ef08b3d734eb333b41536cc7aa1233b11adcde8a2376391b1e1775e1e265b95e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Size

168KB
MD5

f7d7eb6c166f378d7305595537ac530f
SHA1

b61bda19e915efa8a0f457dfa0a846232c2ec81d
SHA256

ef08b3d734eb333b41536cc7aa1233b11adcde8a2376391b1e1775e1e265b95e
SHA512

f53b10f1ae232212ba951e691b5c401f9aa360244332f47c783ffdccffae6e61971948beec443d951b840bf6a4a289d2b7b042920bf364af2e39494bd05c26b8
SSDEEP

1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000142c4-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014390-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000142c4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000146a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000142c4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000142c4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000142c4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11A32789-F229-4fc4-B7C9-9351E562F0FE}	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B8FE9D-16A4-4810-BE88-27883310FA49}\stubpath = "C:\\Windows\\{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe"	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}\stubpath = "C:\\Windows\\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe"	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B8FE9D-16A4-4810-BE88-27883310FA49}	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}\stubpath = "C:\\Windows\\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe"	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11A32789-F229-4fc4-B7C9-9351E562F0FE}\stubpath = "C:\\Windows\\{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe"	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36E55888-DC7F-4884-A56C-0282ED232BB9}\stubpath = "C:\\Windows\\{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe"	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}	{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}	{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}\stubpath = "C:\\Windows\\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe"	{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}	{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}\stubpath = "C:\\Windows\\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe"	{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}\stubpath = "C:\\Windows\\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}.exe"	{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}\stubpath = "C:\\Windows\\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe"	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}\stubpath = "C:\\Windows\\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe"	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36E55888-DC7F-4884-A56C-0282ED232BB9}	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}\stubpath = "C:\\Windows\\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe"	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe
1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
1744	{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe
2128	{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
2084	{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe
644	{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}.exe	{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe
File created	C:\Windows\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
File created	C:\Windows\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
File created	C:\Windows\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
File created	C:\Windows\{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
File created	C:\Windows\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe	{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
File created	C:\Windows\{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
File created	C:\Windows\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe
File created	C:\Windows\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
File created	C:\Windows\{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
File created	C:\Windows\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe	{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
Token: SeIncBasePriorityPrivilege	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
Token: SeIncBasePriorityPrivilege	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
Token: SeIncBasePriorityPrivilege	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
Token: SeIncBasePriorityPrivilege	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe
Token: SeIncBasePriorityPrivilege	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
Token: SeIncBasePriorityPrivilege	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
Token: SeIncBasePriorityPrivilege	1744	{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe
Token: SeIncBasePriorityPrivilege	2128	{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
Token: SeIncBasePriorityPrivilege	2084	{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2832	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	28
PID 2340 wrote to memory of 2832	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	28
PID 2340 wrote to memory of 2832	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	28
PID 2340 wrote to memory of 2832	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	28
PID 2340 wrote to memory of 2896	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	29
PID 2340 wrote to memory of 2896	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	29
PID 2340 wrote to memory of 2896	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	29
PID 2340 wrote to memory of 2896	2340	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	29
PID 2832 wrote to memory of 2528	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	30
PID 2832 wrote to memory of 2528	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	30
PID 2832 wrote to memory of 2528	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	30
PID 2832 wrote to memory of 2528	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	30
PID 2832 wrote to memory of 2636	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	31
PID 2832 wrote to memory of 2636	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	31
PID 2832 wrote to memory of 2636	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	31
PID 2832 wrote to memory of 2636	2832	{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe	31
PID 2528 wrote to memory of 2556	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	32
PID 2528 wrote to memory of 2556	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	32
PID 2528 wrote to memory of 2556	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	32
PID 2528 wrote to memory of 2556	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	32
PID 2528 wrote to memory of 2540	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	33
PID 2528 wrote to memory of 2540	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	33
PID 2528 wrote to memory of 2540	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	33
PID 2528 wrote to memory of 2540	2528	{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe	33
PID 2556 wrote to memory of 1660	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	36
PID 2556 wrote to memory of 1660	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	36
PID 2556 wrote to memory of 1660	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	36
PID 2556 wrote to memory of 1660	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	36
PID 2556 wrote to memory of 2376	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	37
PID 2556 wrote to memory of 2376	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	37
PID 2556 wrote to memory of 2376	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	37
PID 2556 wrote to memory of 2376	2556	{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe	37
PID 1660 wrote to memory of 2736	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	38
PID 1660 wrote to memory of 2736	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	38
PID 1660 wrote to memory of 2736	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	38
PID 1660 wrote to memory of 2736	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	38
PID 1660 wrote to memory of 2512	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	39
PID 1660 wrote to memory of 2512	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	39
PID 1660 wrote to memory of 2512	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	39
PID 1660 wrote to memory of 2512	1660	{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe	39
PID 2736 wrote to memory of 1628	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	40
PID 2736 wrote to memory of 1628	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	40
PID 2736 wrote to memory of 1628	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	40
PID 2736 wrote to memory of 1628	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	40
PID 2736 wrote to memory of 1548	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	41
PID 2736 wrote to memory of 1548	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	41
PID 2736 wrote to memory of 1548	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	41
PID 2736 wrote to memory of 1548	2736	{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe	41
PID 1628 wrote to memory of 1968	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	42
PID 1628 wrote to memory of 1968	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	42
PID 1628 wrote to memory of 1968	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	42
PID 1628 wrote to memory of 1968	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	42
PID 1628 wrote to memory of 940	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	43
PID 1628 wrote to memory of 940	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	43
PID 1628 wrote to memory of 940	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	43
PID 1628 wrote to memory of 940	1628	{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe	43
PID 1968 wrote to memory of 1744	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	44
PID 1968 wrote to memory of 1744	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	44
PID 1968 wrote to memory of 1744	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	44
PID 1968 wrote to memory of 1744	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	44
PID 1968 wrote to memory of 1444	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	45
PID 1968 wrote to memory of 1444	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	45
PID 1968 wrote to memory of 1444	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	45
PID 1968 wrote to memory of 1444	1968	{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
  C:\Windows\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
    C:\Windows\{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
      C:\Windows\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
        
        C:\Windows\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe
        
        C:\Windows\{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
        
        C:\Windows\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
        
        C:\Windows\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe
        
        C:\Windows\{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
        
        C:\Windows\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe
        
        C:\Windows\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}.exe
        
        C:\Windows\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}.exe
        12⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5AA~1.EXE > nul
        12⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77346~1.EXE > nul
        11⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B8F~1.EXE > nul
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54410~1.EXE > nul
        9⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD826~1.EXE > nul
        8⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36E55~1.EXE > nul
        7⤵
        
        PID:1548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F384~1.EXE > nul
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A68D7~1.EXE > nul
        5⤵
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11A32~1.EXE > nul
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B07~1.EXE > nul
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11A32789-F229-4fc4-B7C9-9351E562F0FE}.exe

Filesize
168KB

MD5
f2922a2de3da0bfc4aade8d8c4717c87

SHA1
437391dd41af9d5f7f3ef3f3050179709702d3cc

SHA256
6007af16325ee780c22bed973913ccdefac9cd230850abae9d69ca8048cc2848

SHA512
c7de5344bce69de9b536fd9031a4abf510a586a3a082380a67ee1613536c140fd675ea35caae7f8917b457256fb0ee76cef166a1dcb39bdaa6c8ab07e7e39c06

Download Submit
C:\Windows\{1F38477D-5E27-4896-9B3E-D1CD9929DAAC}.exe

Filesize
168KB

MD5
9960fe2adf8599b235c8119bb7fa64be

SHA1
b9a97b34079795cc97858429e3681fb50a4c12c1

SHA256
c7f9b10feb139f058bccd7ea5aa1dd6d80045ab91add40a9b4eda5cbb7819d1f

SHA512
629c21c46ead62431636d2ca4192bc1f400a50e9746b3ed0f2c4a4001750de8a7c1b6fe4f3432b60cc2fd73c4d3b7a834a72f356e198e865953745c7bcce1982

Download Submit
C:\Windows\{36E55888-DC7F-4884-A56C-0282ED232BB9}.exe

Filesize
168KB

MD5
01b5ad7bcdd272def6b0ec4ca694d4b3

SHA1
524bfde97e3d08910ec5229a6e674236b1f3d4fa

SHA256
50487b83188f1a755fc1c19751df057732c0dc9242e0d1b31e3250ad0c95ccd3

SHA512
020360d35e912be6ce49efdbbbf2ba5d57377f9d9c25a0e02e57741be538bd73c37e28316c34a05e7f0028a514e8d11cb9d234eccf333e4dfa7cfd19bf63ff4a

Download Submit
C:\Windows\{3BD4D4A5-6B7C-48b1-A251-C81C6E30BC22}.exe

Filesize
168KB

MD5
8252b02e474e84ed5a96caa4359b1b3e

SHA1
89e3b9e68e3b9c0337adccbab177b09da1c8ef8c

SHA256
540cb4655ad942938778685df0c5c32e231702bd9f0b7945853caa5a9ec864ea

SHA512
c406e4f4988bb658643753f73babd297e8a08da1edf8c4fdb2244c9e44ca5b528e40b0cdb8c4e80e7ae9b592115b3f13000d5bf88ead09db1a63e426b65e9b4c

Download Submit
C:\Windows\{54410A49-FB7F-4743-AB0D-CB4752E87CAF}.exe

Filesize
168KB

MD5
1099d3ed9c1bd10349d29d430b79fcf0

SHA1
5f8bc534958fe354b54789c87c12dbac557c0429

SHA256
aebef65f700eb25e864b7da8d5f5dc50e40a95bab6bb03c95cd8a452819efb85

SHA512
0e444f45471f996ce4895da2cc8461dc3da5ed88c98f313db616914673387c2439a7fb0cd789195cdff9b82c521dd9c18a4f8336a9e8f9642231a1e488ecabc6

Download Submit
C:\Windows\{5F5AA0F7-05CD-4c5d-BB5A-AEB60831CBE1}.exe

Filesize
168KB

MD5
5beec89c1bce5da46789bcbb6a095aa9

SHA1
8db5c2744ad215d35ed305f4bf22aecb9c182ddb

SHA256
eca8f8a45e37c9c098aec315923beca87f17f1bf65785c2b715c063281e58ae0

SHA512
59e59ae2929f05cb84869bb922e7593f04140e5b25b5a34c0b26024c13e8e411c56e81b724b9ba4446f3e69ff2bdaaa3f98414c902fe1bd853cf39a6fb981b1f

Download Submit
C:\Windows\{77346F4D-70F1-44ca-89DF-2312AC12DBD4}.exe

Filesize
168KB

MD5
4b1c440f21a853cd8ed80ce0ceb6ca23

SHA1
d678a00a5344fb5061e8472bfde6d7e8a7316eb9

SHA256
1ddab081e63ab8cd71e0653b0f41c8ca98f87144581dac742de7f515ea6e0910

SHA512
a9b02cb02f15005efbb1f1b544593f710ac8419002c495ad55a9342f4f0b22f6e388b41a1af2dadaa73fe5aa3dbcd2af80d11a2ab31a36a0f80c20825b29b6cd

Download Submit
C:\Windows\{A68D7E14-1DD1-4cd7-AEE9-B8A79AD13DAB}.exe

Filesize
168KB

MD5
ddd69b4bd1e9a43b1ec341aee7875680

SHA1
c67ca9836802be677a9670fe8f624d5a564a19ed

SHA256
a4ee83f4b3f57b363d4ccfa007ac374bad91ad3d42a8d7ce09ecff100a1c40a1

SHA512
09217538897c31b13ecd8cbaca84fc1858f597ba73124e96291d2ddc482627a539b693b641f22d78fbe77da676d74f8b4ef6b3cdcb45d76730256cbf14d71cc7

Download Submit
C:\Windows\{B1B8FE9D-16A4-4810-BE88-27883310FA49}.exe

Filesize
168KB

MD5
1e8a304b12a755bd18b14a4e483770d0

SHA1
1b5ae9ed0bd4f6f5c603c9a40ea6d79234a60d7a

SHA256
003cae355ce8825d9493967b90aa77f9a272d96332400b9621c58c58540e5a55

SHA512
3729f3d49a3624aa4195b77f55584b32c0504ae5bed7b3eb3e890206ec46264403743e161bd0e1e579285091d1c11ebd929301a4b3a22c8236d68082c56f6b90

Download Submit
C:\Windows\{C2B072AE-3308-4c60-A232-F4A3CD5EC79F}.exe

Filesize
168KB

MD5
2001f20161c923669a1523b34075f5e7

SHA1
742946e1c3b8c545faac526bc8d61beee78bf89c

SHA256
ae4a1f17aba1b41f2b510981f2db2f6080ed55ddf4e45ea192f36d1388d213c5

SHA512
4c7f139fc5c3f84c3b690d174e9822a3790e0c7f550586b9ea79f4069d3376430bbb889fb8e4f1efa0eeaeee8e7e891d476114900013bdbbc7a18beffeab60dc

Download Submit
C:\Windows\{FD826FB5-8A42-41ab-B484-F3AFAB66F7C0}.exe

Filesize
168KB

MD5
7ee419c400e5468d68b3ff2c8b740c0a

SHA1
c3f9360d32b2b0c022bdcccaaf67ce0ce9c70776

SHA256
d386c20461d5f11973d81decba9f71bbcd25d2ebe4be34c1d406ef76a1794b55

SHA512
eb4ce21181570ed85db06abb20526bb557901ba83f22cef56b83218cb6a69b42aa40c72852fdfce49c563571919087936ec3e780b7e6b5a26de28428550352c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads