1bdd35a29d4b0bda09e361f635cbcee2a32e7f573d289aab9ed98dbb50ddf866

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe
Size

408KB
MD5

ebe05313c99422f99c79c14da6cff5d9
SHA1

3ef76f0fed633cf343a5a61331c28945cf39fd4f
SHA256

1bdd35a29d4b0bda09e361f635cbcee2a32e7f573d289aab9ed98dbb50ddf866
SHA512

da9e5ca4779b12a972b2b66a11ece32a69fe028ab98b3967f14eb6934d0de4bfdc8c1c13e412b8f89507f4f1bb01cc06f560db3dafe4f6acfeec00473b19fb34
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGrldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012328-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013413-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012328-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012328-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012328-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012328-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98535788-A4AD-4c86-8B3D-3A63284288F8}\stubpath = "C:\\Windows\\{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe"	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}	{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}	{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98535788-A4AD-4c86-8B3D-3A63284288F8}	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A30804-CC77-4774-A2F1-8E007508B7B5}	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}	{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}\stubpath = "C:\\Windows\\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe"	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1E1A57-0DC0-470c-A263-8202BA546451}	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}\stubpath = "C:\\Windows\\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe"	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}\stubpath = "C:\\Windows\\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe"	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}\stubpath = "C:\\Windows\\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe"	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1E1A57-0DC0-470c-A263-8202BA546451}\stubpath = "C:\\Windows\\{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe"	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A30804-CC77-4774-A2F1-8E007508B7B5}\stubpath = "C:\\Windows\\{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe"	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}\stubpath = "C:\\Windows\\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe"	{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}\stubpath = "C:\\Windows\\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe"	{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}\stubpath = "C:\\Windows\\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}.exe"	{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}\stubpath = "C:\\Windows\\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe"	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe
2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
1676	{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
2060	{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
1156	{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe
488	{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe	{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
File created	C:\Windows\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe	{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
File created	C:\Windows\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}.exe	{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe
File created	C:\Windows\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
File created	C:\Windows\{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
File created	C:\Windows\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
File created	C:\Windows\{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
File created	C:\Windows\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
File created	C:\Windows\{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
File created	C:\Windows\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe
File created	C:\Windows\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe
Token: SeIncBasePriorityPrivilege	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
Token: SeIncBasePriorityPrivilege	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
Token: SeIncBasePriorityPrivilege	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
Token: SeIncBasePriorityPrivilege	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
Token: SeIncBasePriorityPrivilege	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
Token: SeIncBasePriorityPrivilege	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
Token: SeIncBasePriorityPrivilege	1676	{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
Token: SeIncBasePriorityPrivilege	2060	{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
Token: SeIncBasePriorityPrivilege	1156	{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2960	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	28
PID 1940 wrote to memory of 2960	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	28
PID 1940 wrote to memory of 2960	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	28
PID 1940 wrote to memory of 2960	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	28
PID 1940 wrote to memory of 2836	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	29
PID 1940 wrote to memory of 2836	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	29
PID 1940 wrote to memory of 2836	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	29
PID 1940 wrote to memory of 2836	1940	2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe	29
PID 2960 wrote to memory of 2660	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	30
PID 2960 wrote to memory of 2660	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	30
PID 2960 wrote to memory of 2660	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	30
PID 2960 wrote to memory of 2660	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	30
PID 2960 wrote to memory of 2600	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	31
PID 2960 wrote to memory of 2600	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	31
PID 2960 wrote to memory of 2600	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	31
PID 2960 wrote to memory of 2600	2960	{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe	31
PID 2660 wrote to memory of 2708	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	32
PID 2660 wrote to memory of 2708	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	32
PID 2660 wrote to memory of 2708	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	32
PID 2660 wrote to memory of 2708	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	32
PID 2660 wrote to memory of 2472	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	33
PID 2660 wrote to memory of 2472	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	33
PID 2660 wrote to memory of 2472	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	33
PID 2660 wrote to memory of 2472	2660	{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe	33
PID 2708 wrote to memory of 3012	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	36
PID 2708 wrote to memory of 3012	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	36
PID 2708 wrote to memory of 3012	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	36
PID 2708 wrote to memory of 3012	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	36
PID 2708 wrote to memory of 2108	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	37
PID 2708 wrote to memory of 2108	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	37
PID 2708 wrote to memory of 2108	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	37
PID 2708 wrote to memory of 2108	2708	{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe	37
PID 3012 wrote to memory of 2776	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	38
PID 3012 wrote to memory of 2776	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	38
PID 3012 wrote to memory of 2776	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	38
PID 3012 wrote to memory of 2776	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	38
PID 3012 wrote to memory of 2764	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	39
PID 3012 wrote to memory of 2764	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	39
PID 3012 wrote to memory of 2764	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	39
PID 3012 wrote to memory of 2764	3012	{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe	39
PID 2776 wrote to memory of 1856	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	40
PID 2776 wrote to memory of 1856	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	40
PID 2776 wrote to memory of 1856	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	40
PID 2776 wrote to memory of 1856	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	40
PID 2776 wrote to memory of 1428	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	41
PID 2776 wrote to memory of 1428	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	41
PID 2776 wrote to memory of 1428	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	41
PID 2776 wrote to memory of 1428	2776	{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe	41
PID 1856 wrote to memory of 2160	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	42
PID 1856 wrote to memory of 2160	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	42
PID 1856 wrote to memory of 2160	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	42
PID 1856 wrote to memory of 2160	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	42
PID 1856 wrote to memory of 2360	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	43
PID 1856 wrote to memory of 2360	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	43
PID 1856 wrote to memory of 2360	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	43
PID 1856 wrote to memory of 2360	1856	{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe	43
PID 2160 wrote to memory of 1676	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	44
PID 2160 wrote to memory of 1676	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	44
PID 2160 wrote to memory of 1676	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	44
PID 2160 wrote to memory of 1676	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	44
PID 2160 wrote to memory of 2200	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	45
PID 2160 wrote to memory of 2200	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	45
PID 2160 wrote to memory of 2200	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	45
PID 2160 wrote to memory of 2200	2160	{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_ebe05313c99422f99c79c14da6cff5d9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe
  C:\Windows\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
    C:\Windows\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
      C:\Windows\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
        
        C:\Windows\{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
        
        C:\Windows\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
        
        C:\Windows\{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
        
        C:\Windows\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
        
        C:\Windows\{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
        
        C:\Windows\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe
        
        C:\Windows\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}.exe
        
        C:\Windows\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}.exe
        12⤵
        Executes dropped EXE
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA80D~1.EXE > nul
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3817B~1.EXE > nul
        11⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A30~1.EXE > nul
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7F65~1.EXE > nul
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98535~1.EXE > nul
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1148~1.EXE > nul
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B1E1~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB8C~1.EXE > nul
        5⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA54~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B668~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17A30804-CC77-4774-A2F1-8E007508B7B5}.exe

Filesize
408KB

MD5
6b9dc793682bc2ac2bc30190a84f7cbb

SHA1
4400b4918773d2667be8f42563e74fc9fc105a63

SHA256
b64a8e9020c5b266c026581b03b493e69fe75f9f68dd2a5be5b10df575346268

SHA512
cf6bf8576ce324a3ac2ce824eced279332de8afd2590e6fb01167f212c99b67272ca8bade8483e6c667b07a3bab2472aaa7a6440f803831c1379b88d8d99f7b6

Download Submit
C:\Windows\{1C987531-E69D-42ca-8FEB-6FE5017EBC1C}.exe

Filesize
408KB

MD5
1a64a2bb6fab6d778700501255aa3cbe

SHA1
45d1b70b5c5a5baa6257671bb6f4b28e349ec202

SHA256
ae709573a7cb93ef98bb86f91d42a993e8d58aafe7c6928a2da98e39cb2dd893

SHA512
4cf3cf6daec90be3d78cca8989b90b89ee52c0826ac9784c660230402f94a65b692477ccfd41aa7527146c0ad9c2d10860ea70e4f43809e8e4d46b6416351f27

Download Submit
C:\Windows\{2B6689B6-34AB-4c8b-BDE9-7E7124CD47FC}.exe

Filesize
408KB

MD5
338aca5fbbda00a531febfb68fedd365

SHA1
f4c94edd90dea1fb1c4660f25c25f4819d8478ec

SHA256
11dc5c8cfb1bfc8472f9d1c723f3b5ef13d0319ee1b0225ee562f27988e287d2

SHA512
dda807db716a18455f486c7bd119b61f86640bce635ce10c37ba30ae04df9c65cccb37a9ff04c7499e1adbcd4eccfdc9d7b16e1f436bb20c9915b18e81f45d35

Download Submit
C:\Windows\{3817B9EE-E261-4b76-9DE9-E902D6E863C1}.exe

Filesize
408KB

MD5
4ba03b5cc30c61490533f01c937e0db3

SHA1
79c98d514c30cf56c86b4015d3e0a00e9e228011

SHA256
0196207eae7a38bd06c0d1e80155f8fb8b0b92d05e6764914872126b162fc43e

SHA512
c401d5d11873784fe4c96e378e7978a8a754a49a87fc0d54339e9067d8dfd8523dc69a8e4007c955d185955ccfc51c01beaa3f4391227d80ef5409eefa4163f1

Download Submit
C:\Windows\{5B1E1A57-0DC0-470c-A263-8202BA546451}.exe

Filesize
408KB

MD5
e30087f4f3a06a900822a9a4d3b6d25c

SHA1
56d7d3f7e8c38f7163cb2abc6e96b1e63d957952

SHA256
e9f2d44cc0bd615a7f52b041bff6f9278f6ba50f01cb7045cf2d4de5f981c7c2

SHA512
ee36f3f6205bf3eb9ca4146555d9ba7e877d25567d6b849edd20942f91a8ae4ab308de2c4287efe79e43c5c37296d6bd4f37e28be416f2981b40b5fb28dbbb39

Download Submit
C:\Windows\{98535788-A4AD-4c86-8B3D-3A63284288F8}.exe

Filesize
408KB

MD5
41a197cc16cb783ab210b6bd4b4652e8

SHA1
adb277c4e2f96f8734ce484bed74a4a5f3174a8a

SHA256
49e0ff6bc460e298e760cb1ac121f1894db84caa94d49d4e6762d40feb613873

SHA512
95e42668d997367c5fdfe15054f5c4a5705f6ca23c2cde2dd1bac5de6ecb0ff667014c084c7f19d4d555022cea4d1693c820c3926f223e36284118cb4540233a

Download Submit
C:\Windows\{A1148662-9B0F-42c5-BF5A-6826ADAFBF1A}.exe

Filesize
408KB

MD5
c5c8f544fb60e5311a9462f8605ea177

SHA1
62f1205b41ffee49603fba583f15ef256ec47d0b

SHA256
b00b83ff56ea4ba1222a247556bd9fffbe882a636c98b7f2e88f52beb8d2d13c

SHA512
415d4958bcb5b0fa26dd2f24a98aa7c905d13bdf82c2acde202111f440e7f4f528a5e8229714ccde55bbe9d11c450ae5bacfce66ae6659f265cbbec68d46c305

Download Submit
C:\Windows\{AA80DB80-DA11-4d50-A8DF-2F0E13645148}.exe

Filesize
408KB

MD5
accd63826a86447c41812f437728e9a3

SHA1
f406cab83389bd2ee11c5fafa676d1d9436f407c

SHA256
85057ee3ad0789907d9f49e6fb34f421a213e5d1aeba930589171b3a93e59cd8

SHA512
aa0379206e4b72ed447920d2bcab50ae823c42c22f20ff1a5699a7cc851583b9a86a21333a8c447be29dd5ce140442d853f5647e12ce02c5abfdc7505492c0d3

Download Submit
C:\Windows\{BFB8C6CF-B399-4931-A198-9CE1C7018FAC}.exe

Filesize
408KB

MD5
d7d0711111d8792a265e37204dbdc353

SHA1
728c14b825c09166218469d802ba2148f26e0609

SHA256
14d281d11f438d7ad74d184124e6fceacc3587a0e206d4668afda7f5def17be4

SHA512
ef1435b742083a83c269a1accbd59057dc24c44edf51be650572946c9f5d3c76c80b165583ffdf8dc331cb18103af4bbcbaf65e652681ddfb7e84e7011232f86

Download Submit
C:\Windows\{CCA54D3D-D2F3-430b-997D-FF7DB9222A4F}.exe

Filesize
408KB

MD5
5e6a984c47be37f385b20c4f3e09d83c

SHA1
46c2e10fe0d2bcc2c7c20ca48f6df735f907b524

SHA256
118f4dab07758002c86104538d80355183d57cab0c3d2f9ec79d7ed10ae802ea

SHA512
ba6169b0030c7a13225788fa7fc45351d82ca0df2c623eece52342a4586d573fa8a6cc738c57a8ffcc9110fc98a89ada0026ac09ef2f4020b7025e532cac89bc

Download Submit
C:\Windows\{D7F65BBD-4455-43fd-920B-44EA5B6C518F}.exe

Filesize
408KB

MD5
f9a3f6a61ae198e6f745c8d895eb6111

SHA1
74d2a97258c3e302fd1299e3b163f96a41e7cc99

SHA256
2f378eae0aed817d2ed4021b4022f23f3e5e3ba3c63df2dc8c318087152e0314

SHA512
863f1aa7216434b67d29605ae26b9db5603d7218ec72f7256846c721c1f889ddb8eed32094a7532f3d08952b46009bd2a5cd7ad6b770b043344991d86a7f2da6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads