6e2c4eeec4d859eeccaaaac5b14f818a82d80585bc2d0436093a36a62ab6ebe0

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Size

380KB
MD5

cda6422a7356a40ac2e60140dac6b5be
SHA1

61694d817e90b3fbe4a223f2e4487ec11d4c6d9a
SHA256

6e2c4eeec4d859eeccaaaac5b14f818a82d80585bc2d0436093a36a62ab6ebe0
SHA512

70e515599a8ca9c7ea5403059b689db00da0ca844102aabb0185a65fc4455551cd80a3d92b791c8c9b8706871995266ed1015e93c0596ae8425b7a0ab19411cb
SSDEEP

3072:mEGh0oXlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGpl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122f0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122f0-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122f0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000149f5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122f0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122f0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122f0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}\stubpath = "C:\\Windows\\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe"	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FB4864-E663-4229-8B17-E32A7E4F72C9}\stubpath = "C:\\Windows\\{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe"	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81BE3617-9CE7-41ca-9AFC-663AC385169A}\stubpath = "C:\\Windows\\{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe"	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}\stubpath = "C:\\Windows\\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe"	{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88D7468E-E983-4de1-A802-ADAB99103E08}\stubpath = "C:\\Windows\\{88D7468E-E983-4de1-A802-ADAB99103E08}.exe"	{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}\stubpath = "C:\\Windows\\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe"	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81BE3617-9CE7-41ca-9AFC-663AC385169A}	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}\stubpath = "C:\\Windows\\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe"	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}\stubpath = "C:\\Windows\\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe"	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32C78425-C057-4dbc-B16A-4DB96B46C306}	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}	{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88D7468E-E983-4de1-A802-ADAB99103E08}	{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FB4864-E663-4229-8B17-E32A7E4F72C9}	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE798255-56CA-4bfe-A06C-33B250DED660}	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE798255-56CA-4bfe-A06C-33B250DED660}\stubpath = "C:\\Windows\\{FE798255-56CA-4bfe-A06C-33B250DED660}.exe"	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}	{88D7468E-E983-4de1-A802-ADAB99103E08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}\stubpath = "C:\\Windows\\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}.exe"	{88D7468E-E983-4de1-A802-ADAB99103E08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32C78425-C057-4dbc-B16A-4DB96B46C306}\stubpath = "C:\\Windows\\{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe"	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe
1516	{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
2232	{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
2224	{88D7468E-E983-4de1-A802-ADAB99103E08}.exe
2552	{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
File created	C:\Windows\{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
File created	C:\Windows\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
File created	C:\Windows\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe	{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
File created	C:\Windows\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
File created	C:\Windows\{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
File created	C:\Windows\{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
File created	C:\Windows\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
File created	C:\Windows\{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe
File created	C:\Windows\{88D7468E-E983-4de1-A802-ADAB99103E08}.exe	{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
File created	C:\Windows\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}.exe	{88D7468E-E983-4de1-A802-ADAB99103E08}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
Token: SeIncBasePriorityPrivilege	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
Token: SeIncBasePriorityPrivilege	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
Token: SeIncBasePriorityPrivilege	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
Token: SeIncBasePriorityPrivilege	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
Token: SeIncBasePriorityPrivilege	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
Token: SeIncBasePriorityPrivilege	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe
Token: SeIncBasePriorityPrivilege	1516	{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
Token: SeIncBasePriorityPrivilege	2232	{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
Token: SeIncBasePriorityPrivilege	2224	{88D7468E-E983-4de1-A802-ADAB99103E08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2172	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	28
PID 756 wrote to memory of 668	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	29
PID 2172 wrote to memory of 2600	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	30
PID 2172 wrote to memory of 2600	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	30
PID 2172 wrote to memory of 2600	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	30
PID 2172 wrote to memory of 2600	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	30
PID 2172 wrote to memory of 2672	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	31
PID 2172 wrote to memory of 2672	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	31
PID 2172 wrote to memory of 2672	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	31
PID 2172 wrote to memory of 2672	2172	{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe	31
PID 2600 wrote to memory of 2692	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	32
PID 2600 wrote to memory of 2692	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	32
PID 2600 wrote to memory of 2692	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	32
PID 2600 wrote to memory of 2692	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	32
PID 2600 wrote to memory of 2568	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	33
PID 2600 wrote to memory of 2568	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	33
PID 2600 wrote to memory of 2568	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	33
PID 2600 wrote to memory of 2568	2600	{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe	33
PID 2692 wrote to memory of 2572	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	36
PID 2692 wrote to memory of 2572	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	36
PID 2692 wrote to memory of 2572	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	36
PID 2692 wrote to memory of 2572	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	36
PID 2692 wrote to memory of 2988	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	37
PID 2692 wrote to memory of 2988	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	37
PID 2692 wrote to memory of 2988	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	37
PID 2692 wrote to memory of 2988	2692	{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe	37
PID 2572 wrote to memory of 2748	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	38
PID 2572 wrote to memory of 2748	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	38
PID 2572 wrote to memory of 2748	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	38
PID 2572 wrote to memory of 2748	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	38
PID 2572 wrote to memory of 2160	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	39
PID 2572 wrote to memory of 2160	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	39
PID 2572 wrote to memory of 2160	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	39
PID 2572 wrote to memory of 2160	2572	{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe	39
PID 2748 wrote to memory of 1972	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	41
PID 2748 wrote to memory of 1972	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	41
PID 2748 wrote to memory of 1972	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	41
PID 2748 wrote to memory of 1972	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	41
PID 2748 wrote to memory of 2852	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	40
PID 2748 wrote to memory of 2852	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	40
PID 2748 wrote to memory of 2852	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	40
PID 2748 wrote to memory of 2852	2748	{FE798255-56CA-4bfe-A06C-33B250DED660}.exe	40
PID 1972 wrote to memory of 2760	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	42
PID 1972 wrote to memory of 2760	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	42
PID 1972 wrote to memory of 2760	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	42
PID 1972 wrote to memory of 2760	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	42
PID 1972 wrote to memory of 2772	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	43
PID 1972 wrote to memory of 2772	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	43
PID 1972 wrote to memory of 2772	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	43
PID 1972 wrote to memory of 2772	1972	{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe	43
PID 2760 wrote to memory of 1516	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	44
PID 2760 wrote to memory of 1516	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	44
PID 2760 wrote to memory of 1516	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	44
PID 2760 wrote to memory of 1516	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	44
PID 2760 wrote to memory of 2984	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	45
PID 2760 wrote to memory of 2984	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	45
PID 2760 wrote to memory of 2984	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	45
PID 2760 wrote to memory of 2984	2760	{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
  C:\Windows\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
    C:\Windows\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
      C:\Windows\{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
        
        C:\Windows\{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
        
        C:\Windows\{FE798255-56CA-4bfe-A06C-33B250DED660}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE798~1.EXE > nul
        7⤵
        
        PID:2852
        
        C:\Windows\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
        
        C:\Windows\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe
        
        C:\Windows\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
        
        C:\Windows\{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
        
        C:\Windows\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{88D7468E-E983-4de1-A802-ADAB99103E08}.exe
        
        C:\Windows\{88D7468E-E983-4de1-A802-ADAB99103E08}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}.exe
        
        C:\Windows\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88D74~1.EXE > nul
        12⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EB31~1.EXE > nul
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32C78~1.EXE > nul
        10⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA36~1.EXE > nul
        9⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{785B5~1.EXE > nul
        8⤵
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BE3~1.EXE > nul
        6⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51FB4~1.EXE > nul
        5⤵
        
        PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6164F~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05D66~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe

Filesize
140KB

MD5
0ac1b62883441d6c9fdc7da884951e64

SHA1
5cc0e9bcbfc7d325a6d70eae1792e2ad14c40828

SHA256
6de3f151aa85f9d1c2fa9d5d59f50499c44f88b05fb6a9394c4e78f06108740e

SHA512
1ff1b09c812fe477fa138ee32423b3b54c4ede48b0b41fcb5c921a2cbaa6b9fb61ece03396aa6a3b1fca8780422d672c5b073b827fbbbf6c13b766ae0f227168

Download Submit
C:\Windows\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe

Filesize
192KB

MD5
041187acf7aaba7244959d1069494d36

SHA1
054a679bc5dbd4ea89e37764f6746133d8155ec7

SHA256
cb7acc0f7aeee0fc2430a8b870cabc4d5186780cdf1b6b5d56db6219f9fe0417

SHA512
83b39da0d5d8007d971cbbe27e6eb22277a71b43729901cd804f2f16cd2731458374819c46f10825322766154da7c88db92d66e59731543c9dcd4e3557e9d410

Download Submit
C:\Windows\{05D66E64-71B3-4829-8E17-FCDB8C4BC693}.exe

Filesize
380KB

MD5
8e6ffb3cc73f24a6dcc044f4bfd0aa16

SHA1
f01870c0ba3914b5cdc98095c213d3bcf0e3401c

SHA256
08e924a87cf302250c241b1a8cb4c2e909623bcad65d1fb8009e97f5c2bab930

SHA512
08325f44f00455ce6cba91955b4641b919af3003d86fe34a94bd376fc9c4ebaf1225290f0ef7df9610033566903174978eb5fd3897ed9c763ca7952598a825b4

Download Submit
C:\Windows\{0CA36ED1-84CD-4fb5-99A6-F7C4C84D4AB8}.exe

Filesize
380KB

MD5
7bdf2e7d3528594aa9b12ffa57131530

SHA1
f7a1b5fd7d36e3ae93856344b27649a36f5e3deb

SHA256
2bfce8fd33d717cd6d9c621aade04eb507a76752293a48fad5c237356a2c1f00

SHA512
341b83c1f71e11d3fc32b17c5f4c7860df17256539d4f6970cbe154f52dcfca706c8a8d3768764bbf249a14c12cf6b494e21fa299ecfe70206aec0a8463d2f4b

Download Submit
C:\Windows\{32C78425-C057-4dbc-B16A-4DB96B46C306}.exe

Filesize
380KB

MD5
efcef5217c5d6f6c7bdd7e2ac823d2a6

SHA1
e54fa3cc3871946ef5c389f2741f355054330689

SHA256
32f78decb5dbeb5732dd1de127ee93f9d8a1c97da131ec2e6cce528a9015ec94

SHA512
fde4e25c32007201168d00a141b2c84d6dbed55613da9be2d5aaac38dde7fe35f277a60c01bf8761646006b1a8d65741b349000b3f68c0baf8f13186e861130c

Download Submit
C:\Windows\{3B14E9B7-DAFD-4b1a-864E-3433A96A12B1}.exe

Filesize
380KB

MD5
0dbdfa3cb6ca64cdcafeca612dbd3956

SHA1
e46b4ee64f0cb73c0ed98721d08865b164b8e59f

SHA256
29811657837dd49b85d61e1e18db272a9582eaafa8df80e71f8acc3c44dd66c3

SHA512
2cc76530b1f62d34e433df7fe2f8bb3ea6ce103e7bf08f8102e39d73c72f50d1270859fc2fb6e002cca5e4766c520063ec4eced9abe74b6a40f269954a50f0e1

Download Submit
C:\Windows\{51FB4864-E663-4229-8B17-E32A7E4F72C9}.exe

Filesize
380KB

MD5
adaf1862280e67b24a3eef370357e803

SHA1
0b5c5c8f8c71840d561c6112a7b026faf565595f

SHA256
f66e98e5244640d40d2d7af21c9fa48be9a41441b5c095a21ab507c2465f046e

SHA512
6e0f0992c33962040d23649e32de9a5e56e01345ae4184ccdcea9380bddcfab1e70ab3be85eec3eadd6d505f0edadd8bbfc5ce5501517c3b3575766fe82ac490

Download Submit
C:\Windows\{6164F3DF-32DB-4369-BD0C-4A31DA0D06D6}.exe

Filesize
380KB

MD5
0e06f3b7306177288000486af9aa7534

SHA1
fb1fe8d5f168085e215cb391fb1383143fb0133f

SHA256
ad6d75f2a263b61712b91d2463055fbb14ffb2a316fed4f53be12091dc165e12

SHA512
a60e06a33058a46353d6f914246399036b1b01e890bd58bd43394f26bf90fa3c3fe14802a686f851b49f3150b9cd0fd0df54bb41290aaf4af1390736e4c928f5

Download Submit
C:\Windows\{785B5054-C6DF-49d2-8A3B-D3C6D508B9EE}.exe

Filesize
380KB

MD5
1c00a2fe0536663ef38c0a640190bb2f

SHA1
36e5522613d085e5d3b886469ec140c4b064b292

SHA256
84f14824f6fa8d0d65365b6218a45a5b3bf71b802b5ac660844b5e602c919227

SHA512
96451f52d0a2a129bf2655d23d95453013e8cc74aaf14478303099220902d951b68b3601596652d95b352f914e2cf8ac3a50747b95fde566c78a44c014a72c2c

Download Submit
C:\Windows\{81BE3617-9CE7-41ca-9AFC-663AC385169A}.exe

Filesize
380KB

MD5
1424c2548ae309089263f404cbdca941

SHA1
b975e550da8d3eb9571ef01b0bba5f6cc1cf608d

SHA256
ed02556e9b4d2b173ecfac2a8eeb83d8f30156923c02759bd3409be659a3af69

SHA512
acd3945295c8b13e500dba4210494e192ce1ea3c9536da920bc75203eede0accb2910343d3c5002948e98b5512de89a84dff82b0800892e7a82abad57c52cabd

Download Submit
C:\Windows\{88D7468E-E983-4de1-A802-ADAB99103E08}.exe

Filesize
380KB

MD5
66b4cd047379d977bba275a41c7f7ec6

SHA1
debf166d318bbff22a63e53afc42b4b7dd2246cc

SHA256
f1323209ebaf42d3fdd8c6fac32152cf5960ffb25a1477c81e2fe36a8d73b279

SHA512
97172f0a4140a07f27b94dd6ab3b70fefbc866d6d6e60b7e5996bc19c659ca87c842b136470a28ff850201862b12d2bec59a2cca037f315b9ce55dde34b31be8

Download Submit
C:\Windows\{9EB31FAB-C7DE-4dc9-9803-5DAF9A498563}.exe

Filesize
380KB

MD5
bb79d4dbabb82d54a68d8416108af0bc

SHA1
1f92f054706f55c1e1567d7ba034b97fb0efe89a

SHA256
d51036df7d442dc5e46c606c683ec5f1611352d1a9ea1337209f99d36d80ddc2

SHA512
c5fca23ef54cd1419cd4b9c6f28c44b0c6e2716c43560660d4788a8c1dafd7158660f075a43259f43c19f5c1af8cb779f052f35e9bcb9b582e85bbcff9afdb74

Download Submit
C:\Windows\{FE798255-56CA-4bfe-A06C-33B250DED660}.exe

Filesize
380KB

MD5
280ba07dd3a3213f9540492f550954b2

SHA1
4ca16753c1fbb9d9b20dcfd1f335505735b2185b

SHA256
eadf2489aec39c788ce7b6ef22d7ed26f53a79e13f0a34ec10d6c58099f0edf8

SHA512
9dbc9e953251ac3f2486f98ce1853899e3063554c26794b8f4ee456f99e2abb0103f414c688d9ffdeb27fc397808202ce70984c182cb599f381ccdb93ae97975

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads