71cece2a13efc8762f2c239258842d63ef37ea8320e8db5e31f38f71e55bd9b9

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe
Size

408KB
MD5

7e107f0862a535d54cd39f599a3b6b65
SHA1

c0c578fb73ed28a69be9260a08c493569a63972a
SHA256

71cece2a13efc8762f2c239258842d63ef37ea8320e8db5e31f38f71e55bd9b9
SHA512

6e9b69139bab418c5f6ef427d12fac08790b2f09bf6dfeeb7c469918a6fa2c620ee85b85860b070b9bce194e2825d2f210df4e03b2cf25dff3f0afb75705410d
SSDEEP

3072:CEGh0oZl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000131a1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D253668-17F6-425c-A155-F5D8510DEDEA}	{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}	{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}\stubpath = "C:\\Windows\\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}.exe"	{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}\stubpath = "C:\\Windows\\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe"	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}\stubpath = "C:\\Windows\\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe"	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}\stubpath = "C:\\Windows\\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe"	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D253668-17F6-425c-A155-F5D8510DEDEA}\stubpath = "C:\\Windows\\{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe"	{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}\stubpath = "C:\\Windows\\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe"	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}\stubpath = "C:\\Windows\\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe"	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EDCA05D-5776-42ac-B64A-16C8D511F692}\stubpath = "C:\\Windows\\{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe"	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547EBB15-9480-465a-87AC-859EB365BA7A}\stubpath = "C:\\Windows\\{547EBB15-9480-465a-87AC-859EB365BA7A}.exe"	{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82919C70-BB14-4e08-95A0-2E31A564F165}	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82919C70-BB14-4e08-95A0-2E31A564F165}\stubpath = "C:\\Windows\\{82919C70-BB14-4e08-95A0-2E31A564F165}.exe"	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EDCA05D-5776-42ac-B64A-16C8D511F692}	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}\stubpath = "C:\\Windows\\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe"	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547EBB15-9480-465a-87AC-859EB365BA7A}	{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
1100	{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe
1800	{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
2384	{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe
2512	{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
File created	C:\Windows\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
File created	C:\Windows\{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe	{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
File created	C:\Windows\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe
File created	C:\Windows\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
File created	C:\Windows\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
File created	C:\Windows\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
File created	C:\Windows\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
File created	C:\Windows\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}.exe	{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe
File created	C:\Windows\{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
File created	C:\Windows\{547EBB15-9480-465a-87AC-859EB365BA7A}.exe	{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
Token: SeIncBasePriorityPrivilege	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
Token: SeIncBasePriorityPrivilege	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
Token: SeIncBasePriorityPrivilege	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
Token: SeIncBasePriorityPrivilege	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
Token: SeIncBasePriorityPrivilege	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
Token: SeIncBasePriorityPrivilege	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
Token: SeIncBasePriorityPrivilege	1100	{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe
Token: SeIncBasePriorityPrivilege	1800	{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
Token: SeIncBasePriorityPrivilege	2384	{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3052	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	28
PID 2176 wrote to memory of 3052	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	28
PID 2176 wrote to memory of 3052	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	28
PID 2176 wrote to memory of 3052	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	28
PID 2176 wrote to memory of 2524	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	29
PID 2176 wrote to memory of 2524	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	29
PID 2176 wrote to memory of 2524	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	29
PID 2176 wrote to memory of 2524	2176	2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe	29
PID 3052 wrote to memory of 2736	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	30
PID 3052 wrote to memory of 2736	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	30
PID 3052 wrote to memory of 2736	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	30
PID 3052 wrote to memory of 2736	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	30
PID 3052 wrote to memory of 2856	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	31
PID 3052 wrote to memory of 2856	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	31
PID 3052 wrote to memory of 2856	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	31
PID 3052 wrote to memory of 2856	3052	{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe	31
PID 2736 wrote to memory of 2228	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	34
PID 2736 wrote to memory of 2228	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	34
PID 2736 wrote to memory of 2228	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	34
PID 2736 wrote to memory of 2228	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	34
PID 2736 wrote to memory of 2720	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	35
PID 2736 wrote to memory of 2720	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	35
PID 2736 wrote to memory of 2720	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	35
PID 2736 wrote to memory of 2720	2736	{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe	35
PID 2228 wrote to memory of 2648	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	36
PID 2228 wrote to memory of 2648	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	36
PID 2228 wrote to memory of 2648	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	36
PID 2228 wrote to memory of 2648	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	36
PID 2228 wrote to memory of 2784	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	37
PID 2228 wrote to memory of 2784	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	37
PID 2228 wrote to memory of 2784	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	37
PID 2228 wrote to memory of 2784	2228	{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe	37
PID 2648 wrote to memory of 2844	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	38
PID 2648 wrote to memory of 2844	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	38
PID 2648 wrote to memory of 2844	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	38
PID 2648 wrote to memory of 2844	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	38
PID 2648 wrote to memory of 692	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	39
PID 2648 wrote to memory of 692	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	39
PID 2648 wrote to memory of 692	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	39
PID 2648 wrote to memory of 692	2648	{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe	39
PID 2844 wrote to memory of 1668	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	40
PID 2844 wrote to memory of 1668	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	40
PID 2844 wrote to memory of 1668	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	40
PID 2844 wrote to memory of 1668	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	40
PID 2844 wrote to memory of 1036	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	41
PID 2844 wrote to memory of 1036	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	41
PID 2844 wrote to memory of 1036	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	41
PID 2844 wrote to memory of 1036	2844	{82919C70-BB14-4e08-95A0-2E31A564F165}.exe	41
PID 1668 wrote to memory of 1056	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	42
PID 1668 wrote to memory of 1056	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	42
PID 1668 wrote to memory of 1056	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	42
PID 1668 wrote to memory of 1056	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	42
PID 1668 wrote to memory of 1116	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	43
PID 1668 wrote to memory of 1116	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	43
PID 1668 wrote to memory of 1116	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	43
PID 1668 wrote to memory of 1116	1668	{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe	43
PID 1056 wrote to memory of 1100	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	44
PID 1056 wrote to memory of 1100	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	44
PID 1056 wrote to memory of 1100	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	44
PID 1056 wrote to memory of 1100	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	44
PID 1056 wrote to memory of 2644	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	45
PID 1056 wrote to memory of 2644	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	45
PID 1056 wrote to memory of 2644	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	45
PID 1056 wrote to memory of 2644	1056	{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_7e107f0862a535d54cd39f599a3b6b65_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
  C:\Windows\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
    C:\Windows\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
      C:\Windows\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
        
        C:\Windows\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
        
        C:\Windows\{82919C70-BB14-4e08-95A0-2E31A564F165}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
        
        C:\Windows\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
        
        C:\Windows\{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe
        
        C:\Windows\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
        
        C:\Windows\{547EBB15-9480-465a-87AC-859EB365BA7A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe
        
        C:\Windows\{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}.exe
        
        C:\Windows\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D253~1.EXE > nul
        12⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{547EB~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{408DF~1.EXE > nul
        10⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EDCA~1.EXE > nul
        9⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E216~1.EXE > nul
        8⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82919~1.EXE > nul
        7⤵
        
        PID:1036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B714~1.EXE > nul
        6⤵
        
        PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56DB2~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E8EA~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A807~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E2161BE-EFD0-4f34-BBBE-5A3B38B70029}.exe

Filesize
408KB

MD5
022789a428a881e5341cb80e989fa0d7

SHA1
6b4e9b6503beb1a311a5784ce2727b563c723d9c

SHA256
5a368ab7ef2fdc64f0a473577355d322b7fc17cd4cb25bdbab627d155d4efcb3

SHA512
dac32c77137ee04825ad11d946f00480d764a3af81426947c8a6eff2571540e8429a047e5ab7d7f35b6f437b5f17d60ac77a4b087a1279cd280000fa453d9924

Download Submit
C:\Windows\{408DF2F3-7B29-4359-B6F7-5137D592ACB4}.exe

Filesize
408KB

MD5
296657e9e8bb8d893f392b71683273bb

SHA1
7722e46785eeaee7491af08d7d3252536d98ca45

SHA256
08b9c17ec75cd1c38db39f49744f27d4757413a5d0cc67e64d67cc0c983ea016

SHA512
c8a6a2fc119a09bfc76aafdf7f41b90e2f934043a42961be4bdc07ed06bf93ca38b8ec6826c98e16679cc05803f383f110e38069cd55f124f7526926eabf9174

Download Submit
C:\Windows\{4B714ABC-4FFE-430c-9C4B-121C6B3AC8A7}.exe

Filesize
408KB

MD5
aeb62772263f48a2707f7a3c83088026

SHA1
0dbc13dcb88b0cca6ba2850b5eff6dec8764457f

SHA256
888eed251f74164817d56882b87698ecbd020f602ac04b31fbfeda15c8319a59

SHA512
8f16d7ae89472bb15421ad266dea436dc5bf39f41da897d19aede50728b179dde91cc9847d2cfdbfffc5a783f1d3287eb10ad652df2d7ee81beb7d97c41cb285

Download Submit
C:\Windows\{547EBB15-9480-465a-87AC-859EB365BA7A}.exe

Filesize
408KB

MD5
3bfb5ee639c81ee0a2f50f6beda072a4

SHA1
414532a55f5b51571da7c27fc3f3e857b2fd30b8

SHA256
10f5f3a2ce5263334745b25683458d5114f3d0be7d19e293c3f8ebfd90eb9617

SHA512
71712c067e227fc537ca56acc00ded38bf99024f33740a0d9a23798931e13f962784dc3d889527a713858a192dc352aca29ae14c3ae257c41494c19b3783ed79

Download Submit
C:\Windows\{56DB2885-51DD-46d2-8EF4-B7E664F5CADA}.exe

Filesize
408KB

MD5
5ad5ccb0c46b3e18ea4d5545c4816058

SHA1
6450d1f64f30f97d8f88b6e7c2f6448f05aeed78

SHA256
23f1cd98109bb330c70cf40fc0507422ff6bcbe3907b562eca06e6c088d23ee8

SHA512
1a6450821ef4f3cda8d8ce4729a39c2a799fd9427c20683e10b1e9933166f952e41dae350aa5101026d947eac51beb7eae463cc749a3a943526204bd10d79fd5

Download Submit
C:\Windows\{7A8078E2-878B-4d42-B1BA-F8D36766DFAB}.exe

Filesize
408KB

MD5
22991a05dc035f6f745d89e3fd4a363d

SHA1
c70db2ee7a9b2c359634617a81b7b912c0b51744

SHA256
f117f5f2e73b5eef23e476b25e23a3d8515a592756f2439087c60f294247f0fb

SHA512
ffb20ac4e15b248e66c616ccb8febafb7dba3a62058f41f27f2cc8534e7f2eb8d54f4e843b5f04253f54230c49bd36b82abd268597d4d7705eb9c93cbbae8ec1

Download Submit
C:\Windows\{82919C70-BB14-4e08-95A0-2E31A564F165}.exe

Filesize
408KB

MD5
3fc03394a63fa09290c0b163f1fdeee1

SHA1
324d69d629da560caa4bf5c9c734e5f9162394bc

SHA256
b1e4b7a89a6eca3da9f3be730ed15580eda4c67be93a1a5f10806329fed144e3

SHA512
e9eb4135627b02bc0f9fd1467ed53160bea5846f608363af9fd2a073ccad6caed1609c072d8c609026213f3528a565d033d39cd3677933ef19e1cdb3a224f4dc

Download Submit
C:\Windows\{8D253668-17F6-425c-A155-F5D8510DEDEA}.exe

Filesize
408KB

MD5
6e620be26fb76709aa4be836bbde770e

SHA1
3d037dd785ecc7a5effeb416536da3dae92bb83c

SHA256
484e2040746fdb902a08e0242f2925fa4559b0bc1a74ed8ffba87f663b34e09b

SHA512
3825c5f842b08b3aee568520a331de4993a0185385c8fbf5417aa19c8f86963d96c9edcdfa19fef03c57bf44bed6ee4aa94fc30805385e81cc4f300a62d0d137

Download Submit
C:\Windows\{8EDCA05D-5776-42ac-B64A-16C8D511F692}.exe

Filesize
408KB

MD5
b7f7515cc13cedd6c4a37c1af2fdbfbb

SHA1
ee900d89af2fcf3ed4c560a6db16b4539b864140

SHA256
490f24cf5f6956f06ef1e6efe267834590e3e61edd25077ba14d3ab98846d430

SHA512
624ad2e5e06a75ac34018dd79faa63ddbaa51c4b2d466c0c0281e9df050389fab20a6b787e2702d4a6e97e1bc1e67c4ba5eeef9531bc2f0da4946650caf6add1

Download Submit
C:\Windows\{9E8EAA4E-22E8-4912-BEDB-9B10737F2EB1}.exe

Filesize
408KB

MD5
cdd0f42b723fc7d9538299d1c6ac00bc

SHA1
28be6a86159b6c44e5811af7de76204a4c51b40a

SHA256
081519e4d8baf6d50c6b713983268bdca6da7cafbb49895172049d7b9315e7ff

SHA512
74adc845b3b489e4a4c6eb79daf4ec6bc12424fb3c96bab0a766459320391abe00541e61e0c1078d1bf57db0453c106f05d29ed318322b9971d739ac227cfb71

Download Submit
C:\Windows\{D12DE188-BC81-479b-82E9-9E0AFF5CFC6D}.exe

Filesize
408KB

MD5
3897d7645c16c7a2fe8022e5d18a4be6

SHA1
8896c5ad50796b2f02f86e9d009fea23a3553e9e

SHA256
ddbceb89bd5a70e381baab08b6fc67de7ffd6d4aaf1ad9811c2e4ff5cef20a01

SHA512
04bd929d6bcf0e3fab7578cbf47f7f7307883fa92ec62325df7395b8fbca0a4f8707f481679a231a8a0937fc846cc0111cf40c42867d9ae559799bcd990ef3a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads