ccd1f28296203b60433205d7fe8f7e8a5123cbbec610b41e62f03a81c13dd238

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Size

168KB
MD5

b70c6bde26ef83834f16076bc248a2d4
SHA1

af748f866f88a5de7a239057a6c54df2e061b843
SHA256

ccd1f28296203b60433205d7fe8f7e8a5123cbbec610b41e62f03a81c13dd238
SHA512

bc496ca2dec7018f321a7cd08c2663a98e94d63efed9cb2c1b2d40a3e55662d6aebd08898143d8b05c1b31b0cc373ad73089e6ef03415d3a7b219c374229b372
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000142bc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}\stubpath = "C:\\Windows\\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe"	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C169DF2-70EA-479a-930E-02A80352E4FE}	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C169DF2-70EA-479a-930E-02A80352E4FE}\stubpath = "C:\\Windows\\{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe"	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765D15D-DE41-4bbc-A556-D7467564E92D}\stubpath = "C:\\Windows\\{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe"	{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}\stubpath = "C:\\Windows\\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe"	{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765D15D-DE41-4bbc-A556-D7467564E92D}	{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE135210-79CA-45e6-ADBF-54551B652A5B}	{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}\stubpath = "C:\\Windows\\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe"	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4752D898-9061-4888-93FE-DBF3E12E2468}	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4752D898-9061-4888-93FE-DBF3E12E2468}\stubpath = "C:\\Windows\\{4752D898-9061-4888-93FE-DBF3E12E2468}.exe"	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}\stubpath = "C:\\Windows\\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe"	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE135210-79CA-45e6-ADBF-54551B652A5B}\stubpath = "C:\\Windows\\{BE135210-79CA-45e6-ADBF-54551B652A5B}.exe"	{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}\stubpath = "C:\\Windows\\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe"	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}\stubpath = "C:\\Windows\\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe"	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}\stubpath = "C:\\Windows\\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe"	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}	{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
1368	{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
2024	{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe
1888	{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe
1496	{BE135210-79CA-45e6-ADBF-54551B652A5B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
File created	C:\Windows\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
File created	C:\Windows\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe	{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe
File created	C:\Windows\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
File created	C:\Windows\{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
File created	C:\Windows\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
File created	C:\Windows\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
File created	C:\Windows\{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
File created	C:\Windows\{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe	{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
File created	C:\Windows\{BE135210-79CA-45e6-ADBF-54551B652A5B}.exe	{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe
File created	C:\Windows\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
Token: SeIncBasePriorityPrivilege	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
Token: SeIncBasePriorityPrivilege	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
Token: SeIncBasePriorityPrivilege	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
Token: SeIncBasePriorityPrivilege	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
Token: SeIncBasePriorityPrivilege	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
Token: SeIncBasePriorityPrivilege	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
Token: SeIncBasePriorityPrivilege	1368	{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
Token: SeIncBasePriorityPrivilege	2024	{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe
Token: SeIncBasePriorityPrivilege	1888	{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2892	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	28
PID 3044 wrote to memory of 2892	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	28
PID 3044 wrote to memory of 2892	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	28
PID 3044 wrote to memory of 2892	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	28
PID 3044 wrote to memory of 3036	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	29
PID 3044 wrote to memory of 3036	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	29
PID 3044 wrote to memory of 3036	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	29
PID 3044 wrote to memory of 3036	3044	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	29
PID 2892 wrote to memory of 2780	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	30
PID 2892 wrote to memory of 2780	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	30
PID 2892 wrote to memory of 2780	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	30
PID 2892 wrote to memory of 2780	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	30
PID 2892 wrote to memory of 2624	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	31
PID 2892 wrote to memory of 2624	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	31
PID 2892 wrote to memory of 2624	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	31
PID 2892 wrote to memory of 2624	2892	{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe	31
PID 2780 wrote to memory of 2676	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	32
PID 2780 wrote to memory of 2676	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	32
PID 2780 wrote to memory of 2676	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	32
PID 2780 wrote to memory of 2676	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	32
PID 2780 wrote to memory of 2600	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	33
PID 2780 wrote to memory of 2600	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	33
PID 2780 wrote to memory of 2600	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	33
PID 2780 wrote to memory of 2600	2780	{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe	33
PID 2676 wrote to memory of 2508	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	36
PID 2676 wrote to memory of 2508	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	36
PID 2676 wrote to memory of 2508	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	36
PID 2676 wrote to memory of 2508	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	36
PID 2676 wrote to memory of 1532	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	37
PID 2676 wrote to memory of 1532	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	37
PID 2676 wrote to memory of 1532	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	37
PID 2676 wrote to memory of 1532	2676	{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe	37
PID 2508 wrote to memory of 2944	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	38
PID 2508 wrote to memory of 2944	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	38
PID 2508 wrote to memory of 2944	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	38
PID 2508 wrote to memory of 2944	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	38
PID 2508 wrote to memory of 2916	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	39
PID 2508 wrote to memory of 2916	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	39
PID 2508 wrote to memory of 2916	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	39
PID 2508 wrote to memory of 2916	2508	{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe	39
PID 2944 wrote to memory of 1540	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	40
PID 2944 wrote to memory of 1540	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	40
PID 2944 wrote to memory of 1540	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	40
PID 2944 wrote to memory of 1540	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	40
PID 2944 wrote to memory of 1328	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	41
PID 2944 wrote to memory of 1328	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	41
PID 2944 wrote to memory of 1328	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	41
PID 2944 wrote to memory of 1328	2944	{4752D898-9061-4888-93FE-DBF3E12E2468}.exe	41
PID 1540 wrote to memory of 632	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	42
PID 1540 wrote to memory of 632	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	42
PID 1540 wrote to memory of 632	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	42
PID 1540 wrote to memory of 632	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	42
PID 1540 wrote to memory of 1668	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	43
PID 1540 wrote to memory of 1668	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	43
PID 1540 wrote to memory of 1668	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	43
PID 1540 wrote to memory of 1668	1540	{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe	43
PID 632 wrote to memory of 1368	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	44
PID 632 wrote to memory of 1368	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	44
PID 632 wrote to memory of 1368	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	44
PID 632 wrote to memory of 1368	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	44
PID 632 wrote to memory of 1416	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	45
PID 632 wrote to memory of 1416	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	45
PID 632 wrote to memory of 1416	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	45
PID 632 wrote to memory of 1416	632	{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
  C:\Windows\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
    C:\Windows\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
      C:\Windows\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
        
        C:\Windows\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
        
        C:\Windows\{4752D898-9061-4888-93FE-DBF3E12E2468}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
        
        C:\Windows\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
        
        C:\Windows\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
        
        C:\Windows\{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe
        
        C:\Windows\{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe
        
        C:\Windows\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37E75~1.EXE > nul
        12⤵
        
        PID:1068
        
        C:\Windows\{BE135210-79CA-45e6-ADBF-54551B652A5B}.exe
        
        C:\Windows\{BE135210-79CA-45e6-ADBF-54551B652A5B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6765D~1.EXE > nul
        11⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C169~1.EXE > nul
        10⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEFDB~1.EXE > nul
        9⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74DE2~1.EXE > nul
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4752D~1.EXE > nul
        7⤵
        
        PID:1328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F20~1.EXE > nul
        6⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FABD~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66804~1.EXE > nul
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C54~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{37E75AB4-6ED2-42af-94DF-FF73E1E7177D}.exe

Filesize
168KB

MD5
7b0bee9b5af1ed6197b767c8f0ff3de6

SHA1
bd20dc62b0e654f1b76ecb067edf9fc9aa0090d5

SHA256
1d76be4beb3f6f352e1b6f9880ee6c25c37801f55bbaf969cce417abc9e263d9

SHA512
4cab6a56b1b0459990db1e2b492fb03c59f114589dd180bb4e86caf6834fab3dbc0e01a65be04e466d6f831a2da21482aef9f468d2ff9bce7da62c612443eae8

Download Submit
C:\Windows\{4752D898-9061-4888-93FE-DBF3E12E2468}.exe

Filesize
168KB

MD5
e11dd38e61a432140f026502b55606bf

SHA1
f9f585df584549e8cb9f5e033e7c67878ad5a989

SHA256
8bea3fc98ee9c742bbb96e83cc696375e01bfc37f61ee2fb8fd143cd89736558

SHA512
322504a3bace656e87ede6bb92dc8cf1e799c9d257bb6a790a6104897174d1eebdc22b258edb76bd3a1096627ed1995d3dcf000ab336c97fd5663c581d8b0b62

Download Submit
C:\Windows\{66804BD4-BEFA-46e8-85DC-D94EF19B2F7F}.exe

Filesize
168KB

MD5
42f5f141f1b32e2df187ec5c409d51cb

SHA1
a3996bc4c74de9827af5e2219aa9457b7bcb5d0f

SHA256
4660884b5f2483768124e5c04b1258871454b00db96c86545c05373be02c007b

SHA512
9aa5dc323648e35b506772b3f371d237d3bcfa1d1384625783503c621589bdcd026d11fa94ff1423c123b1ddb8bc7da8838e2261e5a2f376c69993cbe961bee3

Download Submit
C:\Windows\{6765D15D-DE41-4bbc-A556-D7467564E92D}.exe

Filesize
168KB

MD5
97774ed61ce4fecdeb3788fa8c3ecf36

SHA1
e2707554b24a084e43be9dbf1cb9ef0a081ec316

SHA256
d0368b4f50ef4e441f5f2c2ffc8c2583394395d6fd87c85f557943f6861f6723

SHA512
b0a643cadb865bdb1177b2a4cd9df2aa46ee82f86b22cb477a8ccf36ac58a89ef3cb3c40418d8e2f50df6f447c80ceeb6deaa8656485f4ac06512ef361e8396f

Download Submit
C:\Windows\{74DE2A9E-66BD-476a-BF38-1DE0DF7931E7}.exe

Filesize
168KB

MD5
3c2dc44aca05923b5fcfe3840810ce10

SHA1
4257656f9046481ac75c15365c973b9cbeac14fd

SHA256
60554f83398b5ac556d8e60c0acf9d6486690e75b7dc83304cd8083e85b38d36

SHA512
09f97ad45033e04b1745678a12ba48c9b8cf3223dee107b951d0294586857f751ff76e03d9a3bfd257bf618ed83f2247ba28112d19960e751dc5b6a89d192af1

Download Submit
C:\Windows\{8C169DF2-70EA-479a-930E-02A80352E4FE}.exe

Filesize
168KB

MD5
cc8895f62871787fbff4152f02d30080

SHA1
6ee88c59259ecc02b0ea98f9f78f9bb431240623

SHA256
5adb81eabae130a17f0ce7e24f9ed50ca2b6f9a94bb9d1235e63823bc5d5f99e

SHA512
429a6ebeb29fba10686cf8aca9a8a8a0083e47db18951552e34f5af4826816bd6dcfebaa167504ffb97703a28dc32703c03a1b31b5c30825c3196bbc028882b2

Download Submit
C:\Windows\{9FABDE80-F93D-4cff-B9A5-1BFE17D487F6}.exe

Filesize
168KB

MD5
38e8c88aaac7f1f3c31f47a7b0722368

SHA1
80dc7c35d687cfb172c0cf3d7e843b1e7478e42b

SHA256
f7556562f0a5d7dde3de20813a8dbbd25a49d63d3fbf471ae71dfcfb07548de1

SHA512
870dfcd4a1465a77c7a8b22f04f7e274eb21b895c21f02dd7affc42ab6b83ba2f35ca6d29535118d154ed1014fed438c42e46ba9759d611d49e705fc8245ed0b

Download Submit
C:\Windows\{BE135210-79CA-45e6-ADBF-54551B652A5B}.exe

Filesize
168KB

MD5
4310da25d618c4a922af69422fae897c

SHA1
c34f31329803b9970b6f738b70af0882cbf81a56

SHA256
9bc21ab3bfd9e37dfb9c07b02c737017e1d005daca9533c35596f6e5adf95ce0

SHA512
3242c713a2a848a21aaf564eaed11e6b8e0b012aea4c24ffaf3c351653761a8de85ba329349a7dd0049f82ba29214f95a35bd76257287109493b893d3c49ab47

Download Submit
C:\Windows\{C3F20754-67B7-4ffc-99FD-DBE132FD1DDB}.exe

Filesize
168KB

MD5
acf1897a904743845b341d979b69366c

SHA1
d7e8455f165ba47fcfa07c7418daf052e84e9391

SHA256
1136777f24576303de2c21ab85ec85e96945b67544773f31e56024d51e1cf361

SHA512
0bf8f1acab02b9a63de9944e0894c24c311cf0006f88c231f80e6308dbfea6b71be4309bc2b1a41e343a100357aeeb3a4f02a2ec68334d74db8da061c25f4fb4

Download Submit
C:\Windows\{CEFDB038-3DB2-4055-B809-78505EA3F0F3}.exe

Filesize
168KB

MD5
934fbfdc69a3b1e44adb50c21aa6d6e0

SHA1
b89c61022ec85d454a7269a3a5a5ca33594de80a

SHA256
9d767e63c75f3d641a8b669fab133eef005afda5c25e5efa755359c1295c84aa

SHA512
b1de29898df805ed047c6995e3d45b0660a9838885cebf74c21787189a0c3fe28ee21361a958a367ca9f9355afbb24cd338c25adb9365baf889e9bfe94e7ea63

Download Submit
C:\Windows\{E4C542FD-4256-49a4-B187-393B4A2F9F4A}.exe

Filesize
168KB

MD5
a6071e6763dc3c52d6c975f15595b8fc

SHA1
fca264b8fa483155e735e60f4494c815121710ba

SHA256
2a266ca25d403f8156c7af008d4ed0bd1de62c91858f5f2801c7561455dc1ae4

SHA512
ee8340eddf2fcab4d812f17e68a66cb0137359290619801975e77bd3246628b2b5621ff1f084c2a5df83e83aa46361c393721bdbc7201ebf6e7e052b0d7f6292

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads