043f89159efb601f4f67902ee949b047c3c544d6c5fa2d8a5e7a4f14993457df

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe
Size

168KB
MD5

aa66da6228ea0ea834e15c83606b4038
SHA1

f3d994ffddbfe3f9331006b78ec0ab4808ecd939
SHA256

043f89159efb601f4f67902ee949b047c3c544d6c5fa2d8a5e7a4f14993457df
SHA512

c0b8390918f959920a3af2de3bf40cfe66461f59399e76d10447a28f6e2962c7a03608e2b116af5aab196dce1c927da6b67655ba020a44e58f677a0c4266c409
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000144e8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014712-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72C379FA-4F83-48f3-9AF4-20A86E52158A}\stubpath = "C:\\Windows\\{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe"	{757356CC-0E91-4770-823B-B4678B080F8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}\stubpath = "C:\\Windows\\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe"	{BD163019-E361-448e-99F7-A5706970CC93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}\stubpath = "C:\\Windows\\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe"	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}	{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}\stubpath = "C:\\Windows\\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe"	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72C379FA-4F83-48f3-9AF4-20A86E52158A}	{757356CC-0E91-4770-823B-B4678B080F8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}\stubpath = "C:\\Windows\\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe"	{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{134C05F4-D024-426f-91AA-49D476368E40}\stubpath = "C:\\Windows\\{134C05F4-D024-426f-91AA-49D476368E40}.exe"	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}	{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28CF6255-1008-47cc-A43B-29F4F75D27C7}	{134C05F4-D024-426f-91AA-49D476368E40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28CF6255-1008-47cc-A43B-29F4F75D27C7}\stubpath = "C:\\Windows\\{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe"	{134C05F4-D024-426f-91AA-49D476368E40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}	{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}\stubpath = "C:\\Windows\\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}.exe"	{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{757356CC-0E91-4770-823B-B4678B080F8D}	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD163019-E361-448e-99F7-A5706970CC93}	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD163019-E361-448e-99F7-A5706970CC93}\stubpath = "C:\\Windows\\{BD163019-E361-448e-99F7-A5706970CC93}.exe"	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}	{BD163019-E361-448e-99F7-A5706970CC93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}\stubpath = "C:\\Windows\\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe"	{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{757356CC-0E91-4770-823B-B4678B080F8D}\stubpath = "C:\\Windows\\{757356CC-0E91-4770-823B-B4678B080F8D}.exe"	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{134C05F4-D024-426f-91AA-49D476368E40}	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe
2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe
1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe
640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe
1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
1224	{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
2116	{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe
684	{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe
1796	{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}.exe	{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe
File created	C:\Windows\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe
File created	C:\Windows\{757356CC-0E91-4770-823B-B4678B080F8D}.exe	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
File created	C:\Windows\{BD163019-E361-448e-99F7-A5706970CC93}.exe	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
File created	C:\Windows\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
File created	C:\Windows\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe	{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
File created	C:\Windows\{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	{757356CC-0E91-4770-823B-B4678B080F8D}.exe
File created	C:\Windows\{134C05F4-D024-426f-91AA-49D476368E40}.exe	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe
File created	C:\Windows\{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	{134C05F4-D024-426f-91AA-49D476368E40}.exe
File created	C:\Windows\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	{BD163019-E361-448e-99F7-A5706970CC93}.exe
File created	C:\Windows\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe	{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
Token: SeIncBasePriorityPrivilege	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe
Token: SeIncBasePriorityPrivilege	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe
Token: SeIncBasePriorityPrivilege	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe
Token: SeIncBasePriorityPrivilege	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
Token: SeIncBasePriorityPrivilege	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe
Token: SeIncBasePriorityPrivilege	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
Token: SeIncBasePriorityPrivilege	1224	{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
Token: SeIncBasePriorityPrivilege	2116	{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe
Token: SeIncBasePriorityPrivilege	684	{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2528	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	28
PID 2856 wrote to memory of 2528	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	28
PID 2856 wrote to memory of 2528	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	28
PID 2856 wrote to memory of 2528	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	28
PID 2856 wrote to memory of 2568	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	29
PID 2856 wrote to memory of 2568	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	29
PID 2856 wrote to memory of 2568	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	29
PID 2856 wrote to memory of 2568	2856	2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe	29
PID 2528 wrote to memory of 2692	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	30
PID 2528 wrote to memory of 2692	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	30
PID 2528 wrote to memory of 2692	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	30
PID 2528 wrote to memory of 2692	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	30
PID 2528 wrote to memory of 2924	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	31
PID 2528 wrote to memory of 2924	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	31
PID 2528 wrote to memory of 2924	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	31
PID 2528 wrote to memory of 2924	2528	{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe	31
PID 2692 wrote to memory of 2556	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	32
PID 2692 wrote to memory of 2556	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	32
PID 2692 wrote to memory of 2556	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	32
PID 2692 wrote to memory of 2556	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	32
PID 2692 wrote to memory of 2472	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	33
PID 2692 wrote to memory of 2472	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	33
PID 2692 wrote to memory of 2472	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	33
PID 2692 wrote to memory of 2472	2692	{757356CC-0E91-4770-823B-B4678B080F8D}.exe	33
PID 2556 wrote to memory of 1872	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	36
PID 2556 wrote to memory of 1872	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	36
PID 2556 wrote to memory of 1872	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	36
PID 2556 wrote to memory of 1872	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	36
PID 2556 wrote to memory of 1860	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	37
PID 2556 wrote to memory of 1860	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	37
PID 2556 wrote to memory of 1860	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	37
PID 2556 wrote to memory of 1860	2556	{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe	37
PID 1872 wrote to memory of 640	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	38
PID 1872 wrote to memory of 640	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	38
PID 1872 wrote to memory of 640	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	38
PID 1872 wrote to memory of 640	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	38
PID 1872 wrote to memory of 1512	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	39
PID 1872 wrote to memory of 1512	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	39
PID 1872 wrote to memory of 1512	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	39
PID 1872 wrote to memory of 1512	1872	{134C05F4-D024-426f-91AA-49D476368E40}.exe	39
PID 640 wrote to memory of 1884	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	40
PID 640 wrote to memory of 1884	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	40
PID 640 wrote to memory of 1884	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	40
PID 640 wrote to memory of 1884	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	40
PID 640 wrote to memory of 2184	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	41
PID 640 wrote to memory of 2184	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	41
PID 640 wrote to memory of 2184	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	41
PID 640 wrote to memory of 2184	640	{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe	41
PID 1884 wrote to memory of 1584	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	42
PID 1884 wrote to memory of 1584	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	42
PID 1884 wrote to memory of 1584	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	42
PID 1884 wrote to memory of 1584	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	42
PID 1884 wrote to memory of 1808	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	43
PID 1884 wrote to memory of 1808	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	43
PID 1884 wrote to memory of 1808	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	43
PID 1884 wrote to memory of 1808	1884	{BD163019-E361-448e-99F7-A5706970CC93}.exe	43
PID 1584 wrote to memory of 1224	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	44
PID 1584 wrote to memory of 1224	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	44
PID 1584 wrote to memory of 1224	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	44
PID 1584 wrote to memory of 1224	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	44
PID 1584 wrote to memory of 1700	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	45
PID 1584 wrote to memory of 1700	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	45
PID 1584 wrote to memory of 1700	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	45
PID 1584 wrote to memory of 1700	1584	{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_aa66da6228ea0ea834e15c83606b4038_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
  C:\Windows\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{757356CC-0E91-4770-823B-B4678B080F8D}.exe
    C:\Windows\{757356CC-0E91-4770-823B-B4678B080F8D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe
      C:\Windows\{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{134C05F4-D024-426f-91AA-49D476368E40}.exe
        
        C:\Windows\{134C05F4-D024-426f-91AA-49D476368E40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
        
        C:\Windows\{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{BD163019-E361-448e-99F7-A5706970CC93}.exe
        
        C:\Windows\{BD163019-E361-448e-99F7-A5706970CC93}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
        
        C:\Windows\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
        
        C:\Windows\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe
        
        C:\Windows\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe
        
        C:\Windows\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}.exe
        
        C:\Windows\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B446~1.EXE > nul
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD5C7~1.EXE > nul
        11⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA7D~1.EXE > nul
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2658~1.EXE > nul
        9⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD163~1.EXE > nul
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28CF6~1.EXE > nul
        7⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{134C0~1.EXE > nul
        6⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72C37~1.EXE > nul
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75735~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B77~1.EXE > nul
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{134C05F4-D024-426f-91AA-49D476368E40}.exe

Filesize
168KB

MD5
1ca8f2cbcb7574e9eb06be5f17ca2776

SHA1
c81f87884d377f9a8b43ec5418efa4342d9f832f

SHA256
c1b103a1a24ed580fcf074ae2a45b46aff49d48749e28c702e7bb8995f1fe817

SHA512
57bd5fe95a027955bdf8d6b68af08e258f9cda4a08ba6a4a893731727824a612185f188207ef72b9583e90eccbccffb9c48783f0f68fcb87f33214118a192662

Download Submit
C:\Windows\{28CF6255-1008-47cc-A43B-29F4F75D27C7}.exe

Filesize
168KB

MD5
422339ae97e5b104ed663b2e7a2b522e

SHA1
0db291256a02e876cc4fb84772f698b8ebd694b8

SHA256
d4ee0688aed27ff1c7ace89185c5d596c42bcdae273b7c898a575933efacd12f

SHA512
345fb8cac56aafe7595721ed869a6ed9d5c0e551ebb1c954969a11b5ec738df165753e5dabc2d59c5c9c1262db1699107d96778ee5fbf16afe663be00bf390aa

Download Submit
C:\Windows\{4B446E1E-40F1-4587-8E8F-76E58F83D2D7}.exe

Filesize
168KB

MD5
42d841a9b48ac71e2ee479eecd167125

SHA1
755d68148ee23c1e71f432d7174a29af38a81422

SHA256
309e4d2fce2b726a58c973c15eabe1f10c9940adef6080d5390533a333ad422a

SHA512
062a4fea18a14629acc4ce06486f5204afc37cc146128deb01b7f3c2a5a0988652da624172584cc215a437304027569a352767603f6cf41ad2a43fa7deafff3e

Download Submit
C:\Windows\{72C379FA-4F83-48f3-9AF4-20A86E52158A}.exe

Filesize
168KB

MD5
571fba7247d17abfb3dee9df731548a4

SHA1
16cb96cd5df02f8a94b597c76f5eaa1fa31f6915

SHA256
b59151efcf8d1fe1ebfae5542b39fd239a1c2429491f8683a3df18132d3f070e

SHA512
d32f74ea95f81d09ec012aee9608be545339cdb6372b25547f62e130263413b0c2d65f5ab58e931cddc500c88fe08dc78f396f9965edb85b21b794ace1725d38

Download Submit
C:\Windows\{757356CC-0E91-4770-823B-B4678B080F8D}.exe

Filesize
168KB

MD5
dbbfffc18c66b937519ff4d67d3e232c

SHA1
4ace6067de5d347209347fe23df0fa0c47449b91

SHA256
b093802a3e28eaa64cd0f5cb121cdd8854626f0e088d866abc6ea4dd2897883f

SHA512
b13529f7228dd409c922fb2a0243ba657c7db2be24cba63c984503b5264e3b4ede661293a22775b3c577ca0aae0eeab4e54d6f4ab1f8fd2dcd503e79368d95e3

Download Submit
C:\Windows\{9EEDBD50-1E4D-4c4e-9D7E-D96952AD11CA}.exe

Filesize
168KB

MD5
f5ddbe7682de83e60f17a081346d13ad

SHA1
c1d66c47fb46e1418ac49b51bb2e23a644d092bf

SHA256
a8b6cefc7a47cec904b24ded52f969e816236e4a14895d7662696c1b4b861c95

SHA512
f0e38a67f358cfb82adf570a0cacb21c2e34dd92a685152f0de68180e9cf30d1758c57b007face2d671e542ec27929950de4a32433dccf3081c6607a6e102a38

Download Submit
C:\Windows\{BD163019-E361-448e-99F7-A5706970CC93}.exe

Filesize
168KB

MD5
1f9faa981e92917e1f8b1c59189e49bb

SHA1
6b3759204486c062ef30323cdf0e2cb6acca5aa0

SHA256
10c4e595ab6c37c15e6d2334703da211e15c44141dfa10f2c6c43166bb4f4703

SHA512
661363eb59c7c48c5ebf7c3abd12f9ee9ebdda2e4e0531169d117eb1b5e757ba28b7349e4dd8770ed3009d85cc3cd98f88c556cfdf372cad9b3828d75e6c4546

Download Submit
C:\Windows\{C5B77CCE-2559-46f0-806F-ED6F172C9F8D}.exe

Filesize
168KB

MD5
d814cc92641592a83c8d0faff3f5b9b8

SHA1
a824f006c193cd7905d8c473d1d1f4593bfd9caa

SHA256
38e879518fb5d8e781675aa1ee2dac4e8b221696de5bc0b63b190cb3b74043eb

SHA512
7e9ee7192bd6e7d6724a3fe169682db8b390c5daa8fcd54366e35d91b96d2933a121191d8f19b31f30362e78a3a9e11533e8e9d5f616bb149d3fb760ff7913b4

Download Submit
C:\Windows\{DD5C7910-E79F-4ecc-8EC6-E7C591723688}.exe

Filesize
168KB

MD5
421654c143c2a05c69226401471c9631

SHA1
fcbeef831d6e250d8a68f0892550def501a25690

SHA256
c3696d93bf8e570d26ba7caf37bf2ecf979d536d8d4c2cfda94bd328315b7f41

SHA512
c870fdae9791f61a234b8e0d0d827bc2aaea18d76d1d7d0691deb27f4090da38ea3748221d60b3d535fa184b2bc1e6d4f0ed002c0e32cabd8b34a82e9964f4e4

Download Submit
C:\Windows\{E2658AFD-8863-45f4-8DEA-972360C6B7DA}.exe

Filesize
168KB

MD5
4c56a526c203afadc8cf8c1efed1988b

SHA1
e881f9946b80edc16fdef0831a027dfa0fd1c241

SHA256
9f71d59d53b92212ca9c5997c9855b262c710ed09d5370478a6133dc7487ecc9

SHA512
70be3394d827dd01b1a2f91fd9c8341b8b2b78454a8323b9dc38e60ccd86b46f7c40a9a29f9f388478d542b45f5f228d11caa8d5ea3d600145e5d3557c5beb2e

Download Submit
C:\Windows\{FFA7D5A6-0C78-4ce2-ADBB-51BEA7B80DDF}.exe

Filesize
168KB

MD5
c1d6393bfe0abcb576f033b422359dda

SHA1
7ce872bf26e035bd2e6c9ffdbe5fbcfd3642bba3

SHA256
2b8523ae4400b45782cdf55e08755b80a2d3cdf69e81e622dc5f3596a57627c0

SHA512
0e121a0847d4353387135a1667c0fce183599f27c43a2d2619964c6dd239cd08e455fc4afe744ba986056b3dbd0581f02012023f30981e3d73c210a0419435fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads