

SHA512
04d44a4bc985ce6daa45c1b0f588f57ad601c04a4f44c865bcee9f3806e52bfbdb900a133b76e361a93752227dca6111d85aab30e9e439bcef909e563eefbe85

Download Submit
C:\Windows\{8C4E998F-2DD8-4b4b-A08D-DB57D9B2DA47}.exe

Filesize
168KB

MD5
f3d597dea93a56502de14d7b09d7ed3a

SHA1
4aa781de26bd6f3c8220d24679b89a0c78695a52

SHA256
f18990e8e070a65555e66ceeac303937f18e7910dae0c76262e24a461fad780c

SHA512
2b45c73370b11401a0dde149c795a31590af2fb2a0d5dd22b2f873c40d74a6f9afcfddcc7895c54456e1f1a308c9c4bd59c4e4ee2b9491d5f0aa4853d751d6c6

Download Submit
C:\Windows\{AF255ED1-6AAF-4733-8F6C-5FDA35B6F64E}.exe

Filesize
168KB

MD5
97ee79821bf9304b57c968b7d7f96288

SHA1
7915319629df38f7fedeec0476ed61e9d6f60497

SHA256
58fb1444dfd641953925ad48675adc302f7d2d67f19315af140ae56411abc783

SHA512
1a298673da57605070e826d28c2ce1576179226da3b397b105d8d0523b0f95bbcee0804e8bd78c886e4d9670f8c62d9c52ac6b2970fcabd61cb061b02e18a260

Download Submit
C:\Windows\{B5F5771F-0BCA-4f82-8313-CD6FD98B9B1C}.exe

Filesize
168KB

MD5
ae36a514bb8ab3cdcb150f012ddccf81

SHA1
6a8ad5f0e065b1c20c61366bbd11f8c3f2ad0abd

SHA256
ba4f0d5caebc98fae760de6484ad1c6a9307760cf1fb5b0e171e8c0768a07fe5

SHA512
804abd92f87000244d6b9e5382eff8597ac0552fc47458e8365f56aab43b51cf3c6ec71c420bb747c85a62a724f802018fa1ed6678feca8c6284a6ce62ba4fd6

Download Submit
C:\Windows\{E3FFE24A-3F6A-480a-8441-FB5B3E0AFFFA}.exe

Filesize
168KB

MD5
55084b6c78d59b3ffe10bc33d74a27ff

SHA1
a0994b6e1dd123e3e144c35c4bde4143e88f7d52

SHA256
5c1e89486a53c67942e216c54ea25f2d74aac0a67e0dc380f8eadfd5cbb6d5e2

SHA512
af9375b584a1709486c5ce5f7d3b144fa3aec473fae32f0330cf9c71039d18b690221042e9de6dd8aa4a3560e18f0e785c396808d78757a32777f7928ed96037

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads