385df9021db84c230321c8fb7c00e3b90a23a820acd949c5319006ca5a52502a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Size

372KB
MD5

a0915d7c9161dc6d762ee5f52ea8afa4
SHA1

318e908143af17ad6472274e974823de84bdd16a
SHA256

385df9021db84c230321c8fb7c00e3b90a23a820acd949c5319006ca5a52502a
SHA512

3e46ad68f5fc2b265ff5171b9565065a27c4b73d6c22d9bfee308d2397c04f18c007466e4aaf5c45d66a3f5961174374b211606ad3c9ec2f6c98d826aac503d2
SSDEEP

3072:CEGh0o/mlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJmlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001222a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015364-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015364-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015364-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015364-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015364-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95CF5817-A628-4ea6-BEC2-53769215ABD6}\stubpath = "C:\\Windows\\{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe"	{714E2891-0695-4d38-B80E-2666D904665E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A79E53D-AD48-4763-90DB-241BF4821C20}	{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}\stubpath = "C:\\Windows\\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}.exe"	{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}\stubpath = "C:\\Windows\\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe"	{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}\stubpath = "C:\\Windows\\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe"	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}\stubpath = "C:\\Windows\\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe"	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95CF5817-A628-4ea6-BEC2-53769215ABD6}	{714E2891-0695-4d38-B80E-2666D904665E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A79E53D-AD48-4763-90DB-241BF4821C20}\stubpath = "C:\\Windows\\{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe"	{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7268E0-24E8-4dd6-87F5-26536C92C386}	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}\stubpath = "C:\\Windows\\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe"	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714E2891-0695-4d38-B80E-2666D904665E}\stubpath = "C:\\Windows\\{714E2891-0695-4d38-B80E-2666D904665E}.exe"	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}\stubpath = "C:\\Windows\\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe"	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}\stubpath = "C:\\Windows\\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe"	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}	{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7268E0-24E8-4dd6-87F5-26536C92C386}\stubpath = "C:\\Windows\\{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe"	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714E2891-0695-4d38-B80E-2666D904665E}	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}	{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
532	{714E2891-0695-4d38-B80E-2666D904665E}.exe
2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe
1996	{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
1644	{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
2464	{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe
2988	{A4C1F7B4-461A-4278-9CBC-6A87307B2403}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
File created	C:\Windows\{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	{714E2891-0695-4d38-B80E-2666D904665E}.exe
File created	C:\Windows\{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe	{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
File created	C:\Windows\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe	{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
File created	C:\Windows\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}.exe	{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe
File created	C:\Windows\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
File created	C:\Windows\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
File created	C:\Windows\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
File created	C:\Windows\{714E2891-0695-4d38-B80E-2666D904665E}.exe	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
File created	C:\Windows\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
File created	C:\Windows\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
Token: SeIncBasePriorityPrivilege	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
Token: SeIncBasePriorityPrivilege	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
Token: SeIncBasePriorityPrivilege	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
Token: SeIncBasePriorityPrivilege	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe
Token: SeIncBasePriorityPrivilege	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
Token: SeIncBasePriorityPrivilege	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe
Token: SeIncBasePriorityPrivilege	1996	{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
Token: SeIncBasePriorityPrivilege	1644	{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
Token: SeIncBasePriorityPrivilege	2464	{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2748	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	28
PID 2020 wrote to memory of 2748	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	28
PID 2020 wrote to memory of 2748	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	28
PID 2020 wrote to memory of 2748	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	28
PID 2020 wrote to memory of 2972	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	29
PID 2020 wrote to memory of 2972	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	29
PID 2020 wrote to memory of 2972	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	29
PID 2020 wrote to memory of 2972	2020	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	29
PID 2748 wrote to memory of 2524	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	32
PID 2748 wrote to memory of 2524	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	32
PID 2748 wrote to memory of 2524	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	32
PID 2748 wrote to memory of 2524	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	32
PID 2748 wrote to memory of 2448	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	33
PID 2748 wrote to memory of 2448	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	33
PID 2748 wrote to memory of 2448	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	33
PID 2748 wrote to memory of 2448	2748	{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe	33
PID 2524 wrote to memory of 2444	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	34
PID 2524 wrote to memory of 2444	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	34
PID 2524 wrote to memory of 2444	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	34
PID 2524 wrote to memory of 2444	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	34
PID 2524 wrote to memory of 2500	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	35
PID 2524 wrote to memory of 2500	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	35
PID 2524 wrote to memory of 2500	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	35
PID 2524 wrote to memory of 2500	2524	{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe	35
PID 2444 wrote to memory of 564	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	36
PID 2444 wrote to memory of 564	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	36
PID 2444 wrote to memory of 564	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	36
PID 2444 wrote to memory of 564	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	36
PID 2444 wrote to memory of 680	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	37
PID 2444 wrote to memory of 680	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	37
PID 2444 wrote to memory of 680	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	37
PID 2444 wrote to memory of 680	2444	{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe	37
PID 564 wrote to memory of 532	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	38
PID 564 wrote to memory of 532	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	38
PID 564 wrote to memory of 532	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	38
PID 564 wrote to memory of 532	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	38
PID 564 wrote to memory of 1388	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	39
PID 564 wrote to memory of 1388	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	39
PID 564 wrote to memory of 1388	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	39
PID 564 wrote to memory of 1388	564	{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe	39
PID 532 wrote to memory of 2412	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	40
PID 532 wrote to memory of 2412	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	40
PID 532 wrote to memory of 2412	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	40
PID 532 wrote to memory of 2412	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	40
PID 532 wrote to memory of 2648	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	41
PID 532 wrote to memory of 2648	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	41
PID 532 wrote to memory of 2648	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	41
PID 532 wrote to memory of 2648	532	{714E2891-0695-4d38-B80E-2666D904665E}.exe	41
PID 2412 wrote to memory of 928	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	42
PID 2412 wrote to memory of 928	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	42
PID 2412 wrote to memory of 928	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	42
PID 2412 wrote to memory of 928	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	42
PID 2412 wrote to memory of 1524	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	43
PID 2412 wrote to memory of 1524	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	43
PID 2412 wrote to memory of 1524	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	43
PID 2412 wrote to memory of 1524	2412	{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe	43
PID 928 wrote to memory of 1996	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	44
PID 928 wrote to memory of 1996	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	44
PID 928 wrote to memory of 1996	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	44
PID 928 wrote to memory of 1996	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	44
PID 928 wrote to memory of 2220	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	45
PID 928 wrote to memory of 2220	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	45
PID 928 wrote to memory of 2220	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	45
PID 928 wrote to memory of 2220	928	{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
  C:\Windows\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
    C:\Windows\{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
      C:\Windows\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
        
        C:\Windows\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\{714E2891-0695-4d38-B80E-2666D904665E}.exe
        
        C:\Windows\{714E2891-0695-4d38-B80E-2666D904665E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
        
        C:\Windows\{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe
        
        C:\Windows\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
        
        C:\Windows\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
        
        C:\Windows\{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe
        
        C:\Windows\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}.exe
        
        C:\Windows\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}.exe
        12⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4310~1.EXE > nul
        12⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A79E~1.EXE > nul
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F14B~1.EXE > nul
        10⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B664E~1.EXE > nul
        9⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95CF5~1.EXE > nul
        8⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{714E2~1.EXE > nul
        7⤵
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B03F~1.EXE > nul
        6⤵
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CB64~1.EXE > nul
        5⤵
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE726~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{345F2~1.EXE > nul
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B03F0D7-220C-4eb6-BD2C-91219F91892C}.exe

Filesize
372KB

MD5
419388d1706c29196c478fa306805cc1

SHA1
18ec04155e8763af99925b82d3b807fe633f71d8

SHA256
3a51278fa282e74d3127c875e63d8fc79e2617f0c9410f7e256384a76c96379e

SHA512
9bee1da5df9d89c825aa2e02d1c1049fd0de3a2c63ee49cef27a4667082dc586849b6f10916a55c879218ac5841b8396dbcde58bd084428e996c8ff78d041589

Download Submit
C:\Windows\{2CB6441C-80FE-4836-BDFE-CE73D98FB95D}.exe

Filesize
372KB

MD5
5a24e0593bde5d5a5cce7e170e419082

SHA1
b055f09ddf3fe94308283354687b77dd8760976b

SHA256
58bf6c6844f5175257c43f5382aab95db367d19d35b56c4bb5525801e7ece86c

SHA512
dca7ea4ef0d763c416643330388809e25cb6f0b2cefe039a8f42e5aea6f2058876bf4e88f3a7f92a1d1cb4b234b40dba223f56d83a632404e1444eefb8921ff4

Download Submit
C:\Windows\{345F2FB3-D5E0-4e0f-9E71-4D0C5423D6AD}.exe

Filesize
372KB

MD5
b20f85b19d43e0f2861599fd82391b4d

SHA1
605de4739d3bb09b1439384e1c016f83708de459

SHA256
bd42e0008a19dbaa59781a9096e907caf125f86de1d30fe239deab8d2b0a4279

SHA512
9373b9d687d75e3ecf6c35fa56d8176f330e72b901ba6c7f9f8ecfdb1a93d9a139e9daf21adc0c1636f8c1c6a9c59f969f818c36003f6480c4e7b77ce4984e90

Download Submit
C:\Windows\{714E2891-0695-4d38-B80E-2666D904665E}.exe

Filesize
372KB

MD5
4f111e758e0737c87c4c274d1d1268b6

SHA1
8d599317ebb2dd49d83c7b42495b26d1c506fd5f

SHA256
ef7690eb8963e46ce1e235b820d8fe14211eca28e930bc3e7cfe98aa3768d30a

SHA512
e193fdb09d0be62ba9ff9dc6cf31a216e85cf2071570477833ec12adf59b5ad691630c91256f31d02da993a4d835945e33ac1f11d4860c81f3f3d054ce48e6a9

Download Submit
C:\Windows\{7A79E53D-AD48-4763-90DB-241BF4821C20}.exe

Filesize
372KB

MD5
a6154d0eb24b288ac0793ba6bf1d179f

SHA1
cb1a6a29c1d5e7bf4239563181aedf0294076e5b

SHA256
da0f856995b1b39fff0d7328e143cdbc10f8d1eb254e507c35f024327fd71206

SHA512
06c202eed4484017950cd2c11f63d4d3d6f5a2331b98478a90b85492fd572b54e662cda5708e9313403a26973a6df0b61b7956350d2c2b107d79d11093706849

Download Submit
C:\Windows\{95CF5817-A628-4ea6-BEC2-53769215ABD6}.exe

Filesize
372KB

MD5
d5e6b1b8987ca29b57e5247a1f579eda

SHA1
6347eac2aaec0d5c9982af09e5203acfe75be685

SHA256
c9fe0e889447dac5955a473cef8b1dd685c2becb1a986af0de11f855b26c4b9e

SHA512
78d2698886b23f6823a841948af2e59f46f935f791a6c7ca8739f53db9538beb3f919df2aaf4a0fd57fe20d331bbc17922fd9f5b4b7e5a74aef38d9247ba75d4

Download Submit
C:\Windows\{9F14B1AB-1852-4775-B30B-A2972D1BACF1}.exe

Filesize
372KB

MD5
da29cbeb12ab042d737b144d955135df

SHA1
260177da7aaa1a452ccae7663e0b34f48093e3e6

SHA256
9cfa44912c5a60c9e0f0a1fab685201c1811238222c3003c80dacda3f71b5429

SHA512
a39db50b6a5bb8c58dee2e5feda84e638d055bf1d9719e8270933a0ccc937cf0939e347d10e57285f283f00e3936bff59670682e09e8b9e39e74984c06dabe87

Download Submit
C:\Windows\{A4C1F7B4-461A-4278-9CBC-6A87307B2403}.exe

Filesize
372KB

MD5
0a660c056f068e9c207006331514c941

SHA1
e1974d40dfffedfdddea157712720ae28a998ba7

SHA256
066a0d46cc24f4d75e87279b6578dde91ec0f7252a9d54153ab9e3a9253d52d9

SHA512
caa1d3966abd1f4f189cc364a66164a5a0d822e5944f589b03d72347e36912e1d72e5a2e91c9aa321acab7709e4fc86fb303920665c0afca02882791823ff741

Download Submit
C:\Windows\{AE7268E0-24E8-4dd6-87F5-26536C92C386}.exe

Filesize
372KB

MD5
4f1019c8228ec6adead116a8bf44206d

SHA1
776609b6464967467157760d8765311910772f3f

SHA256
fd714321b22abb11524ee932a8d41399311501f98acd8dae2464896d8d5b4bf3

SHA512
9f1dd81455130cde7d4d7737a3ef28a5f92011da7ec91bcbad2be855c34059cd75c9eb41880231d367deb4ffbf29284eb442f65fdde8d76f639ada3e221a3035

Download Submit
C:\Windows\{B664EA2E-E28A-4e2b-9C1F-9139895E08E1}.exe

Filesize
372KB

MD5
ce5a97140cc31e5dfb4dd44a6e0630e5

SHA1
478de562921f19991057e4cc0e7401514f802ba2

SHA256
de6f51c77e68c6a7dd44cea45d55c1c4639e1ac79fe048e2e3fc9b28346b9cf4

SHA512
c00db80f8dadb2bcf98e604154194e86892681ad3aff1a88f3d6adb49403c82185dd1a986baee649c3d2c4254cae6fc5f6d87af2319c983e86ba5c2ab57af7b6

Download Submit
C:\Windows\{D43101AF-8F7D-4c0d-B601-F892BC9F767C}.exe

Filesize
372KB

MD5
16967c764bfa7f78c9f8055934c09341

SHA1
ffc1474822c03b5295a02188858e0506c8ffa265

SHA256
3297a45ab36415ffdad202ed1986de53e2b202426b7912b010fc645aafef1f75

SHA512
b9e9b9fa29cecd4ac7e2dc51a036349dc7c53d9bb9caf6a2d354440d4a78c8ed039dc96df9496042d750e3b62b442d5ee5fe2b032fd5c29247e9dc6fcd546c25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads