ed101167245ff40adbd54e09a3c24f8c1937f2a4a0d525bbaf71c3ebb040fb8a

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Size

180KB
MD5

90a75baad13f1d2ed66626c86be3297f
SHA1

a21dc5bd5a09d0c5c7c5a7cdfef58d0a0f8914f6
SHA256

ed101167245ff40adbd54e09a3c24f8c1937f2a4a0d525bbaf71c3ebb040fb8a
SHA512

400d6528217193aa32db66a5bc207b740b664dc9dd4cb5f061b617914437be2d92e64a4d7d3a26366ea5f48e8827170a8f107e9fa81dd1f6289c057f9c001739
SSDEEP

3072:jEGh0owlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012247-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122d1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122d1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122d1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122d1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122d1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE80E243-F7C5-4751-9419-24101F40BEED}\stubpath = "C:\\Windows\\{BE80E243-F7C5-4751-9419-24101F40BEED}.exe"	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD1E181C-989A-4013-9083-6CF2348CF072}	{89047988-E759-4831-8B53-7D51998864E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}\stubpath = "C:\\Windows\\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe"	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278DC5AE-A982-4589-9D5E-23922BADBB0F}	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278DC5AE-A982-4589-9D5E-23922BADBB0F}\stubpath = "C:\\Windows\\{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe"	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C8672E-89A1-4d47-9514-494174642EC1}	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89047988-E759-4831-8B53-7D51998864E4}	{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}\stubpath = "C:\\Windows\\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}.exe"	{AD1E181C-989A-4013-9083-6CF2348CF072}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}\stubpath = "C:\\Windows\\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe"	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D19E5678-814B-40c6-8DCC-95A5608B8B11}	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}\stubpath = "C:\\Windows\\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe"	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}\stubpath = "C:\\Windows\\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe"	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE80E243-F7C5-4751-9419-24101F40BEED}	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}	{AD1E181C-989A-4013-9083-6CF2348CF072}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D19E5678-814B-40c6-8DCC-95A5608B8B11}\stubpath = "C:\\Windows\\{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe"	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C8672E-89A1-4d47-9514-494174642EC1}\stubpath = "C:\\Windows\\{A7C8672E-89A1-4d47-9514-494174642EC1}.exe"	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89047988-E759-4831-8B53-7D51998864E4}\stubpath = "C:\\Windows\\{89047988-E759-4831-8B53-7D51998864E4}.exe"	{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD1E181C-989A-4013-9083-6CF2348CF072}\stubpath = "C:\\Windows\\{AD1E181C-989A-4013-9083-6CF2348CF072}.exe"	{89047988-E759-4831-8B53-7D51998864E4}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
2692	{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
1588	{89047988-E759-4831-8B53-7D51998864E4}.exe
3028	{AD1E181C-989A-4013-9083-6CF2348CF072}.exe
2156	{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
File created	C:\Windows\{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
File created	C:\Windows\{A7C8672E-89A1-4d47-9514-494174642EC1}.exe	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
File created	C:\Windows\{89047988-E759-4831-8B53-7D51998864E4}.exe	{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
File created	C:\Windows\{AD1E181C-989A-4013-9083-6CF2348CF072}.exe	{89047988-E759-4831-8B53-7D51998864E4}.exe
File created	C:\Windows\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
File created	C:\Windows\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
File created	C:\Windows\{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
File created	C:\Windows\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
File created	C:\Windows\{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
File created	C:\Windows\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}.exe	{AD1E181C-989A-4013-9083-6CF2348CF072}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
Token: SeIncBasePriorityPrivilege	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
Token: SeIncBasePriorityPrivilege	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
Token: SeIncBasePriorityPrivilege	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
Token: SeIncBasePriorityPrivilege	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
Token: SeIncBasePriorityPrivilege	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
Token: SeIncBasePriorityPrivilege	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
Token: SeIncBasePriorityPrivilege	2692	{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
Token: SeIncBasePriorityPrivilege	1588	{89047988-E759-4831-8B53-7D51998864E4}.exe
Token: SeIncBasePriorityPrivilege	3028	{AD1E181C-989A-4013-9083-6CF2348CF072}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1072	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	28
PID 2700 wrote to memory of 1072	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	28
PID 2700 wrote to memory of 1072	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	28
PID 2700 wrote to memory of 1072	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	28
PID 2700 wrote to memory of 2540	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	29
PID 2700 wrote to memory of 2540	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	29
PID 2700 wrote to memory of 2540	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	29
PID 2700 wrote to memory of 2540	2700	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	29
PID 1072 wrote to memory of 2680	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	32
PID 1072 wrote to memory of 2680	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	32
PID 1072 wrote to memory of 2680	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	32
PID 1072 wrote to memory of 2680	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	32
PID 1072 wrote to memory of 2388	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	33
PID 1072 wrote to memory of 2388	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	33
PID 1072 wrote to memory of 2388	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	33
PID 1072 wrote to memory of 2388	1072	{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe	33
PID 2680 wrote to memory of 2244	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	34
PID 2680 wrote to memory of 2244	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	34
PID 2680 wrote to memory of 2244	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	34
PID 2680 wrote to memory of 2244	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	34
PID 2680 wrote to memory of 2372	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	35
PID 2680 wrote to memory of 2372	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	35
PID 2680 wrote to memory of 2372	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	35
PID 2680 wrote to memory of 2372	2680	{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe	35
PID 2244 wrote to memory of 2992	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	36
PID 2244 wrote to memory of 2992	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	36
PID 2244 wrote to memory of 2992	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	36
PID 2244 wrote to memory of 2992	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	36
PID 2244 wrote to memory of 2336	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	37
PID 2244 wrote to memory of 2336	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	37
PID 2244 wrote to memory of 2336	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	37
PID 2244 wrote to memory of 2336	2244	{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe	37
PID 2992 wrote to memory of 1248	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	38
PID 2992 wrote to memory of 1248	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	38
PID 2992 wrote to memory of 1248	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	38
PID 2992 wrote to memory of 1248	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	38
PID 2992 wrote to memory of 864	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	39
PID 2992 wrote to memory of 864	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	39
PID 2992 wrote to memory of 864	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	39
PID 2992 wrote to memory of 864	2992	{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe	39
PID 1248 wrote to memory of 2584	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	40
PID 1248 wrote to memory of 2584	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	40
PID 1248 wrote to memory of 2584	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	40
PID 1248 wrote to memory of 2584	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	40
PID 1248 wrote to memory of 2572	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	41
PID 1248 wrote to memory of 2572	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	41
PID 1248 wrote to memory of 2572	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	41
PID 1248 wrote to memory of 2572	1248	{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe	41
PID 2584 wrote to memory of 1668	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	42
PID 2584 wrote to memory of 1668	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	42
PID 2584 wrote to memory of 1668	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	42
PID 2584 wrote to memory of 1668	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	42
PID 2584 wrote to memory of 1928	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	43
PID 2584 wrote to memory of 1928	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	43
PID 2584 wrote to memory of 1928	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	43
PID 2584 wrote to memory of 1928	2584	{BE80E243-F7C5-4751-9419-24101F40BEED}.exe	43
PID 1668 wrote to memory of 2692	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	44
PID 1668 wrote to memory of 2692	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	44
PID 1668 wrote to memory of 2692	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	44
PID 1668 wrote to memory of 2692	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	44
PID 1668 wrote to memory of 636	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	45
PID 1668 wrote to memory of 636	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	45
PID 1668 wrote to memory of 636	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	45
PID 1668 wrote to memory of 636	1668	{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
  C:\Windows\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
    C:\Windows\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
      C:\Windows\{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
        
        C:\Windows\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
        
        C:\Windows\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
        
        C:\Windows\{BE80E243-F7C5-4751-9419-24101F40BEED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
        
        C:\Windows\{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
        
        C:\Windows\{A7C8672E-89A1-4d47-9514-494174642EC1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{89047988-E759-4831-8B53-7D51998864E4}.exe
        
        C:\Windows\{89047988-E759-4831-8B53-7D51998864E4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{AD1E181C-989A-4013-9083-6CF2348CF072}.exe
        
        C:\Windows\{AD1E181C-989A-4013-9083-6CF2348CF072}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}.exe
        
        C:\Windows\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD1E1~1.EXE > nul
        12⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89047~1.EXE > nul
        11⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C86~1.EXE > nul
        10⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{278DC~1.EXE > nul
        9⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE80E~1.EXE > nul
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E01D~1.EXE > nul
        7⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA1D2~1.EXE > nul
        6⤵
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D19E5~1.EXE > nul
        5⤵
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CBF59~1.EXE > nul
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DAF2~1.EXE > nul
    3⤵
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{278DC5AE-A982-4589-9D5E-23922BADBB0F}.exe

Filesize
180KB

MD5
b4cc7b7f672726b24a6259969400491b

SHA1
06197a1e64df825cecaee398113335b08ab170eb

SHA256
71e97179804ed65e7e48a7a9ad442268f0fcf717cd249fea6f4eb4c4472f97e9

SHA512
8697b7bee2b67419d88528b876d09e4ce17d0940a43c4906e2873712e82ef2759f53c882d419af45bd1e8609a0049409040d595b0d0127e1bd70188ddc55a5e1

Download Submit
C:\Windows\{3DAF2DA0-41F0-4b8a-90E7-58C973C60E3A}.exe

Filesize
180KB

MD5
37c2554dc0f98ef0f2f40999474d4db7

SHA1
82d9ad089670c51ec3d62478cea6ebf268346c86

SHA256
f42fcd170f469d1abf383107a2eaf0a837d52a6a827779ccd9cff903d2f82b3e

SHA512
8d589de280970bbe79ab48dd2fdf9d94ce84dd8e633a06d95a35d44541d45ab6120afd6b1678bcc27db0159029bc981c0f49638540dd4545d1c710db9c4687cd

Download Submit
C:\Windows\{6E01D566-BD15-4b30-AB96-6C7DDD0E471C}.exe

Filesize
180KB

MD5
2e91a2ca9f2073ace987e3952205974e

SHA1
87cd0fa9d1edd03523782fb7f9621745b5bedcb2

SHA256
8c31f6cbdbec4606e261f33615b172ce94c3bb4779e5aae070e9cf0009765330

SHA512
2358afe063b2db7f2756ceb95aeae58755213795b9e2badfa50c4c0aa9458a4aaeb1e708c1fdf80baf727bc5f224f561561143e7b1ea078925f5f38d835c554f

Download Submit
C:\Windows\{89047988-E759-4831-8B53-7D51998864E4}.exe

Filesize
180KB

MD5
40745087d2a720345a169d68dcb2ad2c

SHA1
11def0870d2abc0e19f46129e3944d4c0f2f9b3f

SHA256
f1b3dbacddc24af9aa1bb36bb8b413109e756c2d49099ee06eec1532dab16336

SHA512
4465f1e7911439a74a527c0030cab4dc5bdf6f9c4e150a9bc68885796b6c260aa84a931c066089024ef770593a66a37fe0992751bb3a5595cff5898579b07f21

Download Submit
C:\Windows\{A7C8672E-89A1-4d47-9514-494174642EC1}.exe

Filesize
180KB

MD5
3ff5594ef2c6ecd846896b0d1603edfd

SHA1
10e62963bd5acb903315eea12dae7c980fe3bc9d

SHA256
1883b3a29ff920a9bf9ced2388c69a2f86e7e3f3fc8ae272b1c9226716af0a3a

SHA512
edfd0dada5b7a76ed8802192fc796a8e19ee14bafe941d640fe815d1c74dda2baf551dda133befb64b270cdb3e56d6065c0c9f92325083fe3cf6a702f62f01da

Download Submit
C:\Windows\{AD1E181C-989A-4013-9083-6CF2348CF072}.exe

Filesize
180KB

MD5
86210833df45e887b266e40ff53cea0b

SHA1
9b9777f8468d371febca8a4370530783f4639c3d

SHA256
f433e8fccad0841fd6d91665c5100d03616de4af96bdca2b466b341685cf1f6f

SHA512
c096c0d8f5a169b80a4c74de6a759c6f134dba1230b37d83af5f9fd37dff08b73e84f377cb1ba2eaa0eef79b6e401f27875fb9b9def443230e54daf861e04956

Download Submit
C:\Windows\{BE80E243-F7C5-4751-9419-24101F40BEED}.exe

Filesize
180KB

MD5
2fbe741f68cc4e3741d34cfeb45b1cd2

SHA1
4b3ea653c28345e892cbda73bf94568e378f2580

SHA256
ff3719c2096c5b3ff7d785d7ff581d98986a7f494265567a816d9b8656896e7b

SHA512
fbbdc4c6a34aaad94bf2d8372e0462bb09a464bb1f427a7ae2301d7304e0e7ffcfe4570ccccb1375d6ce6e2ab3b2daf6c079ffd310eb5ac1b83104efbb0b6ecf

Download Submit
C:\Windows\{CA1D229F-E600-4b2c-8F1D-B6BA7AB5B78E}.exe

Filesize
180KB

MD5
00fe961d4aac4bf3f1b3f6f9a430674f

SHA1
33db83d0fb3b6795692b82ffe1322f16b3832780

SHA256
3870e91560d910e04b5be78bf11cbf4e5df73aed9894403713924d77ed66988b

SHA512
027e085e5ea2b2345186a111f21162f23440f12ccc60947e3531cf275640b9803e20da73dc13bdbb7a86818a4a371a2d886f4a7a25023b34834eaedf9465c34f

Download Submit
C:\Windows\{CBF599DA-BDEF-4f19-BCC2-E8C7DADFF285}.exe

Filesize
180KB

MD5
10934be31845f93ca960828d40e20297

SHA1
c5a0e5cdcbaac19ae39556dbe6b65adc9fb42cbc

SHA256
9b73284e24de9ffbe030e7e6f107ec27ccb4ab0011da99ab40aeaf99782d4dbd

SHA512
4d4cc67248d1ff740448b6536e71255e5905e0a19faf4cd4d5473452968efe96cbf2af2c455d05a624da9105b75da0db85f550870e392f33cd344c6ba145a0b7

Download Submit
C:\Windows\{D19E5678-814B-40c6-8DCC-95A5608B8B11}.exe

Filesize
180KB

MD5
d1a4d1a41bad43bcb1e3ddd0ed59418e

SHA1
cfd15b1ee99e8f4b3a1d4c64510d5bc9ec4db18c

SHA256
4a36d9422fcc2338d10e9f8cc044c6600c499ee3c7daff3f40b2391da05d9fb2

SHA512
a8dde8bb62abe310ad6a38172f698da4703d1eac484a719f79af72c99aaeef504f224a135864a3476ee500326b6869bc34393e7ca88f7a771f71720e1593b141

Download Submit
C:\Windows\{E04F9E3E-C02E-4a32-BF66-07EFAA20D9CA}.exe

Filesize
180KB

MD5
0713502083e5c5c38fefc17338b4fe70

SHA1
7341f18169cf19448e14b31e2e9054a094e38f3b

SHA256
678ab380f0edeb72e2b6021e7196c9799462b64a069b9fb8c0ba064cc4bf3ec1

SHA512
6e1cb93818aac2f1e6a1db359d34d72b14889e98669595c3a3ea210de91a684d83005bf3dba28f2e6e3e5c0d0398c8136bb846fa0063a511518130834bfecf7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads