e52ad08ba618dcf97b442b4bc4bffb25424c99f58e7d6e2cf78ebcaf827d40cb

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe
Size

180KB
MD5

9513f46b1e4f48add9bd7ba78d3dc66c
SHA1

d8c00e9db86f0f252578a6196d2a6204aea6221f
SHA256

e52ad08ba618dcf97b442b4bc4bffb25424c99f58e7d6e2cf78ebcaf827d40cb
SHA512

0f52fa559f84db62ebe29775814f3e76d49c97114c3edc60eb7ada737b671edda46a3d318960202f361b8ee3717a8492b55827089c157deae947b48d32e440b0
SSDEEP

3072:jEGh0owlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG6l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001432c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014594-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C39DAE75-AB0D-4dd1-A421-4479923F0633}\stubpath = "C:\\Windows\\{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe"	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}\stubpath = "C:\\Windows\\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe"	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3458956-D4B1-456b-A435-20E2523C2C37}	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3458956-D4B1-456b-A435-20E2523C2C37}\stubpath = "C:\\Windows\\{B3458956-D4B1-456b-A435-20E2523C2C37}.exe"	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}\stubpath = "C:\\Windows\\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe"	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}\stubpath = "C:\\Windows\\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe"	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AC0862E-CF78-42b0-95F4-03AC264DB185}	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AC0862E-CF78-42b0-95F4-03AC264DB185}\stubpath = "C:\\Windows\\{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe"	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4973BA0F-1BC2-420f-941D-F0327FFE981B}	{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}	{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}\stubpath = "C:\\Windows\\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe"	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4973BA0F-1BC2-420f-941D-F0327FFE981B}\stubpath = "C:\\Windows\\{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe"	{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}	{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}\stubpath = "C:\\Windows\\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}.exe"	{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C39DAE75-AB0D-4dd1-A421-4479923F0633}	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}\stubpath = "C:\\Windows\\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe"	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}\stubpath = "C:\\Windows\\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe"	{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
2760	{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
2076	{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe
472	{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe
980	{A0FD0969-325B-490b-A9E4-D2C51FFADB43}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
File created	C:\Windows\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
File created	C:\Windows\{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
File created	C:\Windows\{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe	{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
File created	C:\Windows\{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe
File created	C:\Windows\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
File created	C:\Windows\{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
File created	C:\Windows\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}.exe	{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe
File created	C:\Windows\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
File created	C:\Windows\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
File created	C:\Windows\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe	{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
Token: SeIncBasePriorityPrivilege	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
Token: SeIncBasePriorityPrivilege	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
Token: SeIncBasePriorityPrivilege	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
Token: SeIncBasePriorityPrivilege	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
Token: SeIncBasePriorityPrivilege	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
Token: SeIncBasePriorityPrivilege	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
Token: SeIncBasePriorityPrivilege	2760	{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
Token: SeIncBasePriorityPrivilege	2076	{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe
Token: SeIncBasePriorityPrivilege	472	{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2168	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	28
PID 2336 wrote to memory of 2168	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	28
PID 2336 wrote to memory of 2168	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	28
PID 2336 wrote to memory of 2168	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	28
PID 2336 wrote to memory of 2636	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	29
PID 2336 wrote to memory of 2636	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	29
PID 2336 wrote to memory of 2636	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	29
PID 2336 wrote to memory of 2636	2336	2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe	29
PID 2168 wrote to memory of 2668	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	30
PID 2168 wrote to memory of 2668	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	30
PID 2168 wrote to memory of 2668	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	30
PID 2168 wrote to memory of 2668	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	30
PID 2168 wrote to memory of 2860	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	31
PID 2168 wrote to memory of 2860	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	31
PID 2168 wrote to memory of 2860	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	31
PID 2168 wrote to memory of 2860	2168	{B3458956-D4B1-456b-A435-20E2523C2C37}.exe	31
PID 2668 wrote to memory of 2564	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	32
PID 2668 wrote to memory of 2564	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	32
PID 2668 wrote to memory of 2564	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	32
PID 2668 wrote to memory of 2564	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	32
PID 2668 wrote to memory of 1820	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	33
PID 2668 wrote to memory of 1820	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	33
PID 2668 wrote to memory of 1820	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	33
PID 2668 wrote to memory of 1820	2668	{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe	33
PID 2564 wrote to memory of 2028	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	36
PID 2564 wrote to memory of 2028	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	36
PID 2564 wrote to memory of 2028	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	36
PID 2564 wrote to memory of 2028	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	36
PID 2564 wrote to memory of 2508	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	37
PID 2564 wrote to memory of 2508	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	37
PID 2564 wrote to memory of 2508	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	37
PID 2564 wrote to memory of 2508	2564	{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe	37
PID 2028 wrote to memory of 2936	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	38
PID 2028 wrote to memory of 2936	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	38
PID 2028 wrote to memory of 2936	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	38
PID 2028 wrote to memory of 2936	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	38
PID 2028 wrote to memory of 2968	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	39
PID 2028 wrote to memory of 2968	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	39
PID 2028 wrote to memory of 2968	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	39
PID 2028 wrote to memory of 2968	2028	{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe	39
PID 2936 wrote to memory of 1944	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	40
PID 2936 wrote to memory of 1944	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	40
PID 2936 wrote to memory of 1944	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	40
PID 2936 wrote to memory of 1944	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	40
PID 2936 wrote to memory of 1644	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	41
PID 2936 wrote to memory of 1644	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	41
PID 2936 wrote to memory of 1644	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	41
PID 2936 wrote to memory of 1644	2936	{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe	41
PID 1944 wrote to memory of 2744	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	42
PID 1944 wrote to memory of 2744	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	42
PID 1944 wrote to memory of 2744	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	42
PID 1944 wrote to memory of 2744	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	42
PID 1944 wrote to memory of 2328	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	43
PID 1944 wrote to memory of 2328	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	43
PID 1944 wrote to memory of 2328	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	43
PID 1944 wrote to memory of 2328	1944	{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe	43
PID 2744 wrote to memory of 2760	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	44
PID 2744 wrote to memory of 2760	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	44
PID 2744 wrote to memory of 2760	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	44
PID 2744 wrote to memory of 2760	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	44
PID 2744 wrote to memory of 1840	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	45
PID 2744 wrote to memory of 1840	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	45
PID 2744 wrote to memory of 1840	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	45
PID 2744 wrote to memory of 1840	2744	{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_9513f46b1e4f48add9bd7ba78d3dc66c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
  C:\Windows\{B3458956-D4B1-456b-A435-20E2523C2C37}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
    C:\Windows\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
      C:\Windows\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
        
        C:\Windows\{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
        
        C:\Windows\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
        
        C:\Windows\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
        
        C:\Windows\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
        
        C:\Windows\{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe
        
        C:\Windows\{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe
        
        C:\Windows\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
        
        C:\Windows\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}.exe
        
        C:\Windows\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}.exe
        12⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0E57~1.EXE > nul
        12⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4973B~1.EXE > nul
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AC08~1.EXE > nul
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{705F9~1.EXE > nul
        9⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B16A3~1.EXE > nul
        8⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EF09~1.EXE > nul
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C39DA~1.EXE > nul
        6⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48F24~1.EXE > nul
        5⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C82~1.EXE > nul
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3458~1.EXE > nul
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{48F24C8F-7D73-4556-8E7D-AE2CB0E6C8D6}.exe

Filesize
180KB

MD5
fdbee4f5be387a9477e6cf3b357ca1b2

SHA1
3a404eceac9b326ad6f4962bbcd75669f03ad6a9

SHA256
587d5ca1fa82864c67c18ff49d7e6c5bc421baf9e6afad68a1df367802867194

SHA512
902099f5541ae99c05e5850d2ca63e4ad998f068cf77e8e65566c035e1f6ee155fd6416816aae9c043775b2fd592f8d887cae81b8c42038422dd51ee87eb55bb

Download Submit
C:\Windows\{4973BA0F-1BC2-420f-941D-F0327FFE981B}.exe

Filesize
180KB

MD5
c0614b07a2dd9f6c45254a93efda980d

SHA1
198960b05048f8203e2ddc89aab58fe02557f7da

SHA256
e50375ee0d17f658ec335ff395c2a3044d6661ee5bfee97fef28690af2513398

SHA512
561796dd49ccd4500df32a6f5d9221403263374abb7c416e29ec5cd2f905051270b647862f3804bb97f907b02bd92830ec0ed351f8ccce33f792bf033299a59a

Download Submit
C:\Windows\{6AC0862E-CF78-42b0-95F4-03AC264DB185}.exe

Filesize
180KB

MD5
32643fd1702a394d3928ebf41567bb93

SHA1
4afe534f2302906c4abeac7be95a7b18027df89b

SHA256
1cd851727b4480894f20ff5d47a0f8d6975e664fba2f9c4ec53481fe57bb820f

SHA512
47b6d0aaebc6e8e7d11db92f35e0b76b6ec8615eb341c2edf07cd87669e7a2debd7b3307319b38af78948f80a5bac395c15fa3fe664ab57751633dd819b505fa

Download Submit
C:\Windows\{705F9E79-07A8-4633-A2CC-2AAB624BA9AC}.exe

Filesize
180KB

MD5
e2e44a295ccce5961008f10645c9810a

SHA1
da7b0cb4ce11403e3e285f38767851ccec46c043

SHA256
04126f6ee9ecf89ca936e6207febf48c22984659ced8aa9443829a8f7817aa11

SHA512
4fd0e18d2fd2d0750f9e670487f643a46b4a8d82c2742e69b70c0d44cf8ed87671e2cf6dc392d39946b8e87230be6068792336ab9056ae2051bb4be19743dc2a

Download Submit
C:\Windows\{8EF09D7C-D934-475e-99DA-6E1B2161EB8F}.exe

Filesize
180KB

MD5
2c9298603d130f8613fcbd51b015fde5

SHA1
733bae77ea688b831c0fc41c3955a44adedf7c9c

SHA256
e5df93e9b79873bce9511868cfa41d9fa6b3b53bd4b4f1794b386e6cad7a34af

SHA512
71b9886de08d0601d7a8c387a107f2ba26b12c6e6d5d442f3748971dbd3cdd21156b5cf0d497dac298ab57414be17d530d55e149539beea5702aed04f47cbb3e

Download Submit
C:\Windows\{A0FD0969-325B-490b-A9E4-D2C51FFADB43}.exe

Filesize
180KB

MD5
84775440aeba0d4ba155adc063f3b106

SHA1
6696a5b8d1f96bd973a354f3b64310208835ce7a

SHA256
5b6be72e8518a60d6ae5758061af54978e99784b235d6f8bed7108bc84d30fc2

SHA512
4f8b78b6c9d2e9543ad6b2b9e23da821d48daa6029ca0c74da4e39f237f5b54a08e6fd069e3f6e5cc490c52b214cbd64667b5e67e29dde038e137133c6b59d8d

Download Submit
C:\Windows\{B16A3C68-B0F0-4b17-A6D0-D515DAB12A40}.exe

Filesize
180KB

MD5
2039c8d4b0ec836e3c77b549893e9624

SHA1
91ab02bac25f87eb482890d68e8846b2bad52cfd

SHA256
8a13e78e28f16e1aed99c834c06ffa6b9c3cbe4ef5a22161604d13c18c3008cd

SHA512
bcdf4b7f3e6a9a6a8c201442ce17cf3589f61f370c6def10f917efe02dfd69757767bd6a332aaca3f2ed31e97c43ffcd6beaf78181e2d5405137b4faeda742cf

Download Submit
C:\Windows\{B3458956-D4B1-456b-A435-20E2523C2C37}.exe

Filesize
180KB

MD5
294762a6bc7b7f11f41b3920e6072b2d

SHA1
fa2544524191d1b1269f08b77d687210987758d1

SHA256
d8add4b224a2738b1964ad2c3db01e9541386a65624079c137f9cf4d6092aed0

SHA512
e169e0b4cc5afe9f3ddef652411d1c7fbe5e266eb4d53a0c3b2e0dad335fb64ed0f0f58ecd48b5a6105eca9d1ff737285fabd700fe6982caa00a82b0015582df

Download Submit
C:\Windows\{C39DAE75-AB0D-4dd1-A421-4479923F0633}.exe

Filesize
180KB

MD5
2fa9782fcf4d01b79ddc632000f0b27d

SHA1
3281c3b6c26b02111785f95dbffd1dae7373cdd9

SHA256
8d0ce5d2179b3c9ac0c22cddd5272434f8310487222348995d860b035affbf68

SHA512
52f41e43ed0cfc0eab6e08cf0ddeec2cb4c1f215ff196c14aadb24d486817a1b6b314f5a967a4cb48942fb3f720a411b8c87816604388fda7783a359e5620ab0

Download Submit
C:\Windows\{F0E57931-9955-4cae-8F9B-BFD82EBE8E21}.exe

Filesize
180KB

MD5
951d9fdc51e291dc7c49fc20547893a7

SHA1
26f39c8c8f1720673e556b7eaebe23ed7bc5bf93

SHA256
89d834b0c44c26ce33b5cdd7aad49e987218ff29784237e96486c19d5a095c79

SHA512
f7ed4f196c41ea7f2725347b4fac90741d3ea6a344de3b3f8b8543ef9e406352279bc30d650b52561373416a538d569f2f3b9778b7ef013e6a905d8bd340ce29

Download Submit
C:\Windows\{F9C82FBC-826A-4203-AF51-B59DDDCA23D9}.exe

Filesize
180KB

MD5
b438e67971f3d01ea14e7a83601caaa1

SHA1
8114db715c8d479e9d7a2774f685395b3218e527

SHA256
40d7dc1ed589e09d89165df5de3c58341a5eb0f4fe908bd6977ff7eb7ab668ec

SHA512
5a370fb813617724c5fe6e664d35d85b04f434aa728d8b4afaad02c8f5614a80349b29e89ed59079548d75f917af447f3efffb9d48d563e37b97a4b35c18461e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads