a2b3b7c4dcc332bd910937660d08c5d296e9f3be070388d9e343aec08311281e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 13:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe
Size

408KB
MD5

056fe0ab859db0cad15350b15439695c
SHA1

655735f4b8ca01ba285ff5f636c2405caa09c7d6
SHA256

a2b3b7c4dcc332bd910937660d08c5d296e9f3be070388d9e343aec08311281e
SHA512

a465934a0d7891341fee6306c4c898bbad73d2d49a95c465a4ab45e04f29385fd7f791e5ed5b9df242c0b752c9dafb6228b2dc138b7a30e541ea60b112e48adb
SSDEEP

3072:CEGh0ojl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012253-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001230f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001230f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001230f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001230f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001230f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}\stubpath = "C:\\Windows\\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe"	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}\stubpath = "C:\\Windows\\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe"	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1943566F-1347-4a72-837A-75935B2932EE}	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{235B740E-7E78-4645-A01F-5CC0D05DD691}	{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{235B740E-7E78-4645-A01F-5CC0D05DD691}\stubpath = "C:\\Windows\\{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe"	{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}\stubpath = "C:\\Windows\\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe"	{1943566F-1347-4a72-837A-75935B2932EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}	{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}\stubpath = "C:\\Windows\\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe"	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59D7D80F-740E-4659-903A-0041A7F821FC}	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}	{1943566F-1347-4a72-837A-75935B2932EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}\stubpath = "C:\\Windows\\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe"	{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB61F560-92F5-4226-9951-27DF09616AB5}\stubpath = "C:\\Windows\\{FB61F560-92F5-4226-9951-27DF09616AB5}.exe"	{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542F3511-56AF-4d4c-BCC3-032818700B66}	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542F3511-56AF-4d4c-BCC3-032818700B66}\stubpath = "C:\\Windows\\{542F3511-56AF-4d4c-BCC3-032818700B66}.exe"	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}\stubpath = "C:\\Windows\\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe"	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59D7D80F-740E-4659-903A-0041A7F821FC}\stubpath = "C:\\Windows\\{59D7D80F-740E-4659-903A-0041A7F821FC}.exe"	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1943566F-1347-4a72-837A-75935B2932EE}\stubpath = "C:\\Windows\\{1943566F-1347-4a72-837A-75935B2932EE}.exe"	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB61F560-92F5-4226-9951-27DF09616AB5}	{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe
320	{1943566F-1347-4a72-837A-75935B2932EE}.exe
2044	{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
2760	{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
1940	{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe
1416	{FB61F560-92F5-4226-9951-27DF09616AB5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
File created	C:\Windows\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
File created	C:\Windows\{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe	{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
File created	C:\Windows\{FB61F560-92F5-4226-9951-27DF09616AB5}.exe	{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe
File created	C:\Windows\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe	{1943566F-1347-4a72-837A-75935B2932EE}.exe
File created	C:\Windows\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe	{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
File created	C:\Windows\{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe
File created	C:\Windows\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
File created	C:\Windows\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
File created	C:\Windows\{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
File created	C:\Windows\{1943566F-1347-4a72-837A-75935B2932EE}.exe	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
Token: SeIncBasePriorityPrivilege	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
Token: SeIncBasePriorityPrivilege	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
Token: SeIncBasePriorityPrivilege	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
Token: SeIncBasePriorityPrivilege	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
Token: SeIncBasePriorityPrivilege	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe
Token: SeIncBasePriorityPrivilege	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe
Token: SeIncBasePriorityPrivilege	2044	{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
Token: SeIncBasePriorityPrivilege	2760	{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
Token: SeIncBasePriorityPrivilege	1940	{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1936	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	28
PID 2276 wrote to memory of 1936	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	28
PID 2276 wrote to memory of 1936	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	28
PID 2276 wrote to memory of 1936	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	28
PID 2276 wrote to memory of 3024	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	29
PID 2276 wrote to memory of 3024	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	29
PID 2276 wrote to memory of 3024	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	29
PID 2276 wrote to memory of 3024	2276	2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe	29
PID 1936 wrote to memory of 2484	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	30
PID 1936 wrote to memory of 2484	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	30
PID 1936 wrote to memory of 2484	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	30
PID 1936 wrote to memory of 2484	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	30
PID 1936 wrote to memory of 2512	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	31
PID 1936 wrote to memory of 2512	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	31
PID 1936 wrote to memory of 2512	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	31
PID 1936 wrote to memory of 2512	1936	{542F3511-56AF-4d4c-BCC3-032818700B66}.exe	31
PID 2484 wrote to memory of 2564	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	32
PID 2484 wrote to memory of 2564	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	32
PID 2484 wrote to memory of 2564	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	32
PID 2484 wrote to memory of 2564	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	32
PID 2484 wrote to memory of 2464	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	33
PID 2484 wrote to memory of 2464	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	33
PID 2484 wrote to memory of 2464	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	33
PID 2484 wrote to memory of 2464	2484	{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe	33
PID 2564 wrote to memory of 2428	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	34
PID 2564 wrote to memory of 2428	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	34
PID 2564 wrote to memory of 2428	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	34
PID 2564 wrote to memory of 2428	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	34
PID 2564 wrote to memory of 2888	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	35
PID 2564 wrote to memory of 2888	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	35
PID 2564 wrote to memory of 2888	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	35
PID 2564 wrote to memory of 2888	2564	{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe	35
PID 2428 wrote to memory of 2680	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	38
PID 2428 wrote to memory of 2680	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	38
PID 2428 wrote to memory of 2680	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	38
PID 2428 wrote to memory of 2680	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	38
PID 2428 wrote to memory of 1756	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	39
PID 2428 wrote to memory of 1756	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	39
PID 2428 wrote to memory of 1756	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	39
PID 2428 wrote to memory of 1756	2428	{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe	39
PID 2680 wrote to memory of 304	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	40
PID 2680 wrote to memory of 304	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	40
PID 2680 wrote to memory of 304	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	40
PID 2680 wrote to memory of 304	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	40
PID 2680 wrote to memory of 1976	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	41
PID 2680 wrote to memory of 1976	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	41
PID 2680 wrote to memory of 1976	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	41
PID 2680 wrote to memory of 1976	2680	{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe	41
PID 304 wrote to memory of 320	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	42
PID 304 wrote to memory of 320	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	42
PID 304 wrote to memory of 320	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	42
PID 304 wrote to memory of 320	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	42
PID 304 wrote to memory of 1148	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	43
PID 304 wrote to memory of 1148	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	43
PID 304 wrote to memory of 1148	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	43
PID 304 wrote to memory of 1148	304	{59D7D80F-740E-4659-903A-0041A7F821FC}.exe	43
PID 320 wrote to memory of 2044	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	44
PID 320 wrote to memory of 2044	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	44
PID 320 wrote to memory of 2044	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	44
PID 320 wrote to memory of 2044	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	44
PID 320 wrote to memory of 2012	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	45
PID 320 wrote to memory of 2012	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	45
PID 320 wrote to memory of 2012	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	45
PID 320 wrote to memory of 2012	320	{1943566F-1347-4a72-837A-75935B2932EE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_056fe0ab859db0cad15350b15439695c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
  C:\Windows\{542F3511-56AF-4d4c-BCC3-032818700B66}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
    C:\Windows\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
      C:\Windows\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
        
        C:\Windows\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
        
        C:\Windows\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{59D7D80F-740E-4659-903A-0041A7F821FC}.exe
        
        C:\Windows\{59D7D80F-740E-4659-903A-0041A7F821FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\{1943566F-1347-4a72-837A-75935B2932EE}.exe
        
        C:\Windows\{1943566F-1347-4a72-837A-75935B2932EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
        
        C:\Windows\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
        
        C:\Windows\{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe
        
        C:\Windows\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{FB61F560-92F5-4226-9951-27DF09616AB5}.exe
        
        C:\Windows\{FB61F560-92F5-4226-9951-27DF09616AB5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE43~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{235B7~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FDC9~1.EXE > nul
        10⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19435~1.EXE > nul
        9⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59D7D~1.EXE > nul
        8⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C92B~1.EXE > nul
        7⤵
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA9BE~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B84D9~1.EXE > nul
        5⤵
        
        PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA79D~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{542F3~1.EXE > nul
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CE43617-BBE5-4117-B9BE-9D32EE15B1DF}.exe

Filesize
408KB

MD5
18124da870b6e21ddecab31dc62dc668

SHA1
82e96104569b03dc24aaf2bb1d5356ac3fea3bd7

SHA256
5fbe57f63e1d67b0f2a8aec3c10ad73025ca447a52df2ea02507071303c26c44

SHA512
0ebe7a1f637ec335022f030d9c088d53d460cc55fcc2b2c90fdb43ba5437913766dca1a04a2eef9ca05a05751859a3706137bba4c80dadab90b95173a89c0ec1

Download Submit
C:\Windows\{1943566F-1347-4a72-837A-75935B2932EE}.exe

Filesize
408KB

MD5
4c9ba318823cf90c02e65d97d5f0da05

SHA1
93827a00e1d4ba23fae78f3a0aeb35ce849bf05f

SHA256
82e9c5e2d52ea800c9111a2aa491ebefd2c0938d852bcaaaa19949589a99af2b

SHA512
8733480c901391cf614b93135ec0f525d18ef953c8f03b515f1aa8a7996a4cac8e1220a0612d2da98fd820eb239d1766214bd231a1bd3baf6d695f6fa457c776

Download Submit
C:\Windows\{235B740E-7E78-4645-A01F-5CC0D05DD691}.exe

Filesize
408KB

MD5
daada13bf3852c09a8cf624d1b00a178

SHA1
d701c150bad07de7ee0370ec8d02fb637ba46b84

SHA256
ba8ed7a6a9a80ba870ef97c6897462a6da1b9718e1778ada075616386876555c

SHA512
45a52aed97a486334d8e2da0f0a5d8d28bddb55775b6dbdb7994e001dda6a2e5cb00b077da499bcdfbd7399585c29f9a34bb63076967a875b4eda1913954ae5a

Download Submit
C:\Windows\{4FDC9A6F-0F52-4d8b-9BB7-133ACC2533AB}.exe

Filesize
408KB

MD5
81126533688e5ae6e32f31fb34733ddb

SHA1
e35703aadade25461ddec31c197d0f9c8d738ecb

SHA256
265d6b08ffa8532c22c4b080592b5c3e8a1c23534508b9e66db4761676b8051b

SHA512
2077b48115d56b83cd70a8ec2f20573f44975b1bfcc6b821ebdce7841b4279016ebcb2921ba6b1dde7ac041c9fdf9302bb3833d9b379e444b79abd6447d2debf

Download Submit
C:\Windows\{542F3511-56AF-4d4c-BCC3-032818700B66}.exe

Filesize
408KB

MD5
f34fdfe1cf061006ada1c3a7a583b8fd

SHA1
9f2a9e90f94f9cfd0b3390cbcbaa8ecf0392d61d

SHA256
dabdde177beeaac611055b7af29fcb24d56a22c047b66a91f63804e868625828

SHA512
bc63a12e03a6874f977ec5e2305874d84287b3a4a820acf31fca05d31e9529a02cec7b76039283fb6f082f5b4a1e16d6fd822c8a96c5ea46ea43d231925ec3df

Download Submit
C:\Windows\{59D7D80F-740E-4659-903A-0041A7F821FC}.exe

Filesize
408KB

MD5
97c0ff332fa9695eda11f50095e7f06b

SHA1
e0716bcdcb895874c3f7e5729c901656e1ba0114

SHA256
ba69ab3aa7c0e66f74d1217172620edabd3ac85238a0a33d74b1584252d931a6

SHA512
ce60b1f8a864f3c987d065b8e1c8e2fc1eefb6173d1e03af2a09af739defa18d6d113f88e07c70606c61041e23678bd210c3051ff314c64bfafeedeaa95f6759

Download Submit
C:\Windows\{8C92BEC9-9C9A-4ce1-B1C5-457E13A291A2}.exe

Filesize
408KB

MD5
56c619947b9f519672012cb1860bf7cb

SHA1
ac321159005b50fa217110e9d5183e318adc1942

SHA256
864ed76037b0e18ccea90196785aaa5a87a9caf45b7c7b0d60045fcef0a3a388

SHA512
9c6f22303bdc2bffca73ec5180ddbad89d7d99f93a4dc9258bfe65f1d358345cc1cc789bda6f98936468758f2131bd370012a8fe96fafe7b07f20d97bc8e3cf4

Download Submit
C:\Windows\{AA79D12D-758D-4bfd-A6B6-3ACB0D1B478E}.exe

Filesize
408KB

MD5
00f326870a6cb55139aa723915cec689

SHA1
4439afd556094b0bf6c80e7e33914c1c2fd7ece4

SHA256
b20308808942f66b087b1eb918fde1eaaea5b7c53c58c17caa38184d649ec099

SHA512
c0c09d715bae441a08a48b74f743232be5ea0727198d13957c80a4c18714bf8515fa296e288b6040eeef317fa99d5cdf057fb706b71c1e67c15af9dfcf920929

Download Submit
C:\Windows\{B84D9162-4FFD-4e94-B2AA-2BECEC69115D}.exe

Filesize
408KB

MD5
0ee8557a9fb46e6407003657b7172e3b

SHA1
ad9be514e950298e849ee3710334d99e73b0ac93

SHA256
7c5ebda9788c1ebbc50f3de603b107fb75ccaed067edd39d6ae7bfcf8939a5d5

SHA512
70927293269326fac8d735ad48d827261a6f08a5c6d5bbebdab038d1b4c75ed3e4b37f5d868897abfc12c870812e032581b930d60d667f57ce6ce841e1cd1801

Download Submit
C:\Windows\{FA9BEA75-4BA7-4296-9B6E-2EE312C0A46E}.exe

Filesize
408KB

MD5
bdbd8203eb51211c69793cd8d311c099

SHA1
cf9e2fee46643186cb577c3cedefbab2c3c7e6b6

SHA256
cb989ffcdc6879434595ef34d9cd868bb5da61565bebbcf9d244f112fb33828d

SHA512
d00d22b8d7e9ad541a9b95a607eadaf5313b4e22bb09891e0b45d619f41fce410308f24b687e4abcfe8e900996e4b85f6af62cf1443e94e912754844959c7fcb

Download Submit
C:\Windows\{FB61F560-92F5-4226-9951-27DF09616AB5}.exe

Filesize
408KB

MD5
d6e544f06e6aecd204e7b522426af7c8

SHA1
37e5b3fa3106a1fd640f2468b59549e8fb04b8d1

SHA256
71b9acbbc379651eab53afa8b8ad55f929b5c42006604e8d3d2cc17c1233c658

SHA512
a431155a8302e4513719020a501890d7d4eb7ef9ebe7cce1713ab23f9674803059043b5535a1d6331db851c743b60780b43516aa4574a6e9cb038f5402757880

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads