a367e49b4f96743627510f18a0c7536b8e85fa00aa15b0e3dfe4f5beba666b16

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Size

204KB
MD5

49e034e10f53b6ab9332e4e3424400c2
SHA1

1149b59d76b478aa33e6858531c5a4d468b03c62
SHA256

a367e49b4f96743627510f18a0c7536b8e85fa00aa15b0e3dfe4f5beba666b16
SHA512

34f25244e146ff26155579fcfa6f53be00ad786f58f359b8e010fe706327672195f0bfa1dcc1c7b2407a81a4e97edbf300e46b566aa25cb3bb68a2e828848e85
SSDEEP

1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ool1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000155f7-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c6b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000155f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c78-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000155f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000155f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000155f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}\stubpath = "C:\\Windows\\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe"	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}\stubpath = "C:\\Windows\\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe"	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60C07C88-A951-4146-A02E-0A9D98D49BDC}	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}\stubpath = "C:\\Windows\\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe"	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}\stubpath = "C:\\Windows\\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe"	{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60C07C88-A951-4146-A02E-0A9D98D49BDC}\stubpath = "C:\\Windows\\{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe"	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}\stubpath = "C:\\Windows\\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe"	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}	{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}\stubpath = "C:\\Windows\\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe"	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}\stubpath = "C:\\Windows\\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe"	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}\stubpath = "C:\\Windows\\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}.exe"	{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}\stubpath = "C:\\Windows\\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe"	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}	{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}\stubpath = "C:\\Windows\\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe"	{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}	{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe

Deletes itself 1 IoCs

pid	Process
848	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe
2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
2988	{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
2264	{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
1164	{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe
2972	{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
File created	C:\Windows\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
File created	C:\Windows\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
File created	C:\Windows\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe	{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
File created	C:\Windows\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe	{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
File created	C:\Windows\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}.exe	{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe
File created	C:\Windows\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
File created	C:\Windows\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
File created	C:\Windows\{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
File created	C:\Windows\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
File created	C:\Windows\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
Token: SeIncBasePriorityPrivilege	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
Token: SeIncBasePriorityPrivilege	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
Token: SeIncBasePriorityPrivilege	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
Token: SeIncBasePriorityPrivilege	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
Token: SeIncBasePriorityPrivilege	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe
Token: SeIncBasePriorityPrivilege	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
Token: SeIncBasePriorityPrivilege	2988	{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
Token: SeIncBasePriorityPrivilege	2264	{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
Token: SeIncBasePriorityPrivilege	1164	{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2376	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	28
PID 2044 wrote to memory of 2376	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	28
PID 2044 wrote to memory of 2376	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	28
PID 2044 wrote to memory of 2376	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	28
PID 2044 wrote to memory of 848	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	29
PID 2044 wrote to memory of 848	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	29
PID 2044 wrote to memory of 848	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	29
PID 2044 wrote to memory of 848	2044	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	29
PID 2376 wrote to memory of 2624	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	30
PID 2376 wrote to memory of 2624	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	30
PID 2376 wrote to memory of 2624	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	30
PID 2376 wrote to memory of 2624	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	30
PID 2376 wrote to memory of 2480	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	31
PID 2376 wrote to memory of 2480	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	31
PID 2376 wrote to memory of 2480	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	31
PID 2376 wrote to memory of 2480	2376	{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe	31
PID 2624 wrote to memory of 2748	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	32
PID 2624 wrote to memory of 2748	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	32
PID 2624 wrote to memory of 2748	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	32
PID 2624 wrote to memory of 2748	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	32
PID 2624 wrote to memory of 2608	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	33
PID 2624 wrote to memory of 2608	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	33
PID 2624 wrote to memory of 2608	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	33
PID 2624 wrote to memory of 2608	2624	{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe	33
PID 2748 wrote to memory of 2212	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	36
PID 2748 wrote to memory of 2212	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	36
PID 2748 wrote to memory of 2212	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	36
PID 2748 wrote to memory of 2212	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	36
PID 2748 wrote to memory of 1956	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	37
PID 2748 wrote to memory of 1956	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	37
PID 2748 wrote to memory of 1956	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	37
PID 2748 wrote to memory of 1956	2748	{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe	37
PID 2212 wrote to memory of 1768	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	38
PID 2212 wrote to memory of 1768	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	38
PID 2212 wrote to memory of 1768	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	38
PID 2212 wrote to memory of 1768	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	38
PID 2212 wrote to memory of 808	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	39
PID 2212 wrote to memory of 808	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	39
PID 2212 wrote to memory of 808	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	39
PID 2212 wrote to memory of 808	2212	{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe	39
PID 1768 wrote to memory of 2460	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	40
PID 1768 wrote to memory of 2460	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	40
PID 1768 wrote to memory of 2460	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	40
PID 1768 wrote to memory of 2460	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	40
PID 1768 wrote to memory of 1912	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	41
PID 1768 wrote to memory of 1912	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	41
PID 1768 wrote to memory of 1912	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	41
PID 1768 wrote to memory of 1912	1768	{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe	41
PID 2460 wrote to memory of 2808	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	42
PID 2460 wrote to memory of 2808	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	42
PID 2460 wrote to memory of 2808	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	42
PID 2460 wrote to memory of 2808	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	42
PID 2460 wrote to memory of 1324	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	43
PID 2460 wrote to memory of 1324	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	43
PID 2460 wrote to memory of 1324	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	43
PID 2460 wrote to memory of 1324	2460	{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe	43
PID 2808 wrote to memory of 2988	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	44
PID 2808 wrote to memory of 2988	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	44
PID 2808 wrote to memory of 2988	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	44
PID 2808 wrote to memory of 2988	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	44
PID 2808 wrote to memory of 2860	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	45
PID 2808 wrote to memory of 2860	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	45
PID 2808 wrote to memory of 2860	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	45
PID 2808 wrote to memory of 2860	2808	{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
  C:\Windows\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
    C:\Windows\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
      C:\Windows\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
        
        C:\Windows\{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
        
        C:\Windows\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe
        
        C:\Windows\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
        
        C:\Windows\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
        
        C:\Windows\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
        
        C:\Windows\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe
        
        C:\Windows\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}.exe
        
        C:\Windows\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92BA9~1.EXE > nul
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04081~1.EXE > nul
        11⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76F0D~1.EXE > nul
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBA4~1.EXE > nul
        9⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8829D~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC6F0~1.EXE > nul
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60C07~1.EXE > nul
        6⤵
        
        PID:808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9CFB~1.EXE > nul
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA140~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2333~1.EXE > nul
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04081B1A-94D2-4e7e-8BCD-0BD083EDE848}.exe

Filesize
204KB

MD5
51903716137815a0fb8b092151980162

SHA1
a821351ddb3beeaa9d1505f8c58375c1cbe30162

SHA256
c229489d46ac9945af20aab6d46438cabd1c8dc5b424db15cd85bc4c22c2e7ef

SHA512
6fc889dadad44ef4c5bd791cc694b177c4bfd3374496b1e9e6410bbdd9fe65ad83c5e50af3f23066b86d706b1974d95e88498702276e3b9935cce86836acd079

Download Submit
C:\Windows\{26859C9E-64B7-4ca7-A40B-77BC0F10E9AC}.exe

Filesize
204KB

MD5
eb5caca5a55238ca5506ad84a8d40a27

SHA1
567e0c6061f85bcc141ea191c41fbd7a40aa56aa

SHA256
37df483d85ab1b93b86d3ed219fcfab1ca92a5f0cf8095e15863090dc88e9a28

SHA512
42e44393fbdc907a32a7a1b68989a2cb8f5f069c9c33e80120f63f81701117f9faa87937c07ecd5255aa67354752971e2223720691ad982cbdea4cee85166e2d

Download Submit
C:\Windows\{60C07C88-A951-4146-A02E-0A9D98D49BDC}.exe

Filesize
204KB

MD5
a1cb1b1df24e8bd6b6ec261bab80da1e

SHA1
8639cb0fb5c16b436a0c77ffd690a9cb3b7eada5

SHA256
609e9ce05957b5abb113606b1c9e403b18f4ac3796cc3d3030ad85162cda6201

SHA512
2679a8d99591750a648ada793748e15897705c39741951af64414a6d39cfc5ab5ed66492affd4e3f13b1c26d5e4b59b87e61024b186d98e53d2c2242a1212e85

Download Submit
C:\Windows\{76F0DAC4-FD61-4a0d-9F30-D3A43056C7D1}.exe

Filesize
204KB

MD5
0cdfcad3d9f9542331bbc2a7b28252ff

SHA1
689f13f334f29617314015231d056f75a1a3f2ec

SHA256
7dd845ea491e650f1772a703b5f0976e003941019d8fdaa9a69c39436afd8b43

SHA512
f50ec3a36f05232e62014971880cc01a0b57394e02b30fea89fa764da727e70010f0d6f85ad4f21b59e6db3a286010b234b82e51eea8d0f9db76573af4e62b2a

Download Submit
C:\Windows\{8829DB36-AE80-419d-9904-DAEEFB1CD5B2}.exe

Filesize
204KB

MD5
dbb0f7b7c7d860c6fb71418f1ef9de63

SHA1
5a624499144f4d4ba0825b355db506d848579308

SHA256
755c6196f486a678cac55f623996ad560fbc8ce3eb79a385829b263384c40b1e

SHA512
a157beb177968462378fc81c298e0f5891f0ba736a0c6433d6678da321d386e7c79a2eda5bd7d00b09aeb8f6df14278016ddc5603b1c2bde8a8a976e1d946aa9

Download Submit
C:\Windows\{92BA9732-AC2E-43d1-BB78-6178A5CEA95B}.exe

Filesize
204KB

MD5
e4ee7b190a0e80b01e9015b224ef8d2b

SHA1
3cd4dc198d0b2389cb17ce2fb355082a55cf72c0

SHA256
bcd75ec3246d7f06ca28bb5822759eb806c8b9f86c961795074332cb94e805d1

SHA512
62ec7bda8619159029bf74dfe5167787c6ea5cc93cb32edfbaeac40710c616acbe82179862762c9ae5bf5c7092b9b2499ffce2b52fe0b8eb7f7425f492446bd9

Download Submit
C:\Windows\{A233368C-99AC-4f41-91A5-8B8C43B1ED56}.exe

Filesize
204KB

MD5
42be3f52b133a2e07a5370767b8b66b1

SHA1
38413a84877cab3b77e6017cb810e54a600fab86

SHA256
45190564014cd0135dee00a4518fc60824caed3af26d6d6032381243760235c9

SHA512
e65d5887e5c0953a64c6e243629c4cfbd09e1a6f1a84cb5e59c62a2ec9e4cdd3b19b57a06a9fe37e20516e73c1326cd7c8d11a1cb04c84b11f94cc1fff497fba

Download Submit
C:\Windows\{AC6F06F9-87C6-43b2-B038-B8C5BA7A1A2B}.exe

Filesize
204KB

MD5
086e08b6513f30f4e9e4e45b72a8109c

SHA1
10f9fc3ad377e4b348f61f8f2512ebd5dc839330

SHA256
8ba2734c58848d8d2026b67926252f7b0daac58d1204421385173d6e62f4b29f

SHA512
33a0f245e86a92dd567a9583ca82aae27e7a6f7900aca666db8931a3519e9a212d495eedbc59e2fbcea17081e9fcbdb8cf8232f07958cb239779083fe49d9bd5

Download Submit
C:\Windows\{CA1404C0-624C-499b-8CFA-4B9614DBCC2B}.exe

Filesize
204KB

MD5
0701b9b59eec15d6fa2e27fb588456a3

SHA1
be1b1bb1cc50ac26ed4ef06f30e043cb0280af83

SHA256
4c5a60f0180734400a10069f4d98ab885db7145f5a82be47a119e7957375dc6e

SHA512
db4b435f740141c91480f170073ecddcd74d7b331b2fa0350b6f4706533d4a6d64bf17385842b2cbd118b6aab066319547239e554c057b81c05702fa20008a82

Download Submit
C:\Windows\{E9CFB1E1-449C-4365-9EFC-6FADFFAC018B}.exe

Filesize
204KB

MD5
606be3368f8b62ddb973c0882cef1427

SHA1
0b606110aac6169c9570530c2919fff336c1d8f8

SHA256
8f2ac25d5cfdc7ed0c8f50cb2a312f6b2136488599adefdef7e8f5d178f2c9fe

SHA512
09a8bc1fbaf314e7e6deb55624e41f582744dd85e3ea43fd3213c3b125ecc867441195f29cbe384c1687c00017a3d16c375c9ec9c4f06ba215a5406d2559819e

Download Submit
C:\Windows\{FCBA4B78-0FD8-4217-85B9-BD78F4B8978B}.exe

Filesize
204KB

MD5
e8594e45389549a1ea45a9ff5f85f3aa

SHA1
bffac33d8f25bf60b4c74f0a7f2164d725d39cc8

SHA256
6bcc3c8dbcdf7b7fd6e02de79ac1b8a2fca958c6963d052ddb2cbe04265e2120

SHA512
9cccdbd20fa78b370dd18af83a12899794aa9c4900f69ab1d4e7507be1829dee48ebbae3cba0beb186674b757667b788b2793a5a430f03d79aabe89c9c6186dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads