0821af32da8909170e7ee4aa08b09631b18c0b77b63a8c1440b8674b582c3d3d

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Size

408KB
MD5

93ee1ef4d187c0d866d4679df4c802cf
SHA1

addd362847360c7958ee8f4464d4ed6317d9cc60
SHA256

0821af32da8909170e7ee4aa08b09631b18c0b77b63a8c1440b8674b582c3d3d
SHA512

abe47ec1c726740c4e1be55e777a950eea70d1dcc545e65244fd580d400a49b030d7c456519176064ff86bde07c57a014ed3a506306a65aeb67e939e6943ebe7
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012185-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ca-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122ca-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122ca-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122ca-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122ca-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}\stubpath = "C:\\Windows\\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe"	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}\stubpath = "C:\\Windows\\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe"	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}\stubpath = "C:\\Windows\\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}.exe"	{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}\stubpath = "C:\\Windows\\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe"	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66B317BA-3A68-44d3-BDBB-4B754317ED08}\stubpath = "C:\\Windows\\{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe"	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}\stubpath = "C:\\Windows\\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe"	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}	{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}\stubpath = "C:\\Windows\\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe"	{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}\stubpath = "C:\\Windows\\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe"	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}\stubpath = "C:\\Windows\\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe"	{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}	{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{033875CF-3CA7-4c54-A7AC-1049FA783330}\stubpath = "C:\\Windows\\{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe"	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}	{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{816B3861-CC68-4457-AACC-722533DF2E6C}	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{816B3861-CC68-4457-AACC-722533DF2E6C}\stubpath = "C:\\Windows\\{816B3861-CC68-4457-AACC-722533DF2E6C}.exe"	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66B317BA-3A68-44d3-BDBB-4B754317ED08}	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{033875CF-3CA7-4c54-A7AC-1049FA783330}	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe
2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe
956	{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
1580	{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
2176	{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe
2952	{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}.exe	{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe
File created	C:\Windows\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
File created	C:\Windows\{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
File created	C:\Windows\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
File created	C:\Windows\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe	{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
File created	C:\Windows\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe	{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
File created	C:\Windows\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
File created	C:\Windows\{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
File created	C:\Windows\{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe
File created	C:\Windows\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
File created	C:\Windows\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
Token: SeIncBasePriorityPrivilege	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
Token: SeIncBasePriorityPrivilege	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
Token: SeIncBasePriorityPrivilege	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
Token: SeIncBasePriorityPrivilege	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe
Token: SeIncBasePriorityPrivilege	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
Token: SeIncBasePriorityPrivilege	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe
Token: SeIncBasePriorityPrivilege	956	{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
Token: SeIncBasePriorityPrivilege	1580	{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
Token: SeIncBasePriorityPrivilege	2176	{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2668	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	28
PID 2656 wrote to memory of 2668	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	28
PID 2656 wrote to memory of 2668	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	28
PID 2656 wrote to memory of 2668	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	28
PID 2656 wrote to memory of 2716	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	29
PID 2656 wrote to memory of 2716	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	29
PID 2656 wrote to memory of 2716	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	29
PID 2656 wrote to memory of 2716	2656	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	29
PID 2668 wrote to memory of 2856	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	31
PID 2668 wrote to memory of 2856	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	31
PID 2668 wrote to memory of 2856	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	31
PID 2668 wrote to memory of 2856	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	31
PID 2668 wrote to memory of 3000	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	30
PID 2668 wrote to memory of 3000	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	30
PID 2668 wrote to memory of 3000	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	30
PID 2668 wrote to memory of 3000	2668	{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe	30
PID 2856 wrote to memory of 2836	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	34
PID 2856 wrote to memory of 2836	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	34
PID 2856 wrote to memory of 2836	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	34
PID 2856 wrote to memory of 2836	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	34
PID 2856 wrote to memory of 2100	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	35
PID 2856 wrote to memory of 2100	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	35
PID 2856 wrote to memory of 2100	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	35
PID 2856 wrote to memory of 2100	2856	{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe	35
PID 2836 wrote to memory of 704	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	37
PID 2836 wrote to memory of 704	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	37
PID 2836 wrote to memory of 704	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	37
PID 2836 wrote to memory of 704	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	37
PID 2836 wrote to memory of 240	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	36
PID 2836 wrote to memory of 240	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	36
PID 2836 wrote to memory of 240	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	36
PID 2836 wrote to memory of 240	2836	{816B3861-CC68-4457-AACC-722533DF2E6C}.exe	36
PID 704 wrote to memory of 1928	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	38
PID 704 wrote to memory of 1928	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	38
PID 704 wrote to memory of 1928	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	38
PID 704 wrote to memory of 1928	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	38
PID 704 wrote to memory of 2764	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	39
PID 704 wrote to memory of 2764	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	39
PID 704 wrote to memory of 2764	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	39
PID 704 wrote to memory of 2764	704	{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe	39
PID 1928 wrote to memory of 2152	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	41
PID 1928 wrote to memory of 2152	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	41
PID 1928 wrote to memory of 2152	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	41
PID 1928 wrote to memory of 2152	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	41
PID 1928 wrote to memory of 1972	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	40
PID 1928 wrote to memory of 1972	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	40
PID 1928 wrote to memory of 1972	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	40
PID 1928 wrote to memory of 1972	1928	{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe	40
PID 2152 wrote to memory of 2156	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	43
PID 2152 wrote to memory of 2156	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	43
PID 2152 wrote to memory of 2156	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	43
PID 2152 wrote to memory of 2156	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	43
PID 2152 wrote to memory of 1596	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	42
PID 2152 wrote to memory of 1596	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	42
PID 2152 wrote to memory of 1596	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	42
PID 2152 wrote to memory of 1596	2152	{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe	42
PID 2156 wrote to memory of 956	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	44
PID 2156 wrote to memory of 956	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	44
PID 2156 wrote to memory of 956	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	44
PID 2156 wrote to memory of 956	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	44
PID 2156 wrote to memory of 1968	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	45
PID 2156 wrote to memory of 1968	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	45
PID 2156 wrote to memory of 1968	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	45
PID 2156 wrote to memory of 1968	2156	{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
  C:\Windows\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B2B~1.EXE > nul
    3⤵
    PID:3000
- - C:\Windows\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
    C:\Windows\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
      C:\Windows\{816B3861-CC68-4457-AACC-722533DF2E6C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{816B3~1.EXE > nul
        5⤵
        
        PID:240
    - - C:\Windows\{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
        
        C:\Windows\{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
      - C:\Windows\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe
        
        C:\Windows\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1ADB~1.EXE > nul
        7⤵
        
        PID:1972
        
        C:\Windows\{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
        
        C:\Windows\{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03387~1.EXE > nul
        8⤵
        
        PID:1596
        
        C:\Windows\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe
        
        C:\Windows\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
        
        C:\Windows\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
        
        C:\Windows\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe
        
        C:\Windows\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}.exe
        
        C:\Windows\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}.exe
        12⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E15C~1.EXE > nul
        12⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE8F~1.EXE > nul
        11⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CFBD~1.EXE > nul
        10⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AAE3~1.EXE > nul
        9⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66B31~1.EXE > nul
        6⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D34~1.EXE > nul
      4⤵
      PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{033875CF-3CA7-4c54-A7AC-1049FA783330}.exe

Filesize
408KB

MD5
0b03a353ce55fb80a55ee69e09adb328

SHA1
501e0ae05c69540d465d0e5d4994150e36892dea

SHA256
b72bfabde5c4aef6491d22799ea507b99baef933fb9708a379504ba677d09727

SHA512
ea4763ed39fb0a30732265ac5e932572b67df9c50c0ac492d8dc6edefa879b689884d05a2619cb63b589d5d17134ab7ff93add7bd1f6bf598aa8a46c4790261d

Download Submit
C:\Windows\{4CFBD92B-857D-415d-9DA8-52FAEC67B73C}.exe

Filesize
408KB

MD5
40add9ded109b21c69d318d07988a3de

SHA1
c55e056fe3a2b1619cdc78348b1082d7eaa347b1

SHA256
578b7bd201d93ceee71755da7d69f0e06469de68277afb2ce3ba64006c772f58

SHA512
c68e7f5dd4a79d55b72598c5430512477fa8847a10b219609bc50f2f16b7e313361d4c68faf04cdd629a5e772698c98d814caf4a46dffa7c34c02374c1df2494

Download Submit
C:\Windows\{66B317BA-3A68-44d3-BDBB-4B754317ED08}.exe

Filesize
408KB

MD5
e367da729d624f76ac4f04e6ecfd7bbd

SHA1
de764040e3c09b0676179bc8755a25b30bc71ae3

SHA256
dad32e344524216a3ef46ce5052a67ebbe850f31764e38509b47d1cba88fce6e

SHA512
331c87c148d841e19e0ef499f014ec90d923b5f57ee5d5f63e23235cabfb6a2304c9b0aad16cc78fe02af0af0164c147fd55e22dc6b1bf470b020250928af01d

Download Submit
C:\Windows\{6AAE3F8E-9AFA-42b5-B98E-AB37EA6CE33C}.exe

Filesize
408KB

MD5
d6fd83c95cdafce787557d5b9bd70420

SHA1
44baf76835d7df7386b8c994ae5f497cd1f80f89

SHA256
7501cc92b2fec10054f74feb7af394039db7ffdc9bd3ca93347b33e27d794002

SHA512
67f10243394ed234bf54925654c6bbdf25647f75914841d0173838f22700aa0a9314bf57a04598772d8ddf962bbb2cac58b6701184b1c3eb874a9136a8652c27

Download Submit
C:\Windows\{7E15CEAE-EA51-4629-94ED-AB2BB131E8F3}.exe

Filesize
408KB

MD5
cd23a14de46f994eef1aa8f526c30afe

SHA1
3c078c64111502c15754869ef7d603016d82c700

SHA256
70665c5fa810d4365774a04ed9c3f869b677d6572edc61eaf59fcd9dcc629c09

SHA512
b1d09db97d1c58b1e185e64f2f8c2b13bd3c5d7012a6eb888a044cc05382d0ec75b15cfbf54f0766ab4bea526bd8f5c1aecf5fb05bfd8849daf8a96dc43fcde7

Download Submit
C:\Windows\{816B3861-CC68-4457-AACC-722533DF2E6C}.exe

Filesize
408KB

MD5
b40f94030e2a838ef07181a844eeb087

SHA1
5179696e8850a2559b74d976c3f73143e53cbb95

SHA256
dd9e4a1b9fe5c2627b9bea3c2677cdba0999a2b7dce9e8e24cd6d8599a904fa7

SHA512
06286b4c8fbbe1963b6c9a239959540af5dc0c7ead482d0112f7f9075e22321fa3e77fe1db18339d3adeadea5b0e7beba937787bf0471f630eeb6b8c37bb3568

Download Submit
C:\Windows\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe

Filesize
408KB

MD5
c5f5103c41c61194fef2b7b5dd586fd3

SHA1
714fdfa14cecd1f43d3ee53bdc6ff159e6c9a531

SHA256
bae847f8e5e1f209dcd30ed9d6aca576c8a0eee212ea515f274b58da56c63bcd

SHA512
0e7785d284490cbfec920249425b5869fa6c3a822b3c8737964ffef408d2b1e3bc8fc4f4123e6ea33ed404a2ee446c8417cc0a24df32eca351021bfcc28c681e

Download Submit
C:\Windows\{BBE8FE35-8218-43a2-9C22-CE963FD8B429}.exe

Filesize
256KB

MD5
6ae19ba9e0ce10e6bac94193b874509c

SHA1
8e25950ceeebbf704767efcf582187a66de2ac2c

SHA256
c20f0635bd8df5315aae58fe6ab35dab4b085fa9ce4cb8d58d6d16972d6626d1

SHA512
ccd6a11806ec5a47d8f500cf6e316edfe59acf4612285fd2c5697b50c09107e56d9e5eeec74d51b57540f84f39378e290e8b1ccaa8477130cb72247d1ec52ba5

Download Submit
C:\Windows\{C3D346E4-33A7-4439-B4A5-7C1BB0FCBA35}.exe

Filesize
408KB

MD5
5a3ba7005992734a4e2b7ace9b92e8f0

SHA1
3663b4953efa82bb5b04d813c6d5b53b6b9aaf63

SHA256
f6cca1ecb6972c8040f54af39aa44a77ec366aaf812c7b80dc9ca415b1b2eecf

SHA512
3114eaaa8c1151e983fac75a57521ffea367772beba2c9566c37ac6248c75202b8fdf84116e3af1dcab0cc191e8e519cacb5ab79dd9c64e564867d685e3c1d14

Download Submit
C:\Windows\{E6B2B951-5F06-4c00-8F77-04422EBE28A3}.exe

Filesize
408KB

MD5
e09b0e81612c55e9ee6f5a01cef1f511

SHA1
04eccbc57a785c2931dc0bd88ef6e9a407d1cc35

SHA256
6f05dc787160710dca10d7ac863abdfe6aa5c582cb11b4af4b75acd844f8575e

SHA512
8b3f01cc8a54c991d81b0361670bdab9cf1a9d1908777248c87453fb35cbe8343731d0f207c51cb762d723b144eae6033b3d7ea404e078461d27a8b318a54a20

Download Submit
C:\Windows\{F1ADBD5E-80FD-4df8-BB2C-79DACDFD76E5}.exe

Filesize
408KB

MD5
996995952452ad8c8f52dee1e8ba787b

SHA1
7521bdbc533a8a11790cc50d4d972bf325f62001

SHA256
2b5e7f7523e383a5b1964aad7f59530e221fc3dd89ecc812acc3fac0e9ef20c7

SHA512
28ca1bdcd188f0f1185d8966c8a35c7577bd10d4fe77aa06b4d49595a7b934b39970f86aa058a819976a0888371435f4f7d4a0b501322af63eed1b9c12f1968b

Download Submit
C:\Windows\{FBFFE457-D31F-46ca-9EB1-B5731D3F08AE}.exe

Filesize
408KB

MD5
bed224c7610ed506385b818fe0dd3cad

SHA1
b5e4d2064eff5d65873a4f1bdde63b29e90e2959

SHA256
aa382886ea6a48fea32d8a177777cb12cf126af0482f8760bb074c03d9d8e43c

SHA512
edc4b8aefd0f3ff5e6de3ac220aabdc655f84d47cac0942a8023ce69e8683653fdd274f786a14610bbdf94c90a0b51d9d043ed834719233c294ed5874b0ad538

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads