855e7dd72b0dd7aa6702f2ba0053a3d5893ce5f37082b7e6a6f03aa2c78f017c

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe
Size

180KB
MD5

f85592adaaca67a40a59a495a8ad1a01
SHA1

670dbae6dbe50e1410e29bba94874af6d5b29140
SHA256

855e7dd72b0dd7aa6702f2ba0053a3d5893ce5f37082b7e6a6f03aa2c78f017c
SHA512

882e19d4dbdea67b00ad09b1c4d635ddea292b2884ef9adfd84a3bc3583e9e146a213ce20c3e07bb86404828aa10151f3fc8dd23b6866d2f846de3dab9da117b
SSDEEP

3072:jEGh0omlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGwl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012262-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016cd7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}\stubpath = "C:\\Windows\\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe"	{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B53A0745-0C60-4499-A2B2-7774DF36E456}	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{490F6776-0C47-40a6-B904-AB2BF2AA5910}\stubpath = "C:\\Windows\\{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe"	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}\stubpath = "C:\\Windows\\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe"	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}\stubpath = "C:\\Windows\\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe"	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}\stubpath = "C:\\Windows\\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe"	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}\stubpath = "C:\\Windows\\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe"	{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}	{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}\stubpath = "C:\\Windows\\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe"	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}\stubpath = "C:\\Windows\\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe"	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}\stubpath = "C:\\Windows\\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe"	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B53A0745-0C60-4499-A2B2-7774DF36E456}\stubpath = "C:\\Windows\\{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe"	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}	{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}\stubpath = "C:\\Windows\\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}.exe"	{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{490F6776-0C47-40a6-B904-AB2BF2AA5910}	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}	{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe
1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
2872	{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
1152	{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe
2036	{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe
1632	{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe
File created	C:\Windows\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
File created	C:\Windows\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
File created	C:\Windows\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
File created	C:\Windows\{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
File created	C:\Windows\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe	{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
File created	C:\Windows\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe	{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe
File created	C:\Windows\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}.exe	{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe
File created	C:\Windows\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
File created	C:\Windows\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
File created	C:\Windows\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
Token: SeIncBasePriorityPrivilege	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
Token: SeIncBasePriorityPrivilege	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
Token: SeIncBasePriorityPrivilege	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe
Token: SeIncBasePriorityPrivilege	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
Token: SeIncBasePriorityPrivilege	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
Token: SeIncBasePriorityPrivilege	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
Token: SeIncBasePriorityPrivilege	2872	{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
Token: SeIncBasePriorityPrivilege	1152	{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe
Token: SeIncBasePriorityPrivilege	2036	{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2412	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	28
PID 2132 wrote to memory of 2412	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	28
PID 2132 wrote to memory of 2412	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	28
PID 2132 wrote to memory of 2412	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	28
PID 2132 wrote to memory of 2712	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	29
PID 2132 wrote to memory of 2712	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	29
PID 2132 wrote to memory of 2712	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	29
PID 2132 wrote to memory of 2712	2132	2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe	29
PID 2412 wrote to memory of 3016	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	30
PID 2412 wrote to memory of 3016	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	30
PID 2412 wrote to memory of 3016	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	30
PID 2412 wrote to memory of 3016	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	30
PID 2412 wrote to memory of 2724	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	31
PID 2412 wrote to memory of 2724	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	31
PID 2412 wrote to memory of 2724	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	31
PID 2412 wrote to memory of 2724	2412	{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe	31
PID 3016 wrote to memory of 2812	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	35
PID 3016 wrote to memory of 2812	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	35
PID 3016 wrote to memory of 2812	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	35
PID 3016 wrote to memory of 2812	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	35
PID 3016 wrote to memory of 2456	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	34
PID 3016 wrote to memory of 2456	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	34
PID 3016 wrote to memory of 2456	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	34
PID 3016 wrote to memory of 2456	3016	{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe	34
PID 2812 wrote to memory of 588	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	36
PID 2812 wrote to memory of 588	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	36
PID 2812 wrote to memory of 588	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	36
PID 2812 wrote to memory of 588	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	36
PID 2812 wrote to memory of 568	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	37
PID 2812 wrote to memory of 568	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	37
PID 2812 wrote to memory of 568	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	37
PID 2812 wrote to memory of 568	2812	{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe	37
PID 588 wrote to memory of 1976	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	39
PID 588 wrote to memory of 1976	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	39
PID 588 wrote to memory of 1976	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	39
PID 588 wrote to memory of 1976	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	39
PID 588 wrote to memory of 1876	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	38
PID 588 wrote to memory of 1876	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	38
PID 588 wrote to memory of 1876	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	38
PID 588 wrote to memory of 1876	588	{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe	38
PID 1976 wrote to memory of 1988	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	41
PID 1976 wrote to memory of 1988	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	41
PID 1976 wrote to memory of 1988	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	41
PID 1976 wrote to memory of 1988	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	41
PID 1976 wrote to memory of 1984	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	40
PID 1976 wrote to memory of 1984	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	40
PID 1976 wrote to memory of 1984	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	40
PID 1976 wrote to memory of 1984	1976	{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe	40
PID 1988 wrote to memory of 2096	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	43
PID 1988 wrote to memory of 2096	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	43
PID 1988 wrote to memory of 2096	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	43
PID 1988 wrote to memory of 2096	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	43
PID 1988 wrote to memory of 2936	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	42
PID 1988 wrote to memory of 2936	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	42
PID 1988 wrote to memory of 2936	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	42
PID 1988 wrote to memory of 2936	1988	{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe	42
PID 2096 wrote to memory of 2872	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	44
PID 2096 wrote to memory of 2872	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	44
PID 2096 wrote to memory of 2872	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	44
PID 2096 wrote to memory of 2872	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	44
PID 2096 wrote to memory of 844	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	45
PID 2096 wrote to memory of 844	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	45
PID 2096 wrote to memory of 844	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	45
PID 2096 wrote to memory of 844	2096	{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_f85592adaaca67a40a59a495a8ad1a01_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
  C:\Windows\{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
    C:\Windows\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B130A~1.EXE > nul
      4⤵
      PID:2456
  - - C:\Windows\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
      C:\Windows\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe
        
        C:\Windows\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C252~1.EXE > nul
        6⤵
        
        PID:1876
      - C:\Windows\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
        
        C:\Windows\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C6C6~1.EXE > nul
        7⤵
        
        PID:1984
        
        C:\Windows\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
        
        C:\Windows\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBB27~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
        
        C:\Windows\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
        
        C:\Windows\{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe
        
        C:\Windows\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe
        
        C:\Windows\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}.exe
        
        C:\Windows\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A52C7~1.EXE > nul
        12⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39DFC~1.EXE > nul
        11⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B53A0~1.EXE > nul
        10⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA41D~1.EXE > nul
        9⤵
        
        PID:844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39EB4~1.EXE > nul
        5⤵
        
        PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{490F6~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C2521E0-D7C6-415d-8CC6-EF6D821F0F0D}.exe

Filesize
180KB

MD5
1c0f0d3e167c3d79320560acd3d744f9

SHA1
a121ccdac7de9c979c8d722bdb8eb11324a615b8

SHA256
5ff48af33027ac62c05323ecac83e1fff401e00a9687a72d94da47e59ea7d228

SHA512
a54217990a7503001770866fb48b030ddd64125140bf224a63f3a03303fe4264d3f2705ad00b892c27d6047eebd090249ed5d478b79581222c6c8be9cae9a5c3

Download Submit
C:\Windows\{39DFC0DD-BC09-474d-9503-BA571D2D4FB7}.exe

Filesize
180KB

MD5
3a6e91fee0f894c35b73def3d2473164

SHA1
637eceb3adb36f05524e19dd4bf0d628308c1d93

SHA256
188f90014e95654ab651d22782186843af58d7fb544fef2cf771e110c0e7e87b

SHA512
c4e85abfee68c7bf09be832fe740e2d68c5f253a2c312fa6cdfc8bea97c14449f2784e93bad5945f0064b5e3e8b43a422eb14cd3c555d84d1cb4670152193eeb

Download Submit
C:\Windows\{39EB430C-6906-40ed-A0D0-7AED00D0E2E6}.exe

Filesize
180KB

MD5
87abc5a8e2291310fa64e2ff9976b08e

SHA1
d89561d1078188afff4ad6ba59c7bb29f8276d70

SHA256
bec04fb9e5f7cefb1e4cb55013dcdcef2a0956777297ab6497b4d73751bff97c

SHA512
7fc6cf349ae26333b650efd072ad60cee81ec526359ebfd445288ed90bf397b5ec42ea305dfa958bbae0cb3144dfdbcdcd136fae2aacfb704a217400af67732d

Download Submit
C:\Windows\{490F6776-0C47-40a6-B904-AB2BF2AA5910}.exe

Filesize
180KB

MD5
069d95ff18e8268b655e833d6f0620e0

SHA1
bfc82366cfc63d93871d90eb123f0267c9027a05

SHA256
a2d08611af351ae29ce225b483cc0bb6fa62139f31da5f8a41b55b118d23383d

SHA512
075d7d07ba3fddef4be92990c5708020a44becf5f3b2ba404e26d4058772eadc8d368fadb31a95e059ef87616d803ada10acf0730f7f219051666b06e46d036d

Download Submit
C:\Windows\{8C6C6015-23F9-4911-8B5B-11D66BDC0974}.exe

Filesize
180KB

MD5
db16e9efbe8ffe3d1b18049140013ef7

SHA1
0c83274db7162587ac7d9329d0a5f04b60083ff0

SHA256
3af5db7e9b52a804c17ee896d305d389f970c00ebac7e4b62233e7ce98067649

SHA512
b46c0a165b952c043896f04238e95808e85bfce6fea07fa50a69536a6462370973aaec8c69adc7cb265293959179da7bcd1c81f0d8c91242b3634a4f86522f14

Download Submit
C:\Windows\{A52C7F34-11CE-41e5-A994-23D05ADCB4FC}.exe

Filesize
180KB

MD5
806bb759caa1024e79476b3b94079741

SHA1
916096dd4c96c08dc1569bd6066a4c0ea3fec29c

SHA256
ddea2507a0b569ba299500a297c1b8542371d2949ae95cb6f4f351a22fb8620b

SHA512
0b6d9b27b07b58ccd2a8959db3682ac52abfbb3436271319247e7bfbdddf6d0352b56c2ce62ae54d370b695f6dcfd773078e4e893afd8a2cd6eb8708c1137d16

Download Submit
C:\Windows\{B130AEC3-CECC-406e-B5CC-907CC3E07D89}.exe

Filesize
180KB

MD5
a6b6c91643e84ce4a61dc9d070b411d9

SHA1
d56a3558d7977c3b68c5608a20081c7a56920530

SHA256
59c69d9786bd4fb07c5dca15af7dbe52667ebf4befc38ec046e040862df7c5ec

SHA512
791d30ef4ef72b429d0618ac5941345bfe15a3a99045f3566b7f227dae12bf9d53b1b7513bfc74797f225ac5e273df6ee1759b7937a752e9132ba2478859d652

Download Submit
C:\Windows\{B53A0745-0C60-4499-A2B2-7774DF36E456}.exe

Filesize
180KB

MD5
7e15760d9a4e4a82f3a3d96358b7ba76

SHA1
31f67a0aa4d535f73ec2d4859a90d3909c0cc053

SHA256
b181018e88a6b4193bec1f659d07122e301612de1474ababa2e90818e2104f0f

SHA512
ec153daf52637e4cb817ff71960e6271e729846b635c7140d1d541f9728b4dae56f7ff1ec1f2c79c3c14032e80a6470d3f7bed835482c470d0fc1d294147728e

Download Submit
C:\Windows\{BA41DD6C-1456-48a0-8D92-D9CD76A99892}.exe

Filesize
180KB

MD5
93268a36e2a78f5c622f2181841038e2

SHA1
2969dd2c4d6fb218b420feeb7fb5114f89c4bfbf

SHA256
f2989e225e8000855c168371f9ea5b192dca6eb8515670b9d54ee87a587266ce

SHA512
4f11d72be74d2ff77379c26add5b7d26691b135dfcaff2cd088742830c186bce40ea0d0ea25d99af6155350a837c2012eb75456051b1bc9bbcd0ea79731bcf5b

Download Submit
C:\Windows\{D862B9C8-4F60-40d5-A1D2-BF5B3947945D}.exe

Filesize
180KB

MD5
c4073e62980218e27a460ae3e709963d

SHA1
200971319f2702978edaae7088d66cab1d602757

SHA256
2a248aadae993cb21aa19e9cabccb63be669b6162ffc4199a3fafde78d4a4781

SHA512
59dfa1cba0406ef9c3eba7ab04e6878fe7e7569bf266fb860b8fb7928db49eaf5b2cd73b2cd5287fa7fdaeb4c13eed114e877df5ddd2761485e081cefe610699

Download Submit
C:\Windows\{FBB27758-3C09-4863-9E21-9E8D4E7345DB}.exe

Filesize
180KB

MD5
aa2ed2b032309374d7e5a9efd806365e

SHA1
9d79b448b351f7b739393a7bff7bb859be8ac9a4

SHA256
de042fef4e775523b618b7be459133a93f2d39abe145eb9bebbfcddc0ebd464f

SHA512
98b5de5ca562fb3186b7910af49be0ecf91ead9f0513ff24b39941ce0a6ce11582dd19621186d31fd82118f5fc72482cf75201aaf3c71628fe2a55399760b7c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads