88823641a1cd1e9989acaabd71dce2a1c2297e5a5075c323bef6feb88e3555cc

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe
Size

197KB
MD5

df791a96419e19c6634fd1dccd7ca66d
SHA1

add891511bfe7f9ae9e8e26c4a248193487895ed
SHA256

88823641a1cd1e9989acaabd71dce2a1c2297e5a5075c323bef6feb88e3555cc
SHA512

8f7b06adda8bb3a3010c808c3bb8db6a720249843f0e5f4b1384bd3431c88c4c4b52fc6550e5dbc38f972280bdc4577c56d2f1c59bfb6691db2625497a482583
SSDEEP

3072:jEGh0oyl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGUlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122bb-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000126af-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000126af-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122bb-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122bb-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001312a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122bb-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122bb-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000122bb-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}\stubpath = "C:\\Windows\\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe"	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E362CB61-97FF-4207-A456-E119C09C9DED}	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}	{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}\stubpath = "C:\\Windows\\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe"	{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{647738F7-AAE9-4018-B830-5CC10697ECA9}	{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE21076-E9EE-4353-B939-C40716AC790E}\stubpath = "C:\\Windows\\{BBE21076-E9EE-4353-B939-C40716AC790E}.exe"	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}\stubpath = "C:\\Windows\\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe"	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}\stubpath = "C:\\Windows\\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe"	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}\stubpath = "C:\\Windows\\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe"	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E362CB61-97FF-4207-A456-E119C09C9DED}\stubpath = "C:\\Windows\\{E362CB61-97FF-4207-A456-E119C09C9DED}.exe"	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}\stubpath = "C:\\Windows\\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe"	{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE21076-E9EE-4353-B939-C40716AC790E}	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}\stubpath = "C:\\Windows\\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe"	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}	{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{647738F7-AAE9-4018-B830-5CC10697ECA9}\stubpath = "C:\\Windows\\{647738F7-AAE9-4018-B830-5CC10697ECA9}.exe"	{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}\stubpath = "C:\\Windows\\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe"	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe

Deletes itself 1 IoCs

pid	Process
1832	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe
2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
1688	{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
2856	{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
1732	{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe
1476	{647738F7-AAE9-4018-B830-5CC10697ECA9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
File created	C:\Windows\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
File created	C:\Windows\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
File created	C:\Windows\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
File created	C:\Windows\{E362CB61-97FF-4207-A456-E119C09C9DED}.exe	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
File created	C:\Windows\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe	{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
File created	C:\Windows\{647738F7-AAE9-4018-B830-5CC10697ECA9}.exe	{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe
File created	C:\Windows\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe
File created	C:\Windows\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
File created	C:\Windows\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe	{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
File created	C:\Windows\{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe
Token: SeIncBasePriorityPrivilege	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
Token: SeIncBasePriorityPrivilege	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
Token: SeIncBasePriorityPrivilege	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
Token: SeIncBasePriorityPrivilege	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
Token: SeIncBasePriorityPrivilege	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
Token: SeIncBasePriorityPrivilege	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
Token: SeIncBasePriorityPrivilege	1688	{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
Token: SeIncBasePriorityPrivilege	2856	{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
Token: SeIncBasePriorityPrivilege	1732	{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2392	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	28
PID 2384 wrote to memory of 2392	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	28
PID 2384 wrote to memory of 2392	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	28
PID 2384 wrote to memory of 2392	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	28
PID 2384 wrote to memory of 1832	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	29
PID 2384 wrote to memory of 1832	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	29
PID 2384 wrote to memory of 1832	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	29
PID 2384 wrote to memory of 1832	2384	2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe	29
PID 2392 wrote to memory of 2588	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	30
PID 2392 wrote to memory of 2588	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	30
PID 2392 wrote to memory of 2588	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	30
PID 2392 wrote to memory of 2588	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	30
PID 2392 wrote to memory of 2668	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	31
PID 2392 wrote to memory of 2668	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	31
PID 2392 wrote to memory of 2668	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	31
PID 2392 wrote to memory of 2668	2392	{BBE21076-E9EE-4353-B939-C40716AC790E}.exe	31
PID 2588 wrote to memory of 2688	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	32
PID 2588 wrote to memory of 2688	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	32
PID 2588 wrote to memory of 2688	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	32
PID 2588 wrote to memory of 2688	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	32
PID 2588 wrote to memory of 2700	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	33
PID 2588 wrote to memory of 2700	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	33
PID 2588 wrote to memory of 2700	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	33
PID 2588 wrote to memory of 2700	2588	{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe	33
PID 2688 wrote to memory of 2532	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	36
PID 2688 wrote to memory of 2532	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	36
PID 2688 wrote to memory of 2532	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	36
PID 2688 wrote to memory of 2532	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	36
PID 2688 wrote to memory of 2816	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	37
PID 2688 wrote to memory of 2816	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	37
PID 2688 wrote to memory of 2816	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	37
PID 2688 wrote to memory of 2816	2688	{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe	37
PID 2532 wrote to memory of 2356	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	38
PID 2532 wrote to memory of 2356	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	38
PID 2532 wrote to memory of 2356	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	38
PID 2532 wrote to memory of 2356	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	38
PID 2532 wrote to memory of 788	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	39
PID 2532 wrote to memory of 788	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	39
PID 2532 wrote to memory of 788	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	39
PID 2532 wrote to memory of 788	2532	{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe	39
PID 2356 wrote to memory of 932	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	40
PID 2356 wrote to memory of 932	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	40
PID 2356 wrote to memory of 932	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	40
PID 2356 wrote to memory of 932	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	40
PID 2356 wrote to memory of 2548	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	41
PID 2356 wrote to memory of 2548	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	41
PID 2356 wrote to memory of 2548	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	41
PID 2356 wrote to memory of 2548	2356	{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe	41
PID 932 wrote to memory of 2780	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	43
PID 932 wrote to memory of 2780	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	43
PID 932 wrote to memory of 2780	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	43
PID 932 wrote to memory of 2780	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	43
PID 932 wrote to memory of 2824	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	42
PID 932 wrote to memory of 2824	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	42
PID 932 wrote to memory of 2824	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	42
PID 932 wrote to memory of 2824	932	{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe	42
PID 2780 wrote to memory of 1688	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	45
PID 2780 wrote to memory of 1688	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	45
PID 2780 wrote to memory of 1688	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	45
PID 2780 wrote to memory of 1688	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	45
PID 2780 wrote to memory of 1628	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	44
PID 2780 wrote to memory of 1628	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	44
PID 2780 wrote to memory of 1628	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	44
PID 2780 wrote to memory of 1628	2780	{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_df791a96419e19c6634fd1dccd7ca66d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{BBE21076-E9EE-4353-B939-C40716AC790E}.exe
  C:\Windows\{BBE21076-E9EE-4353-B939-C40716AC790E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
    C:\Windows\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
      C:\Windows\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
        
        C:\Windows\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
        
        C:\Windows\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
        
        C:\Windows\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F70~1.EXE > nul
        8⤵
        
        PID:2824
        
        C:\Windows\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
        
        C:\Windows\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EF36~1.EXE > nul
        9⤵
        
        PID:1628
        
        C:\Windows\{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
        
        C:\Windows\{E362CB61-97FF-4207-A456-E119C09C9DED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E362C~1.EXE > nul
        10⤵
        
        PID:1656
        
        C:\Windows\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
        
        C:\Windows\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe
        
        C:\Windows\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\{647738F7-AAE9-4018-B830-5CC10697ECA9}.exe
        
        C:\Windows\{647738F7-AAE9-4018-B830-5CC10697ECA9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDA29~1.EXE > nul
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ECEE~1.EXE > nul
        11⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32B77~1.EXE > nul
        7⤵
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B5BB~1.EXE > nul
        6⤵
        
        PID:788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10323~1.EXE > nul
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5EAB6~1.EXE > nul
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE21~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe

Filesize
139KB

MD5
6d14f9c07dfaf59cf4dc48ea90d43ea0

SHA1
333200e03ffa8fbb3df5a77dc83b4ec9ef3494ba

SHA256
3cec55a481fa3778cc4fef808ad20ff9c06ca5d9b58d7ebbf5b79830bd7871d2

SHA512
2caeff3d86226d38ebf5e097ff3a1d6a9893cba1c9262a7e016add30ab616754e7931281c6d57d1dbe39a32d79a365426ad141567b5cfb81d033c881c25f302b

Download Submit
C:\Windows\{103237E9-3CEB-4dd3-A6B0-CA1355BDFAA2}.exe

Filesize
197KB

MD5
c414bc0875e0e7bcc52476e6939985f5

SHA1
098401527fe678b4626b413fca5155a3f8d36223

SHA256
4cf0a3a933b10195c84d24ff14c71c37b45f00808ba4d366d374d07462102a14

SHA512
c875857c1fa18f58accdea6d250a31dfd51c4021c5cdc7fb59c20af8a636b9191852c40c62b0e9f322ff8d5011cb261847a4f52ffccf2efc2da2d1fdc4eea889

Download Submit
C:\Windows\{32B77CD2-4ADE-4f5d-925B-C67C850D6AC3}.exe

Filesize
197KB

MD5
ecec3dc55415db6e2ece8c07a75901a2

SHA1
fae5130f0b3adf0b815db2a59c3db34bf7f6343c

SHA256
61e1df17446b44420ee7d9f6783541e996a6afd98494c57cd2f2c6670f17f1a2

SHA512
eaefb8ecc4f368a9196e1d20c79f04901849b1c7b05db035f583a6286c41b330efff69052c735edacba38bdc4c72627fc771f6976aded295b7e1d4ff978467c6

Download Submit
C:\Windows\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe

Filesize
197KB

MD5
5ba4237052e36163b38958e220e4f174

SHA1
d03dd92e36018a530d3dca63dde1ed84113cf840

SHA256
ec98f362d305cf8aa874f24ebc26cdde2d928a770ac0f8a8006382c23ccf39bd

SHA512
1dd937c7be435dfc6819ab79ab5e60a1ee1b390c3f071764d6a335034a5f6a437747a66a57310bc831826f65193bf55cdeb5873f6edf48104b6558c8dd9a5eeb

Download Submit
C:\Windows\{4EF36126-DA0F-4b80-A7F8-AB402AC41913}.exe

Filesize
64KB

MD5
e0017fd246391275ebb376227be1d60e

SHA1
80feae74632a443b0d0124e3b541824bce2640e0

SHA256
1b230d16545952a84874e87eff771f4ae3844a8c554557fe45b73e58ac85a8c1

SHA512
c3bba86db47011369506304fb43b2bd0a9801425d08449897da2e569d5a80b209c715b3599fba8be60b2886224a26134be4e5527f462986bc3531a5ac581679b

Download Submit
C:\Windows\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe

Filesize
197KB

MD5
b0e0eae3ce4cb3868d945ccfe616ee73

SHA1
2db0e30ae6ddc45c57c80f383fd4ef269492a7ae

SHA256
f0f4a2a87790516a66244417e49f3bb1c6e66fd348832ffe13b677aee7169d56

SHA512
3d8b1968d3e6201024678739431c4a9da74931803e5a8f64fbe9443105ef81320db761cea9cee0c7a188d56f649b896d51251f8bce37fc2ceb625e865bb52b02

Download Submit
C:\Windows\{5EAB6DD9-391E-46fc-8CA8-54E2651AC40C}.exe

Filesize
177KB

MD5
616e032976f1ed5cab94cf98e2db2871

SHA1
e2379f165cb6fa98a127d75a45f8343c1117d6e0

SHA256
d6f3e6b32c7c3f585bb2127c487cba92db31839e0c6f82e95291cfc7672beba5

SHA512
54c99a3ec0fb44423d3ddbc23564c3e178ee99de41f8395596fbe3f57dec9730423f85d6d0b8e2577c877fe533866fdb47f6e5a82eacc9ae11b52adf8cfe4028

Download Submit
C:\Windows\{647738F7-AAE9-4018-B830-5CC10697ECA9}.exe

Filesize
197KB

MD5
ccffe0360a9a88b1421bac14eb2ae2c1

SHA1
6af4c7b7c22eacb329b8d89bd6be9a236daa72af

SHA256
799cd20c6a686acac4736ea3d07810d5421408c68170afb69ec7ace315671051

SHA512
c437881a75468dfcf42186c7668601dfbe4529dfa3160d38a7a8e92b4852e9c845f69bc896aa930e8e1e54b85ba182b3fa8821a6369e09eeeb522f0000db1fc5

Download Submit
C:\Windows\{7B5BBB45-8121-4273-9719-CD27DA2EDD59}.exe

Filesize
197KB

MD5
801ba0a45748ed58f728b14bb38e1074

SHA1
e6877444c3853cb59eded27b22809c253be9a53f

SHA256
2c5b1ca0ff3f17c51f20a1acfbd90e3457b9a3073f439617cab0aa6987b57cf5

SHA512
4a2d81ef0d544fed2fa48fbafb8fdf68ac5e8ff8800101fbf12c60d4ed7fbed773929c72da27091876876928fc5984d1607b302ec00971dd1f5f68520f4b2d95

Download Submit
C:\Windows\{91F7089C-529A-4c78-9033-3E1F49E7C7D6}.exe

Filesize
197KB

MD5
c7894c5f4122c81c1268a44eaa09b9f5

SHA1
86535c92038e46b7f36065fa3e753d123d8788a5

SHA256
179cc40257ccc55495b71c370c8ef05f607daea49d9b13b8260ecfbafac770c6

SHA512
5e22adc9c08070d959f331f68afed384b17c4b3155ab6eb422c18831c2e7da96337f0a93259bae5d8574e27efd5675202eed1df4530d440aa8bd34e06553ef2d

Download Submit
C:\Windows\{9ECEE94E-0BED-4e36-8A9D-4CEB8869C0C7}.exe

Filesize
197KB

MD5
f997d104fd04cfb991af856b7b02ac5b

SHA1
5bfd5822693d672a58f26d246d59c72132b0b38d

SHA256
c883a3acc97f4119aab79513e2c07873eeb0b471ccecbf7536b8aea1af77cbdb

SHA512
e1b118b332007da115b8ead8ffefd3404286f836d15c306f7287e11df67b73c2811c7fc08812f41cc0c95c28efc5a3e7d2efb88652be57d058f5787c02aceeed

Download Submit
C:\Windows\{BBE21076-E9EE-4353-B939-C40716AC790E}.exe

Filesize
197KB

MD5
78c97ea3ce246434d7ea3f89fe401e28

SHA1
6c4ad0416aadf025ebf89845bbfc2a42cbcdba87

SHA256
bd5132e6246caab75e07ce06adb42628e3778357944cb808de41c6d130cec57e

SHA512
261af7a00a31bbcba2b3ffccd7408dca8fd2c1e70dfe90c3a3c2558268627adac857085ac8aa1e841a1c82cc4e4bfecfdf31c592a973dc05304c637a30546b67

Download Submit
C:\Windows\{BDA298C3-255C-4b3c-B32D-BB9B13776E95}.exe

Filesize
197KB

MD5
b2c4fe1fe767c0597f82bc87f4c32fa4

SHA1
787bcb75bf6213aa63ef5c9aa3094f3d3c536282

SHA256
97db5c64be6e5bbe3012e2ee1d1f2fcf59b67fea2124fd1dcf18d185775414c7

SHA512
07dcb51b6137cfd33d52f383508f2654f3411fdbc98221396af584293fd3b3ce015fd14bddda30647fe8f9324ef7726f3e13ad317a08eda95f6f797b45b7ba55

Download Submit
C:\Windows\{E362CB61-97FF-4207-A456-E119C09C9DED}.exe

Filesize
197KB

MD5
2319a716bb7b2ec1f11a0c3e558c2f50

SHA1
be69556ec7cef0bf5e70fa1cedf120b4eb56db59

SHA256
0575838bbb427bcb73531160505fae32ac7b1c7a9fea06270585e515057b9605

SHA512
e7769fb5452b78b41f2cf0e2976ee5425d94209d32e5f537360706537e013b3b3549ccab225e4c2ac481acc1009a35d8e568a5effe47c85d68524347109a43ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads