20208fcef0d9c56123af475831eb320ebf099d74b526b8c550378108c70dcd7e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe
Size

180KB
MD5

3ae37bd162dbd1b501ca06f4e1f99758
SHA1

1eb1936075054fada59f3246b6d4bdbf23a45202
SHA256

20208fcef0d9c56123af475831eb320ebf099d74b526b8c550378108c70dcd7e
SHA512

e3fbb048dfcb05f4e7c8a8f85b9bfae155e596377c38f2a866b502171e0714d34298778e41c8895178b7256128f9e90699232ab73d1fcf730ea50446b92df0e2
SSDEEP

3072:jEGh0oFlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGPl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122f0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000149f5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122f0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122f0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122f0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B4F9A9C-C70B-4597-9483-B404426790EE}\stubpath = "C:\\Windows\\{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe"	{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}\stubpath = "C:\\Windows\\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe"	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D7E5E84-81D8-4272-8C55-021D9919EB71}\stubpath = "C:\\Windows\\{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe"	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}\stubpath = "C:\\Windows\\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe"	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}\stubpath = "C:\\Windows\\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe"	{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}	{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}\stubpath = "C:\\Windows\\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}.exe"	{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}\stubpath = "C:\\Windows\\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe"	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}\stubpath = "C:\\Windows\\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe"	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}\stubpath = "C:\\Windows\\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe"	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D7E5E84-81D8-4272-8C55-021D9919EB71}	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}\stubpath = "C:\\Windows\\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe"	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}\stubpath = "C:\\Windows\\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe"	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B4F9A9C-C70B-4597-9483-B404426790EE}	{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}	{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe
2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
1456	{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
3028	{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe
1864	{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe
2436	{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe	{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe
File created	C:\Windows\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}.exe	{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe
File created	C:\Windows\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
File created	C:\Windows\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
File created	C:\Windows\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
File created	C:\Windows\{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe	{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
File created	C:\Windows\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
File created	C:\Windows\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe
File created	C:\Windows\{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
File created	C:\Windows\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
File created	C:\Windows\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
Token: SeIncBasePriorityPrivilege	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
Token: SeIncBasePriorityPrivilege	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
Token: SeIncBasePriorityPrivilege	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
Token: SeIncBasePriorityPrivilege	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
Token: SeIncBasePriorityPrivilege	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe
Token: SeIncBasePriorityPrivilege	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
Token: SeIncBasePriorityPrivilege	1456	{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
Token: SeIncBasePriorityPrivilege	3028	{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe
Token: SeIncBasePriorityPrivilege	1864	{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2172	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	28
PID 756 wrote to memory of 668	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe	29
PID 2172 wrote to memory of 2600	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	30
PID 2172 wrote to memory of 2600	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	30
PID 2172 wrote to memory of 2600	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	30
PID 2172 wrote to memory of 2600	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	30
PID 2172 wrote to memory of 2672	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	31
PID 2172 wrote to memory of 2672	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	31
PID 2172 wrote to memory of 2672	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	31
PID 2172 wrote to memory of 2672	2172	{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe	31
PID 2600 wrote to memory of 2292	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	32
PID 2600 wrote to memory of 2292	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	32
PID 2600 wrote to memory of 2292	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	32
PID 2600 wrote to memory of 2292	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	32
PID 2600 wrote to memory of 2724	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	33
PID 2600 wrote to memory of 2724	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	33
PID 2600 wrote to memory of 2724	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	33
PID 2600 wrote to memory of 2724	2600	{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe	33
PID 2292 wrote to memory of 2528	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	36
PID 2292 wrote to memory of 2528	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	36
PID 2292 wrote to memory of 2528	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	36
PID 2292 wrote to memory of 2528	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	36
PID 2292 wrote to memory of 2996	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	37
PID 2292 wrote to memory of 2996	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	37
PID 2292 wrote to memory of 2996	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	37
PID 2292 wrote to memory of 2996	2292	{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe	37
PID 2528 wrote to memory of 2748	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	38
PID 2528 wrote to memory of 2748	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	38
PID 2528 wrote to memory of 2748	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	38
PID 2528 wrote to memory of 2748	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	38
PID 2528 wrote to memory of 2160	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	39
PID 2528 wrote to memory of 2160	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	39
PID 2528 wrote to memory of 2160	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	39
PID 2528 wrote to memory of 2160	2528	{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe	39
PID 2748 wrote to memory of 1972	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	40
PID 2748 wrote to memory of 1972	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	40
PID 2748 wrote to memory of 1972	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	40
PID 2748 wrote to memory of 1972	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	40
PID 2748 wrote to memory of 2852	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	41
PID 2748 wrote to memory of 2852	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	41
PID 2748 wrote to memory of 2852	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	41
PID 2748 wrote to memory of 2852	2748	{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe	41
PID 1972 wrote to memory of 2776	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	42
PID 1972 wrote to memory of 2776	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	42
PID 1972 wrote to memory of 2776	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	42
PID 1972 wrote to memory of 2776	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	42
PID 1972 wrote to memory of 2864	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	43
PID 1972 wrote to memory of 2864	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	43
PID 1972 wrote to memory of 2864	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	43
PID 1972 wrote to memory of 2864	1972	{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe	43
PID 2776 wrote to memory of 1456	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	44
PID 2776 wrote to memory of 1456	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	44
PID 2776 wrote to memory of 1456	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	44
PID 2776 wrote to memory of 1456	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	44
PID 2776 wrote to memory of 1524	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	45
PID 2776 wrote to memory of 1524	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	45
PID 2776 wrote to memory of 1524	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	45
PID 2776 wrote to memory of 1524	2776	{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_3ae37bd162dbd1b501ca06f4e1f99758_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
  C:\Windows\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
    C:\Windows\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
      C:\Windows\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
        
        C:\Windows\{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
        
        C:\Windows\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe
        
        C:\Windows\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
        
        C:\Windows\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
        
        C:\Windows\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe
        
        C:\Windows\{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe
        
        C:\Windows\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}.exe
        
        C:\Windows\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECDB7~1.EXE > nul
        12⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B4F9~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4EF0~1.EXE > nul
        10⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B91~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38B55~1.EXE > nul
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDFEE~1.EXE > nul
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D7E5~1.EXE > nul
        6⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{072A2~1.EXE > nul
        5⤵
        
        PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5B29~1.EXE > nul
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A591~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{072A20E8-2E07-42d6-B8BF-3C6D099F7204}.exe

Filesize
180KB

MD5
85caf2ba1160e3ea7b75e3b17ee25dcf

SHA1
1cadbfa914f2835431047574d67807cb2f8bd3d3

SHA256
9cad8c8de0f349f16408dcccb5034cac591ff3b921359b353d7bd27a44bca4d6

SHA512
4922e8cf257d9991654091b2fad6ae3f4740954be8e4be579ad9e70c5b4cbeed787953b177703d02bc62169a6ace65ce7a3755e9bc25dabddfe32177b7442297

Download Submit
C:\Windows\{1B89F1FB-5832-4dbf-BBF0-AFFFAE017E4D}.exe

Filesize
180KB

MD5
feeb7bd69d819051cf5305f517f0a48d

SHA1
8dfb2305b2155a9888d35f57fe26108f7e438da7

SHA256
423b18b09cb56ad46af399a91f72125f1b77e20a361773d16b1ee66e6c84f3bd

SHA512
cab7b9c4070c194f57417babb15619c4189511e0beb0bed2ecd90db7c5ecda8c224151c86d07440862c319f000e0a92f27fcd7adbe8551326f4ee5675b992650

Download Submit
C:\Windows\{2A591AE2-8389-4305-A133-A2E2EC1E65A6}.exe

Filesize
180KB

MD5
b5a88492a8603fe425294f1a3ce5d29d

SHA1
36aa8a1a384cdbde929e4f4c8e2330ecad5850f1

SHA256
bf61e964c4581d80c6f358ad0fb5515900f2a9018b2975418401c887af179c1d

SHA512
a799400d079587cde54de5227623e7f96c39b7f88db076eab54cb8fc9913967b02439da948aec384cb7cc39b393e94a697a5fcd03d41647aeb70db8e62d1d3fd

Download Submit
C:\Windows\{2B4F9A9C-C70B-4597-9483-B404426790EE}.exe

Filesize
180KB

MD5
54339686662a070d9a62f7a5dda9e777

SHA1
0ba07af7233e17700eb64d49eca93b3dfb5fc08d

SHA256
60ae3d2627b05a88695deea113655f9d600105b0fc29f0e462e788f5dc007f8e

SHA512
0246b67c85a8ff6c3340acc0e7b55f388327eb9ef0ea8ea186c04558927ee92ec1bded814e7696288bd6af036b8c539b284f63060e3a5208d34bf83c546d6477

Download Submit
C:\Windows\{38B55863-5BE1-4d3c-81AE-8A2628A12B5D}.exe

Filesize
180KB

MD5
a7a59cb59b46ad3445cfae93c5d3ea0c

SHA1
e1b4dd6653272347095af82184f570bf0a9d6601

SHA256
e9ad09d6691467ad1fc05c26fa3721579a085648bfeb0ef802f299d8246da451

SHA512
1de5e85c7a5958e466acaff8d188ff6de43edb21a72f12855fa0a5689f63ba32eecf5821d2c51bc525ca7f9d6c4239b86f75b26afbfa17b7091f4b5d0900dac7

Download Submit
C:\Windows\{7D7E5E84-81D8-4272-8C55-021D9919EB71}.exe

Filesize
180KB

MD5
bc58b30fdc55d526946afe4560f8a463

SHA1
0f573baf98ff44afad6dd0ca6ec70363bedd58dd

SHA256
f1dbf76bb9f825d5106f62eb788f0c42ebfae16927e78b37cb4ee154417d864e

SHA512
c9afc7767ec0e834b840392324fce4e0c3ddd6f76fe03193658282bef35cb4d03b412298bbc818531dc82bc099aeeb7c7617de3fb2bcf19f98e8b79bb8968247

Download Submit
C:\Windows\{D6B91C83-FBDF-43c7-82BF-40D3540968E4}.exe

Filesize
180KB

MD5
6425844d8be642024ece6319f5abbc7d

SHA1
81b075587426ba7ba1d8034c83f91ca1e24c4ace

SHA256
fb21ee3ae3ccbbe1079fef88da5b8a0cc9781349e566235f7fb3b8c60dd1696f

SHA512
ac4458b1111ca4ed4fde85dc7146f25e116eed82b4052629244194966abb4d302f5938458892541814f5ce65ce9fde2cfce4a4d5fceddfca8637413b9e4415cb

Download Submit
C:\Windows\{DDFEEF26-6903-45c1-9FF9-47CAD7254CB1}.exe

Filesize
180KB

MD5
a02e0a178ea3d4b42d27ba94678c50a7

SHA1
0de63a817d28e4b1895e435a8e7a3971f12b7a12

SHA256
00687b0ea9c8ce875fa8a555d094a61bb55ca6f90c1dec77199b6fc72c288224

SHA512
3831d24324962d5650380471a8aa7fb55002b527be921cf946d8826af725ec1e4caa3b7e6f2ad7ce217f47f1aadf76b96d98919df242986522b451f0d974aab1

Download Submit
C:\Windows\{ECDB70A9-9E32-433a-9CD1-5C3E1A1ECC3F}.exe

Filesize
180KB

MD5
ca7bed8ac5459ed4d4a0a66d23f69fd9

SHA1
f366000d5b7a33648981b9169f0d8337bc56cec2

SHA256
554edf22fb6d4aabbb4ba7ce519ea35324f7b6405a2ab44a680ed51008d0f126

SHA512
7ab47a6f18c70b803e352a7dca35e46556b9015a0993e82908ce6a6f6ef92f04606592803bc76fff6d4ba402593a8db3a5097130b7e15ad41ce62e7f3f2d3d70

Download Submit
C:\Windows\{F4EF0D8D-609F-4c6b-BC52-3DABF849FEC2}.exe

Filesize
180KB

MD5
9364aa908b8c18ef6ba0d51c54057195

SHA1
ea4a5813cdc62627d45da4ee911004b1fb30ceae

SHA256
e92b2fe7ad5a7e1b9c1d6600810eaf4c8abaf5a9300c92e413cf4ae152454fd0

SHA512
86a87eb5bfac29ffe7d3b2d04253cced56896c6a1f9783146330135aab0b037a36fb4d6167a26caa54463694719a00080e41074e0516c6c4b7b05a34d291c27d

Download Submit
C:\Windows\{F5B2947A-193D-4fe1-8B5C-0E86108491EA}.exe

Filesize
180KB

MD5
0955b17142c4ea88571aa684f5824688

SHA1
ffca9150235948967dc1be9949d5704762e775c4

SHA256
794af4dc30d93adc048420deb5fa96f7e5249d3784c208289a65f4ec64475030

SHA512
bee5d29a27f9212c6f609274c55edcc877db544e3b301b9837cb9f2cd650cf93b84d37c57a5f022ac9890c2810dda3929401e3e722805defb2aa57bf5db6eac8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads