cdec75d84293d2420dcbde6aabe333fad821752c0b43643a4e57e00630a42567

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe
Size

197KB
MD5

19af4b70248ed5cf9ddccefba91d7334
SHA1

93ed4027715ed026c0721dbc8c46508d11ee01e4
SHA256

cdec75d84293d2420dcbde6aabe333fad821752c0b43643a4e57e00630a42567
SHA512

fa2dab702bc48adde1e7c6028faa1563fd712b1c69f83ffb66fe2d138383acd5eaa106477df334da9bc68bf4cf16b4356cfb767bec144a548a35045031f362b7
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGvlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014323-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014502-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014323-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014662-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014323-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014323-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014323-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}\stubpath = "C:\\Windows\\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe"	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}\stubpath = "C:\\Windows\\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe"	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}\stubpath = "C:\\Windows\\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe"	{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}\stubpath = "C:\\Windows\\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe"	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}\stubpath = "C:\\Windows\\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe"	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5793A14B-9905-4d16-95A7-CA346142AF93}\stubpath = "C:\\Windows\\{5793A14B-9905-4d16-95A7-CA346142AF93}.exe"	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}	{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}\stubpath = "C:\\Windows\\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}.exe"	{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}\stubpath = "C:\\Windows\\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe"	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C9326AA-6584-47bb-AB64-7ACB853128A8}\stubpath = "C:\\Windows\\{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe"	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}\stubpath = "C:\\Windows\\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe"	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}	{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}	{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5793A14B-9905-4d16-95A7-CA346142AF93}	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C9326AA-6584-47bb-AB64-7ACB853128A8}	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}\stubpath = "C:\\Windows\\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe"	{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
2368	{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe
2268	{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
1744	{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe
1500	{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
File created	C:\Windows\{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
File created	C:\Windows\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
File created	C:\Windows\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}.exe	{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe
File created	C:\Windows\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe	{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
File created	C:\Windows\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe
File created	C:\Windows\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
File created	C:\Windows\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
File created	C:\Windows\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
File created	C:\Windows\{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
File created	C:\Windows\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe	{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
Token: SeIncBasePriorityPrivilege	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
Token: SeIncBasePriorityPrivilege	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
Token: SeIncBasePriorityPrivilege	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
Token: SeIncBasePriorityPrivilege	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
Token: SeIncBasePriorityPrivilege	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
Token: SeIncBasePriorityPrivilege	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
Token: SeIncBasePriorityPrivilege	2368	{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe
Token: SeIncBasePriorityPrivilege	2268	{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
Token: SeIncBasePriorityPrivilege	1744	{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2656	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	28
PID 2984 wrote to memory of 2656	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	28
PID 2984 wrote to memory of 2656	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	28
PID 2984 wrote to memory of 2656	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	28
PID 2984 wrote to memory of 2596	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	29
PID 2984 wrote to memory of 2596	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	29
PID 2984 wrote to memory of 2596	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	29
PID 2984 wrote to memory of 2596	2984	2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe	29
PID 2656 wrote to memory of 3028	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	30
PID 2656 wrote to memory of 3028	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	30
PID 2656 wrote to memory of 3028	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	30
PID 2656 wrote to memory of 3028	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	30
PID 2656 wrote to memory of 2560	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	31
PID 2656 wrote to memory of 2560	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	31
PID 2656 wrote to memory of 2560	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	31
PID 2656 wrote to memory of 2560	2656	{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe	31
PID 3028 wrote to memory of 2680	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	32
PID 3028 wrote to memory of 2680	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	32
PID 3028 wrote to memory of 2680	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	32
PID 3028 wrote to memory of 2680	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	32
PID 3028 wrote to memory of 2616	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	33
PID 3028 wrote to memory of 2616	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	33
PID 3028 wrote to memory of 2616	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	33
PID 3028 wrote to memory of 2616	3028	{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe	33
PID 2680 wrote to memory of 2336	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	36
PID 2680 wrote to memory of 2336	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	36
PID 2680 wrote to memory of 2336	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	36
PID 2680 wrote to memory of 2336	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	36
PID 2680 wrote to memory of 2404	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	37
PID 2680 wrote to memory of 2404	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	37
PID 2680 wrote to memory of 2404	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	37
PID 2680 wrote to memory of 2404	2680	{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe	37
PID 2336 wrote to memory of 2628	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	38
PID 2336 wrote to memory of 2628	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	38
PID 2336 wrote to memory of 2628	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	38
PID 2336 wrote to memory of 2628	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	38
PID 2336 wrote to memory of 2836	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	39
PID 2336 wrote to memory of 2836	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	39
PID 2336 wrote to memory of 2836	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	39
PID 2336 wrote to memory of 2836	2336	{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe	39
PID 2628 wrote to memory of 2408	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	40
PID 2628 wrote to memory of 2408	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	40
PID 2628 wrote to memory of 2408	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	40
PID 2628 wrote to memory of 2408	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	40
PID 2628 wrote to memory of 1288	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	41
PID 2628 wrote to memory of 1288	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	41
PID 2628 wrote to memory of 1288	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	41
PID 2628 wrote to memory of 1288	2628	{5793A14B-9905-4d16-95A7-CA346142AF93}.exe	41
PID 2408 wrote to memory of 1660	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	42
PID 2408 wrote to memory of 1660	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	42
PID 2408 wrote to memory of 1660	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	42
PID 2408 wrote to memory of 1660	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	42
PID 2408 wrote to memory of 1968	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	43
PID 2408 wrote to memory of 1968	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	43
PID 2408 wrote to memory of 1968	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	43
PID 2408 wrote to memory of 1968	2408	{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe	43
PID 1660 wrote to memory of 2368	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	44
PID 1660 wrote to memory of 2368	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	44
PID 1660 wrote to memory of 2368	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	44
PID 1660 wrote to memory of 2368	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	44
PID 1660 wrote to memory of 1536	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	45
PID 1660 wrote to memory of 1536	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	45
PID 1660 wrote to memory of 1536	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	45
PID 1660 wrote to memory of 1536	1660	{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_19af4b70248ed5cf9ddccefba91d7334_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
  C:\Windows\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
    C:\Windows\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
      C:\Windows\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
        
        C:\Windows\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
        
        C:\Windows\{5793A14B-9905-4d16-95A7-CA346142AF93}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
        
        C:\Windows\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
        
        C:\Windows\{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe
        
        C:\Windows\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
        
        C:\Windows\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe
        
        C:\Windows\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}.exe
        
        C:\Windows\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBB71~1.EXE > nul
        12⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39CD3~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D11D~1.EXE > nul
        10⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C932~1.EXE > nul
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE93~1.EXE > nul
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5793A~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0B1~1.EXE > nul
        6⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CDDD~1.EXE > nul
        5⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5E4F2~1.EXE > nul
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7769F~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CDDD677-9F7F-4121-B0F5-E76D5A0D69E6}.exe

Filesize
197KB

MD5
3bb984704ae358a3f0500dbc39f66275

SHA1
71ff5131f737c805556cd77617a0e68feb3ca117

SHA256
11d44f20c1aa3aa0ce54f75e7f6c6bf37d0d17ffab67a0938bb71735196f2ebb

SHA512
9d16ea6c536daf3ccd7b07ddede086758e99770e7ed718109b0b628f35a3d2ade753a05bac102a102f811b8eed4157b12cbf0783f2b09f0ae1a4f06355ab1515

Download Submit
C:\Windows\{36FEE3BA-56B3-4c2a-9DA6-FB1FDE1485B1}.exe

Filesize
197KB

MD5
1e3931ba223725c7029c6599b199d905

SHA1
ec1525a45b6f3744cb2d9aa89c6317e22b766d25

SHA256
8ed7fcc39ea0748fd9fedc4a284a8b3c90af224eb5c66ace3e859ab03e8fbb00

SHA512
62281b01d439f6e0c14050b84231544ee849a8da5bc2e65aceb5da3728901012cdba53490fece996351a407d08b16145da1deb2850ae1bf885c9932e1494c23b

Download Submit
C:\Windows\{39CD33C4-8DFF-4039-9AB5-7C6596896B5B}.exe

Filesize
197KB

MD5
2d061ed815a4b1052cd01ea6d03fcfed

SHA1
33a8d2f17a4151835170b444c24309d0e0f468ba

SHA256
5df65678c1de1cf527121a647479d153a87daaf08eb139067abb4cd844abb2b5

SHA512
7a6af6ce477a3bef7e84cf6b25b53024fc5f57405b6c46c84e8de53517c85afa87955a5bbe4f7cbedd670e5473ffb15c52fcf4a5633f5cccfbe40fc8e8e1e4d7

Download Submit
C:\Windows\{4C9326AA-6584-47bb-AB64-7ACB853128A8}.exe

Filesize
197KB

MD5
2eecfa0d7d89625f3a1a91d7dc8abd67

SHA1
8e30f737abbe529515e1e568f0cf973c499c9158

SHA256
bcf03efaa37252c74e4fe2e4d82b35572c5aa3e5844df0f8601bf6b35966dbd3

SHA512
449722dc8f59a0cad2b1ba23b159b56d2cd574cfdcbe486cabe6dcf401d1ba6146e2d74e9b3ed365ccd30bf6e169365cefba0548771bc91c4bfdc7db1ef38360

Download Submit
C:\Windows\{5793A14B-9905-4d16-95A7-CA346142AF93}.exe

Filesize
197KB

MD5
a0c81d06e6ae739147bed33f0a7eea6d

SHA1
c8786c9e167b7f0e0a031c4f4c721fd11f6848b2

SHA256
aff97fb7c24699adc57c39132eea931cc9619c780e422f4ce8c05487fb5d3e73

SHA512
f636472057b3a37035722a90856346f7aca04350308fa3ac641abeef80917613ad7b617f56d110b2a1b71b4052e66b0b170fb38ab555f7646fbe573e60aca3c5

Download Submit
C:\Windows\{5D11D12F-614A-4308-AB4C-5F932EDF6ED8}.exe

Filesize
197KB

MD5
606d9ff327e8cfb07489a76c4c5acc25

SHA1
84f0bc27da216abda457f086de8cc25db5dbe089

SHA256
16acb816586cc33ed960e7afaacf3576f389264c6bbdc36c433a1a26e1d4468b

SHA512
acbf6e5d687b02d495fcff862bebb91d02df349642ae9c075e3735811b9b4f395deb46db37ac9eec52bb445c0c117512886c5cebb6adb12e32d0103bf40a683d

Download Submit
C:\Windows\{5E4F2B5F-D73C-46d7-8BE1-CCB69D35306B}.exe

Filesize
197KB

MD5
501b8d472db4a058335b9ba906784d7c

SHA1
8075f94deabbf15e3cd5190320b666ae04d2ebac

SHA256
b7c58a1a3879ca9d827362b05f5b28e67d4a3a8502ac41567f55ec21d7f93be2

SHA512
239f94ae1a3300a1fb11ca59fd435c413e2917eb1c5ffce47ce27d2dfc37f1a9b42fe52723d84de4fa959dee3f8e5f2daef589723d6f402879a7183573331834

Download Submit
C:\Windows\{7769F9C4-EB77-4c6a-909F-1EE42A0BCD68}.exe

Filesize
197KB

MD5
15e6e9fe92e45adefb13ee6a0e7558ed

SHA1
b0f9e5abc66f9d16070e94df489406d7b781bd9a

SHA256
f8ce1127468549dcaaa585c3131aa1a9523a87a4dc39a8fd3719aaebc760dcba

SHA512
bea3d1821a7911733667405d7bcf761ae9b10cc5c96f5da29f86bab86fadb0914e3c9fed36486295f4e7365e37403163d60af579bb8b40a578d3f7e979b3fa45

Download Submit
C:\Windows\{BB0B158E-38A3-4c93-ADB6-42FB55F9DF22}.exe

Filesize
197KB

MD5
1529bd50ead674810c53fb66011efe57

SHA1
721cc627568d109f6e3490dca8d6a72121063010

SHA256
1fea49fdafa5f8f3f8c2b8e243d46d3779155021dec60091bfb1f3b90ef3003e

SHA512
ec4134c527f12e09a0907d73194e3bca9254482d3fde2e9934c6f0aa41c4c9a8b7191f88741859ed54659a96f1ad93f3c67e3f6a3554a2a940107394690ddd51

Download Submit
C:\Windows\{BBE933B2-37F3-492b-A1EC-24F1D4D961A8}.exe

Filesize
197KB

MD5
4c448c91c6b2223af43b8cca38d896ae

SHA1
20237647bd5b0012578b26956a50a56f3b504638

SHA256
4ebdd8df315f40136154a9ee649d40e85c97d19c4a91f6ba63f6960f4494e968

SHA512
20243e2f72419f4e7289fe05a85a89abfe26d4ad724f707b438698db2316471aa5cc463e9a14b652003500656b424f05780db27bdbd51db3d043fe33f16c9e44

Download Submit
C:\Windows\{FBB71DE0-F894-4b38-B8BE-A61B96C65B52}.exe

Filesize
197KB

MD5
ea5622c03fdfa0cb8f9b1e04b57fbef6

SHA1
8064ec25e70fb117aec050818ef03053ce9e74d9

SHA256
2c1af175c0d0380d02347ccb694a99d5c5b9e68a6b99a2444d433df99b630b23

SHA512
01aa0242c268593d2c08d0c44be82c4c932b9580d1d0bf80edc084268eab7c35c642bfb92ff5c6f9e1fae265f2ec9cf5ae82f72a89f11629be99451a2daa44fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads