abc31d23e379cc8053130d89f2d4f7ded490ed733df640ca0acb39f9713aa118

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 21:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe
Size

168KB
MD5

eb11ac323a4e478dfaf2e72fad063277
SHA1

de3dd681e77b8bd8ee022a1ecaadd274c8451608
SHA256

abc31d23e379cc8053130d89f2d4f7ded490ed733df640ca0acb39f9713aa118
SHA512

461ca65397877ec06ffc888e900af138f2b8262b37c9029ca934938fab96cdcd2ef843359d1fb2cce443d06a2d78044bd4faf717b1a420a008866e411ad7f7bc
SSDEEP

1536:1EGh0o+li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o+liOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122bf-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c85-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122bf-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015cd9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122bf-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122bf-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122bf-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}	{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}	{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8B1633-5912-471f-B7B9-E397AB191BAC}\stubpath = "C:\\Windows\\{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe"	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}\stubpath = "C:\\Windows\\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe"	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA31637-22FC-4b3a-8E78-102E363AB912}\stubpath = "C:\\Windows\\{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe"	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA31637-22FC-4b3a-8E78-102E363AB912}	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA58FA25-8475-4c28-9C33-129E4C85614D}	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}\stubpath = "C:\\Windows\\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe"	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}\stubpath = "C:\\Windows\\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe"	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8B1633-5912-471f-B7B9-E397AB191BAC}	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA58FA25-8475-4c28-9C33-129E4C85614D}\stubpath = "C:\\Windows\\{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe"	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}\stubpath = "C:\\Windows\\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe"	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}\stubpath = "C:\\Windows\\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe"	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}\stubpath = "C:\\Windows\\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe"	{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}	{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}\stubpath = "C:\\Windows\\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe"	{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}\stubpath = "C:\\Windows\\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}.exe"	{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe

Deletes itself 1 IoCs

pid	Process
856	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe
2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
308	{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
2508	{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe
684	{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe
472	{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
File created	C:\Windows\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
File created	C:\Windows\{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
File created	C:\Windows\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe
File created	C:\Windows\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
File created	C:\Windows\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe	{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
File created	C:\Windows\{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
File created	C:\Windows\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
File created	C:\Windows\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}.exe	{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe
File created	C:\Windows\{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe
File created	C:\Windows\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe	{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
Token: SeIncBasePriorityPrivilege	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
Token: SeIncBasePriorityPrivilege	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
Token: SeIncBasePriorityPrivilege	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
Token: SeIncBasePriorityPrivilege	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
Token: SeIncBasePriorityPrivilege	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe
Token: SeIncBasePriorityPrivilege	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
Token: SeIncBasePriorityPrivilege	308	{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
Token: SeIncBasePriorityPrivilege	2508	{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe
Token: SeIncBasePriorityPrivilege	684	{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1336	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	28
PID 2272 wrote to memory of 1336	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	28
PID 2272 wrote to memory of 1336	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	28
PID 2272 wrote to memory of 1336	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	28
PID 2272 wrote to memory of 856	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	29
PID 2272 wrote to memory of 856	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	29
PID 2272 wrote to memory of 856	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	29
PID 2272 wrote to memory of 856	2272	2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe	29
PID 1336 wrote to memory of 2548	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	30
PID 1336 wrote to memory of 2548	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	30
PID 1336 wrote to memory of 2548	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	30
PID 1336 wrote to memory of 2548	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	30
PID 1336 wrote to memory of 2608	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	31
PID 1336 wrote to memory of 2608	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	31
PID 1336 wrote to memory of 2608	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	31
PID 1336 wrote to memory of 2608	1336	{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe	31
PID 2548 wrote to memory of 2540	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	32
PID 2548 wrote to memory of 2540	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	32
PID 2548 wrote to memory of 2540	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	32
PID 2548 wrote to memory of 2540	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	32
PID 2548 wrote to memory of 2672	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	33
PID 2548 wrote to memory of 2672	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	33
PID 2548 wrote to memory of 2672	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	33
PID 2548 wrote to memory of 2672	2548	{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe	33
PID 2540 wrote to memory of 2472	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	36
PID 2540 wrote to memory of 2472	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	36
PID 2540 wrote to memory of 2472	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	36
PID 2540 wrote to memory of 2472	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	36
PID 2540 wrote to memory of 2796	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	37
PID 2540 wrote to memory of 2796	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	37
PID 2540 wrote to memory of 2796	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	37
PID 2540 wrote to memory of 2796	2540	{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe	37
PID 2472 wrote to memory of 1992	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	38
PID 2472 wrote to memory of 1992	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	38
PID 2472 wrote to memory of 1992	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	38
PID 2472 wrote to memory of 1992	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	38
PID 2472 wrote to memory of 1800	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	39
PID 2472 wrote to memory of 1800	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	39
PID 2472 wrote to memory of 1800	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	39
PID 2472 wrote to memory of 1800	2472	{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe	39
PID 1992 wrote to memory of 2136	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	40
PID 1992 wrote to memory of 2136	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	40
PID 1992 wrote to memory of 2136	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	40
PID 1992 wrote to memory of 2136	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	40
PID 1992 wrote to memory of 1836	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	41
PID 1992 wrote to memory of 1836	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	41
PID 1992 wrote to memory of 1836	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	41
PID 1992 wrote to memory of 1836	1992	{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe	41
PID 2136 wrote to memory of 2032	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	42
PID 2136 wrote to memory of 2032	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	42
PID 2136 wrote to memory of 2032	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	42
PID 2136 wrote to memory of 2032	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	42
PID 2136 wrote to memory of 2044	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	43
PID 2136 wrote to memory of 2044	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	43
PID 2136 wrote to memory of 2044	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	43
PID 2136 wrote to memory of 2044	2136	{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe	43
PID 2032 wrote to memory of 308	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	44
PID 2032 wrote to memory of 308	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	44
PID 2032 wrote to memory of 308	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	44
PID 2032 wrote to memory of 308	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	44
PID 2032 wrote to memory of 1596	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	45
PID 2032 wrote to memory of 1596	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	45
PID 2032 wrote to memory of 1596	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	45
PID 2032 wrote to memory of 1596	2032	{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_eb11ac323a4e478dfaf2e72fad063277_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
  C:\Windows\{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
    C:\Windows\{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
      C:\Windows\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
        
        C:\Windows\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
        
        C:\Windows\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe
        
        C:\Windows\{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
        
        C:\Windows\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
        
        C:\Windows\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
        
        C:\Windows\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe
        
        C:\Windows\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe
        
        C:\Windows\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}.exe
        
        C:\Windows\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}.exe
        12⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C2AE~1.EXE > nul
        12⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD67E~1.EXE > nul
        11⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D316~1.EXE > nul
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAD7C~1.EXE > nul
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA31~1.EXE > nul
        8⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0DE~1.EXE > nul
        7⤵
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C36B~1.EXE > nul
        6⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DE1A~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA58F~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8B1~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C36B0C6-6BEE-4523-A5AF-18CEE7AB720F}.exe

Filesize
168KB

MD5
bd8659855b979f3055dcc3a2b85692c4

SHA1
8c864374c8fd424afc8fcf3696a6e379cfe62a39

SHA256
11a6dade115645459e790aced831942a3514ac55fdbbfee0d59a0c32ea175a29

SHA512
aa08bd4ade9f853562bd82f33ff46433c7ab64ce474832a26639fe1b24235ab701ae820aae55d8079aa7e5544a34f723337a19e54f10f5a9446957820039175e

Download Submit
C:\Windows\{0E8B1633-5912-471f-B7B9-E397AB191BAC}.exe

Filesize
168KB

MD5
1acc93c2758dfcccd84ed370ccace5f7

SHA1
0905e2ce1dbd038311b3f6c1f027c4feb28e23b4

SHA256
6e0bf4238578d9a3ef8de56e782325ee83139d9be3f3cb6a6cf403b17b5def4a

SHA512
68e4e9f03bc254e99161bb30c7dabbb68b3e792839c4c8b7866a0a22efce53e1cda9b4bbc10a7c153db2b5a68c7f63817c359e93c7961a72d9c9cf13887de8c8

Download Submit
C:\Windows\{3192CE3E-9DFE-438a-B3DA-800E0FD460A2}.exe

Filesize
168KB

MD5
bb0e6a98696ea7c70523d4736ea542b8

SHA1
4fa89735f768f5ead6ca34a3adac576cd778d930

SHA256
2167e839ad6f7afd753e2a7472bc795b730c9d85dd143e81eb4cfccb16aa3dc8

SHA512
aa09c605bcfa280bccad18e3fb5aea644bce70e4cc2902d7f9605631026eaa4aa5d54132cfad5a69664523d8b6cae1a8537873d903e517bac6789f11856f8591

Download Submit
C:\Windows\{3C0DEFA3-8A7F-4a3e-9962-A00C276F69DB}.exe

Filesize
168KB

MD5
c6d788f78f4135422c5c69780e888a2f

SHA1
5ebd873f964c80a03d0bc0bb997342ff0b7a5629

SHA256
3b6f638c36da3fa553c0f191f7ae86c6e54c361e7d072455e3eda0898b61de2a

SHA512
9542b5a6090536aa2500f41df251e4b39c8d30fd850d688aa53cb7e55afefc89a076e29b997b38c648f1db67e2d212b6ffe5ca3ef40fd5c3587823ac6a02eba3

Download Submit
C:\Windows\{3FA31637-22FC-4b3a-8E78-102E363AB912}.exe

Filesize
168KB

MD5
50641bbde30e6272395b0aab9f689768

SHA1
2c510f479a7c4efee335e70f48dfc503adcea759

SHA256
57eec64cebc76ed5c355fced8061d9e53c021722e208db8169102fe6c43b5716

SHA512
79f5808a3b4adaa53cc234790ca6640a6570358d0342eb0d5ad2ab6cd5dc59e7de90d90061ce2d33621a0da9990906f4e7ab8372e30de79a44aacdffc24528ad

Download Submit
C:\Windows\{4DE1A0F9-8ED6-40a5-825D-96B3C86B7C80}.exe

Filesize
168KB

MD5
955e385f896c9507dec3af5541129dff

SHA1
16d7ea323107c2026c0b167fb3797833bbf03b8b

SHA256
399577e6ae6f275f24bcdc946477ba585590865414bd33819c8c63157d8aa52d

SHA512
c3cea1f13d025e5aa5113d72928fab4b94df1be19c3649f55f13435278ec2f4b59b61459d1338f10ef2b94326c2bb1bc732e6ccd9b93e460c60bd1a8a5de8f21

Download Submit
C:\Windows\{5C2AEE92-0F2A-4518-97AE-C7B686D4E9BF}.exe

Filesize
168KB

MD5
365252f0605b64c64f6d9986cd5e1dfc

SHA1
2938e8f5caeab70c395dcdcfc74a3dbd31874ec1

SHA256
0cbae3e22ed843e48df277a0f8be57abe69383a2831ede532d922d088faa198f

SHA512
e5120502f204a7a8deb6c30f680ddd8b052aa813368eb378c9bdab3431d4a67d0358e291bcc25d8deb3906e6516d47c06462d7ab391e357982e9df453f50bb48

Download Submit
C:\Windows\{7D316231-D4AD-47da-AD07-2AA9D89BF8C7}.exe

Filesize
168KB

MD5
6164d7c1a82b6148714565ea703e75b5

SHA1
546edd318275889692d9a0012d62cdc097be9287

SHA256
b98bb611ce7c835ac2187b7cb46df7feccc783a64a3c17522580863b0d76d3cb

SHA512
463471a779f5997f60039110c626d681a68ef39fae9008e27bc6661d7de86d43ed69a1b249fea0c7677c5b53d7a8fb9d4f753604d1e51706a6789fa2d537c35d

Download Submit
C:\Windows\{BA58FA25-8475-4c28-9C33-129E4C85614D}.exe

Filesize
168KB

MD5
c78c39b8a1f344a8c2452aee6bac8115

SHA1
27dc378e44534ac0c2ce7100dc4196a9c0bfd046

SHA256
049b661790f212577153f1fac37da65addfd0d8853e84edeb550bf27cfba5228

SHA512
71493c8d47ce8ddaf462001d086d74a4c12bcc61c994a98339885d6de4154ec8fe2c4ae21d6f2a2c073a57e9aba2cda83b58ccc142762e7fa0a6809953ebf2f3

Download Submit
C:\Windows\{DD67E28F-AA98-4abf-93BA-95B6831BFD88}.exe

Filesize
168KB

MD5
ebaa00d19740bde7b526e5eb6e125b1c

SHA1
85caa5a56b54ab467d113984a2b536cb2a9bc14a

SHA256
dc3a19846c561152091cf7f22a7453feb760ffa8f0648ff46231c77e21267714

SHA512
845494639ad072475a19ffde4ade402795ab7c868f3a04fc1a356c3942ec4365250686d20d7d5a02b6890f9a82eb4de0d93e7c7eacafffaa0d2b32f64c9c848e

Download Submit
C:\Windows\{FAD7C0FC-40B9-4b0b-B0A5-C8289B499937}.exe

Filesize
168KB

MD5
7b494f205e5309edf6a52ac132d79f25

SHA1
18978f9a66c1baf67b7db57d421b013e35a46a71

SHA256
958551c810081f70d747d6da5dfc40fa9771decc617936e2d423d90b21405e86

SHA512
1916ce16be885d8579ac5c68f5c37704d26f374daa67a9f0b40e318d06b9fcbb9655ce96da322df2e60fc0d665d169e7bd8c8b5d26502416c7530f1dbcd413a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads