3eaabd7967664f7f91ed19ec40f330542aef0d63cf1c17c35349ddff4b059325

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe
Size

408KB
MD5

a4fd30b8f04d30e209ef5201540c527f
SHA1

ad31316950455e6852e1c682b165fae5a11a3a0a
SHA256

3eaabd7967664f7f91ed19ec40f330542aef0d63cf1c17c35349ddff4b059325
SHA512

39f329744a2b1eb558f35475808b25e48a8dc49cc96f1262460292ba5104d2713ace2664b06890cfa8930e90761dd271c118a1f89840bf64b58529bd1c079c04
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGpldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001224d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001431b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}\stubpath = "C:\\Windows\\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe"	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}	{60201862-0798-4c56-A83A-C9EA954251AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}	{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}\stubpath = "C:\\Windows\\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe"	{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60201862-0798-4c56-A83A-C9EA954251AD}\stubpath = "C:\\Windows\\{60201862-0798-4c56-A83A-C9EA954251AD}.exe"	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}\stubpath = "C:\\Windows\\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe"	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}\stubpath = "C:\\Windows\\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe"	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}\stubpath = "C:\\Windows\\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}.exe"	{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}\stubpath = "C:\\Windows\\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe"	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60201862-0798-4c56-A83A-C9EA954251AD}	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}\stubpath = "C:\\Windows\\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe"	{60201862-0798-4c56-A83A-C9EA954251AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1171D927-DE03-4593-90E6-45D6BB9B28DA}	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1171D927-DE03-4593-90E6-45D6BB9B28DA}\stubpath = "C:\\Windows\\{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe"	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}\stubpath = "C:\\Windows\\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe"	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}	{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}\stubpath = "C:\\Windows\\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe"	{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}	{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe
1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
1324	{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
1260	{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
2780	{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe
384	{FC9FF998-CB9D-44e8-A299-63628C6CEE53}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{60201862-0798-4c56-A83A-C9EA954251AD}.exe	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
File created	C:\Windows\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	{60201862-0798-4c56-A83A-C9EA954251AD}.exe
File created	C:\Windows\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
File created	C:\Windows\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
File created	C:\Windows\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe
File created	C:\Windows\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
File created	C:\Windows\{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
File created	C:\Windows\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
File created	C:\Windows\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe	{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
File created	C:\Windows\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe	{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
File created	C:\Windows\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}.exe	{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
Token: SeIncBasePriorityPrivilege	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
Token: SeIncBasePriorityPrivilege	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe
Token: SeIncBasePriorityPrivilege	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
Token: SeIncBasePriorityPrivilege	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
Token: SeIncBasePriorityPrivilege	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
Token: SeIncBasePriorityPrivilege	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
Token: SeIncBasePriorityPrivilege	1324	{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
Token: SeIncBasePriorityPrivilege	1260	{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
Token: SeIncBasePriorityPrivilege	2780	{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3016	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	28
PID 3028 wrote to memory of 3016	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	28
PID 3028 wrote to memory of 3016	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	28
PID 3028 wrote to memory of 3016	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	28
PID 3028 wrote to memory of 2548	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	29
PID 3028 wrote to memory of 2548	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	29
PID 3028 wrote to memory of 2548	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	29
PID 3028 wrote to memory of 2548	3028	2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe	29
PID 3016 wrote to memory of 2524	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	30
PID 3016 wrote to memory of 2524	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	30
PID 3016 wrote to memory of 2524	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	30
PID 3016 wrote to memory of 2524	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	30
PID 3016 wrote to memory of 2964	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	31
PID 3016 wrote to memory of 2964	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	31
PID 3016 wrote to memory of 2964	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	31
PID 3016 wrote to memory of 2964	3016	{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe	31
PID 2524 wrote to memory of 2564	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	32
PID 2524 wrote to memory of 2564	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	32
PID 2524 wrote to memory of 2564	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	32
PID 2524 wrote to memory of 2564	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	32
PID 2524 wrote to memory of 2596	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	33
PID 2524 wrote to memory of 2596	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	33
PID 2524 wrote to memory of 2596	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	33
PID 2524 wrote to memory of 2596	2524	{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe	33
PID 2564 wrote to memory of 1856	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	36
PID 2564 wrote to memory of 1856	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	36
PID 2564 wrote to memory of 1856	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	36
PID 2564 wrote to memory of 1856	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	36
PID 2564 wrote to memory of 2592	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	37
PID 2564 wrote to memory of 2592	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	37
PID 2564 wrote to memory of 2592	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	37
PID 2564 wrote to memory of 2592	2564	{60201862-0798-4c56-A83A-C9EA954251AD}.exe	37
PID 1856 wrote to memory of 2724	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	38
PID 1856 wrote to memory of 2724	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	38
PID 1856 wrote to memory of 2724	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	38
PID 1856 wrote to memory of 2724	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	38
PID 1856 wrote to memory of 852	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	39
PID 1856 wrote to memory of 852	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	39
PID 1856 wrote to memory of 852	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	39
PID 1856 wrote to memory of 852	1856	{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe	39
PID 2724 wrote to memory of 2580	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	40
PID 2724 wrote to memory of 2580	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	40
PID 2724 wrote to memory of 2580	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	40
PID 2724 wrote to memory of 2580	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	40
PID 2724 wrote to memory of 548	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	41
PID 2724 wrote to memory of 548	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	41
PID 2724 wrote to memory of 548	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	41
PID 2724 wrote to memory of 548	2724	{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe	41
PID 2580 wrote to memory of 840	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	42
PID 2580 wrote to memory of 840	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	42
PID 2580 wrote to memory of 840	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	42
PID 2580 wrote to memory of 840	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	42
PID 2580 wrote to memory of 1580	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	43
PID 2580 wrote to memory of 1580	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	43
PID 2580 wrote to memory of 1580	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	43
PID 2580 wrote to memory of 1580	2580	{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe	43
PID 840 wrote to memory of 1324	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	44
PID 840 wrote to memory of 1324	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	44
PID 840 wrote to memory of 1324	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	44
PID 840 wrote to memory of 1324	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	44
PID 840 wrote to memory of 2020	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	45
PID 840 wrote to memory of 2020	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	45
PID 840 wrote to memory of 2020	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	45
PID 840 wrote to memory of 2020	840	{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_a4fd30b8f04d30e209ef5201540c527f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
  C:\Windows\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
    C:\Windows\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{60201862-0798-4c56-A83A-C9EA954251AD}.exe
      C:\Windows\{60201862-0798-4c56-A83A-C9EA954251AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
        
        C:\Windows\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
        
        C:\Windows\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
        
        C:\Windows\{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
        
        C:\Windows\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
        
        C:\Windows\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
        
        C:\Windows\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe
        
        C:\Windows\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}.exe
        
        C:\Windows\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}.exe
        12⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC5E~1.EXE > nul
        12⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89075~1.EXE > nul
        11⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5606B~1.EXE > nul
        10⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A1A8~1.EXE > nul
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1171D~1.EXE > nul
        8⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58A53~1.EXE > nul
        7⤵
        
        PID:548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96BD8~1.EXE > nul
        6⤵
        
        PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60201~1.EXE > nul
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E184~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A145~1.EXE > nul
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1171D927-DE03-4593-90E6-45D6BB9B28DA}.exe

Filesize
408KB

MD5
7f6c9d489383896ea1534db2d07ed80c

SHA1
f3d96873014a7f9641fbbb2718e26ee922af5984

SHA256
32c03fdcdd8c81a25703a6954db4f9883e561aa59bdc49aac16834957235fa5e

SHA512
1841c26acc532c25bb00b5b5b6e62c4ffb4638a58e95e468d79e5ed7bd6275ac1ac410ddda5ebe1381d0ac3bdea4a5a16afc5c8e97422b5ba156badeeb6e463c

Download Submit
C:\Windows\{2A1A87A1-C426-427f-9ECE-5B346E5E45B7}.exe

Filesize
408KB

MD5
e61db547a9a58e194182f972f4522048

SHA1
4ecd3ae6b914ad2d92cb4cb814b0bbd4c7c08af8

SHA256
5d27be61d82419aba95ab3720c3f2b3be5631355eae7d4e8a01724e6cce06af2

SHA512
06dc81b38bc742ddfc42accc43524958498f8509a5f8e46622358be50ad7d8d7fa70009206693ca774c00070b1ed610b1b4be47388cf059a813d1ddc5e0f8bc0

Download Submit
C:\Windows\{4E184F57-DA79-4d5a-9A6D-6329A6A4CFC3}.exe

Filesize
408KB

MD5
cd76cf6b93134fde8df985bfc5fe02fa

SHA1
bea9e67bd5b5b158ebd65adf8dd645bb4a4f26b0

SHA256
1b9dd56a4e1e448a10cd17995ffe9c754a8cd623adbc723b3e102b1539f8a540

SHA512
8f79be24a16bc4c339bc4779444aae6682040acc3f9589f3491b616a5926f7e65134e3d425728e6387d2754f3dde81b70e1145e6acb9e224b26f1e260e7caa77

Download Submit
C:\Windows\{5606B4F6-3CE4-43f8-99FF-19A58818C48F}.exe

Filesize
408KB

MD5
f99328994862cd13bb039cb792f730eb

SHA1
6095be0131749439ab0a0810c6e62f973ba35103

SHA256
c8da97ed77984d1d819a65e42527bffa875ff163aebec51bfd33a935f20cdfef

SHA512
66c691c550f6d538f997915459dfc04e187553d3c66b16fb4183617a8c7bf9c3a37f3a36a41f0ff6334aef783da8f45475ac823e72db40691f5b0ade94e09bf0

Download Submit
C:\Windows\{58A53BA7-85A6-48eb-B043-0E6D2C6B5B9B}.exe

Filesize
408KB

MD5
35a92839f4f4525e2362e1c7ad7c2d23

SHA1
43a841cb6e7422b2ccc5d646f243e2fddb524058

SHA256
16c7f26f3295eae94ef0ca9db6b2459fec9c68291ab6dc9912e2adfd295eb3a3

SHA512
298a67c2813f7073711fb45618dcb64752c5bba5f47654bb04660a8792c6668f8588a581041b1017b16111c3b36037dc78894dadf7c31e62307523152072720c

Download Submit
C:\Windows\{60201862-0798-4c56-A83A-C9EA954251AD}.exe

Filesize
408KB

MD5
a8ebf8b2def4d0b0533b1bb0dd3c2092

SHA1
bcf20539f84e8b26bfdf598a470c8f78290c32a2

SHA256
a62a1c98d1efb61ea9f49a598212bd772a1fb45829609b5cbd3ba73556cf1f14

SHA512
1acd76e8f89d372a93d42b0b67dc666d28b9e9f1a670257c6d041a43d8a882cdeed26334ccd2a0f3d2e1c7e43271b34d06fe81643025e51f85494007493ea6c0

Download Submit
C:\Windows\{890754BA-6BFF-410d-AD2F-5D07C5F0A62D}.exe

Filesize
408KB

MD5
4bc3f6032920f828a6789c40d76e5eb8

SHA1
b00aa344d672b63c79a3bbf48bc44577184a6ae6

SHA256
95571b12144754accadf59e576766fbf30294b47d91df22d699044672089c4bd

SHA512
f001ede4a0f852bf625c8b8f56cdbf2f3331e08582bbc15ed7fec6a03967c6088efa12ae7de8fa532662b0fc012a97f4e79704c3a231b613971b693a26b34520

Download Submit
C:\Windows\{96BD8B3F-16C0-4370-AB8B-B5580641F6ED}.exe

Filesize
408KB

MD5
ef105334816c2e7cf8e702ef6139c56a

SHA1
93a7e778fd0ebc579460a53088151f63c1e3e658

SHA256
8780009a658fec72fe6e13486582047ed2f85186c0ccde9bc3e2d12712f033d1

SHA512
b571b0b1004940f11232f0b661efd3e6a9c0c24bca488234a99e8a10bdbc8d7776d1aca0f58b57d7a1b2706de076a8493bc6ce4a60fac6608ae8511cfeb135aa

Download Submit
C:\Windows\{9A145A36-A9AD-43bb-B4CA-A661E24511C0}.exe

Filesize
408KB

MD5
355dd0074e10ea34a8e8b35248361d2a

SHA1
20a27e4a758916cfaa3b03aee278b517c69253c7

SHA256
07caaf3d6fbaa53045775addf57d6f2630c061428cccba678000b45fb4b80dfa

SHA512
35cb02685bdfef45d3bbe16c55193c4651161f08ae049a832657f7ee9202d005167b4b44b6f85c28c57b028f4b6172ea6892fefc1c16329346bf9e3e39cb9e5d

Download Submit
C:\Windows\{ADC5EAF2-B790-4046-A28B-1F142F5DB293}.exe

Filesize
408KB

MD5
6f5b90bab461a61edc31c560311e5c80

SHA1
fb9bb9d5a61fa93baf08eda26cec48e843c7d800

SHA256
b8e599b7686c956d77e9173dff2e0c32f6c868b4ba6dad767d26200630384016

SHA512
8bcccc79a1802f5fc4ae47bf80064e1a6b8a141458309c344e5dd400e2d8cd2308fc3cb7688a13ea28def280ab861291f5a647f752ed79a4baf420b28fdbdcaf

Download Submit
C:\Windows\{FC9FF998-CB9D-44e8-A299-63628C6CEE53}.exe

Filesize
408KB

MD5
c7b0a3264ba223b26dd45e90051f1a2d

SHA1
5a48288dcc2a0dee2a0cef4218353bfae27310ab

SHA256
c83e8deb2ef9da2045a9d620fc493b8e7a87646373c9f4a3c8567f5906cfafe9

SHA512
17b14ca22c1d6b943f5a35f23e78e6df84866779cab597807f71e4a22dd3bd0852e7ec7991f1c968ccdb11607bcaf7fe199ce8df112e343e8a9b8b21b2c7650a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads