6135d8a2facd519630a607fad27002069d9dd398ee9aa975795f65a77b541097

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Size

180KB
MD5

96495a758464e06885b3d36dfe87f2ca
SHA1

21726a5e2ea56c2ac1feb1ed7339ba988282ba9e
SHA256

6135d8a2facd519630a607fad27002069d9dd398ee9aa975795f65a77b541097
SHA512

8b3940203a02cdbcdad2a4f482c63f63b3ec3f0378334715f0d1645a0df073485e72addefbb2e2e56cfec76b493c4b20315b2fa5677913296ef9b8378511c79b
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001222d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012270-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001222d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b00000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c00000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}\stubpath = "C:\\Windows\\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe"	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9F463A8-9F09-41a5-A9E5-752590882A21}	{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}	{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}\stubpath = "C:\\Windows\\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe"	{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}\stubpath = "C:\\Windows\\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe"	{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}\stubpath = "C:\\Windows\\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe"	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06EF3323-F2C9-46de-8156-CD98A39902A6}	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}\stubpath = "C:\\Windows\\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe"	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E51DF00D-878D-45cb-BB7C-086979D5E84E}	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E51DF00D-878D-45cb-BB7C-086979D5E84E}\stubpath = "C:\\Windows\\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe"	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}	{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BD08258-7973-4c21-8672-71EC15AAF19A}\stubpath = "C:\\Windows\\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe"	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}\stubpath = "C:\\Windows\\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe"	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06EF3323-F2C9-46de-8156-CD98A39902A6}\stubpath = "C:\\Windows\\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe"	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14290696-1A52-499e-8C91-97F81A3C22B8}	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14290696-1A52-499e-8C91-97F81A3C22B8}\stubpath = "C:\\Windows\\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe"	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9F463A8-9F09-41a5-A9E5-752590882A21}\stubpath = "C:\\Windows\\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe"	{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BD08258-7973-4c21-8672-71EC15AAF19A}	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
664	{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
572	{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
2444	{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
1716	{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
File created	C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
File created	C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
File created	C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe	{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
File created	C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe	{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
File created	C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
File created	C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
File created	C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
File created	C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
File created	C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
File created	C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe	{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
Token: SeIncBasePriorityPrivilege	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
Token: SeIncBasePriorityPrivilege	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
Token: SeIncBasePriorityPrivilege	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
Token: SeIncBasePriorityPrivilege	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
Token: SeIncBasePriorityPrivilege	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
Token: SeIncBasePriorityPrivilege	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
Token: SeIncBasePriorityPrivilege	664	{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
Token: SeIncBasePriorityPrivilege	572	{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
Token: SeIncBasePriorityPrivilege	2444	{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2396	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	28
PID 2128 wrote to memory of 2396	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	28
PID 2128 wrote to memory of 2396	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	28
PID 2128 wrote to memory of 2396	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	28
PID 2128 wrote to memory of 2724	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	29
PID 2128 wrote to memory of 2724	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	29
PID 2128 wrote to memory of 2724	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	29
PID 2128 wrote to memory of 2724	2128	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	29
PID 2396 wrote to memory of 2592	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	30
PID 2396 wrote to memory of 2592	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	30
PID 2396 wrote to memory of 2592	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	30
PID 2396 wrote to memory of 2592	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	30
PID 2396 wrote to memory of 2740	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	31
PID 2396 wrote to memory of 2740	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	31
PID 2396 wrote to memory of 2740	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	31
PID 2396 wrote to memory of 2740	2396	{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe	31
PID 2592 wrote to memory of 2716	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	32
PID 2592 wrote to memory of 2716	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	32
PID 2592 wrote to memory of 2716	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	32
PID 2592 wrote to memory of 2716	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	32
PID 2592 wrote to memory of 2776	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	33
PID 2592 wrote to memory of 2776	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	33
PID 2592 wrote to memory of 2776	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	33
PID 2592 wrote to memory of 2776	2592	{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe	33
PID 2716 wrote to memory of 108	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	36
PID 2716 wrote to memory of 108	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	36
PID 2716 wrote to memory of 108	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	36
PID 2716 wrote to memory of 108	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	36
PID 2716 wrote to memory of 2912	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	37
PID 2716 wrote to memory of 2912	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	37
PID 2716 wrote to memory of 2912	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	37
PID 2716 wrote to memory of 2912	2716	{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe	37
PID 108 wrote to memory of 1376	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	38
PID 108 wrote to memory of 1376	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	38
PID 108 wrote to memory of 1376	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	38
PID 108 wrote to memory of 1376	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	38
PID 108 wrote to memory of 320	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	39
PID 108 wrote to memory of 320	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	39
PID 108 wrote to memory of 320	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	39
PID 108 wrote to memory of 320	108	{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe	39
PID 1376 wrote to memory of 2476	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	40
PID 1376 wrote to memory of 2476	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	40
PID 1376 wrote to memory of 2476	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	40
PID 1376 wrote to memory of 2476	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	40
PID 1376 wrote to memory of 1008	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	41
PID 1376 wrote to memory of 1008	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	41
PID 1376 wrote to memory of 1008	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	41
PID 1376 wrote to memory of 1008	1376	{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe	41
PID 2476 wrote to memory of 1576	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	43
PID 2476 wrote to memory of 1576	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	43
PID 2476 wrote to memory of 1576	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	43
PID 2476 wrote to memory of 1576	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	43
PID 2476 wrote to memory of 268	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	42
PID 2476 wrote to memory of 268	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	42
PID 2476 wrote to memory of 268	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	42
PID 2476 wrote to memory of 268	2476	{14290696-1A52-499e-8C91-97F81A3C22B8}.exe	42
PID 1576 wrote to memory of 664	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	45
PID 1576 wrote to memory of 664	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	45
PID 1576 wrote to memory of 664	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	45
PID 1576 wrote to memory of 664	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	45
PID 1576 wrote to memory of 1252	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	44
PID 1576 wrote to memory of 1252	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	44
PID 1576 wrote to memory of 1252	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	44
PID 1576 wrote to memory of 1252	1576	{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
  C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
    C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
      C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
        
        C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:108
      - C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
        
        C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
        
        C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14290~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
        
        C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE9C9~1.EXE > nul
        9⤵
        
        PID:1252
        
        C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
        
        C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
        
        C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6119~1.EXE > nul
        11⤵
        
        PID:2960
        
        C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
        
        C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe
        
        C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F46~1.EXE > nul
        12⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E51DF~1.EXE > nul
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06EF3~1.EXE > nul
        7⤵
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B05F~1.EXE > nul
        6⤵
        
        PID:320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AED1~1.EXE > nul
        5⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E30A3~1.EXE > nul
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD08~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe

Filesize
180KB

MD5
2e32bb520520f4600e4eca29fd7bad21

SHA1
ceaf19bc2814e368c254c6fdc9628c2a7e024be0

SHA256
a241d5ecb6ef04fa57b83a9de69d6cda91f1f21f10cf0096160b3979eabb2f6b

SHA512
c6965f87a64969cf9238390f03261e197ec3070d3830f891d6dc9f64a9bdb257cbe68046d8639a809042e75a82239f6338ef1176f48bce52a2d6cbc4e0d28721

Download Submit
C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe

Filesize
180KB

MD5
ba783672eed8cc370ae70b75b9c4cdda

SHA1
f78713bc036344ce39371af72306023f41a813d3

SHA256
7c77f9a28e2ca141cf524528f7d18d18c5bfb2bdf94da492e338caa7e52a0770

SHA512
7da042e50ccc49621fd3f200c29b7c51254e54500dcea89121a16c21b2617ead8f8a6ca460f2cb8e1c30ee7a24a1fc40d7358cb7efa72c5917f47d5e74f6e027

Download Submit
C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe

Filesize
180KB

MD5
0077c306b321681ee6903b8dc2d0c9ae

SHA1
4ab1e46fe2b16341e9316591d77a18d7f199b5c8

SHA256
ec0862ec51828325203f0c6ba370985b66165b8fc1f977e2c2f23813cf094b4c

SHA512
f99ac3d93ec3ada701c257504749e89e618183e0d2b59bf70eb1d87a051f733738d46a0a564efbdd3177d554d99bcc128b4d254d071f7e03748f221ede36262d

Download Submit
C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe

Filesize
180KB

MD5
5596d43596a5c581228786ce8156560f

SHA1
4d161257d073a0d6f0c090cb28dab1240d53d4ea

SHA256
20b1b9b3c428bda148c5b04c458e519253ff4f4e1a35903578f01f65e41249e4

SHA512
90990b1dbb9cfee51813b90d5ca5acc0402b04fbd8912b18c21f00e9db8e22f720330d39d0a02b434bea02117d19a3a638c64f07aa02d3a9e93fc8c7ec823642

Download Submit
C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe

Filesize
180KB

MD5
40d98e5d6b499030bccba25d6a43fc96

SHA1
1c76600674518e47726f06a052c5821ccf03f186

SHA256
9e1805cbffcd1ab8739a742abc48f18e532eb0fbf468a17540061374767cd13f

SHA512
63fc80c5af87c18bcee228b6f56a2b09abd673fb02e8f639fd5922cd363905b5c01bf7b73fef388852c936718850bb3f7658e0b7c3720b4f48c2aa81a080ee58

Download Submit
C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe

Filesize
180KB

MD5
4bc29995f451f438d33d208dcf13f363

SHA1
5661a1dc8893101e1218393f2cd7094935c79f2a

SHA256
1b531fe6886bd7c761af0945232ec9372422ba6f38c8850bb8bf347d703c5b5f

SHA512
98d5917d29dbaf28e6d31dac7727f00f44f1e5923149e86cabaaf36ba1969743d9567a8a023811ca36648dee8ba0cee6be2120267e2df2b6a79b7d0323505dca

Download Submit
C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe

Filesize
180KB

MD5
1f8b8dfdbd8acdb1e7dffdd7129aace0

SHA1
eca4d23386fef8e040c68155bc86982e8b7c7f74

SHA256
8781e33b54f104dfbe69f20a4c38e4daa4766e2f5b03f05210720f8b79355cda

SHA512
c6ab3cdb4b5a15794bf083bef0c8a4a96fe24033030838e1cda52790b2f78d426faca9a9af1989bfe2d1b2e7228aa7b792ee2598e49e458e261fc9be60793fe9

Download Submit
C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe

Filesize
180KB

MD5
715f2c0ad620cd3b93ae26c6b2092664

SHA1
aa23eda537b1ee7e6d117ee88594f6121f621da1

SHA256
8addc6a3427500caee3d7470af69309ebfb3a0563b043e60d7892512af9c9043

SHA512
358d0cb97dd489e83faa5b6998c87838a7faefb0ac1693030d41826ba739fcdfe136957d16e9bc7d5ce6722960dcd4b598abfadf81ce7210f462e6bf2c5d55aa

Download Submit
C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe

Filesize
180KB

MD5
f68515a0efe911710f0a9055c35d8914

SHA1
beb5b4a5bfb52cf593b29c8535be72a87faf6b54

SHA256
273a61b3ccd34049d6c2cd872a6974a6b1f5bd19d2544a6ec340ce45e3ac6b8e

SHA512
a8aa1c94bd0132692e06534a2bd21e7825863ef3b4b2a83a0f84f49e3430adbcbf0f5d8c6e26603c497183f90cc4f89f7a18e83dd38d5af4e82d96ffd966ca4a

Download Submit
C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe

Filesize
180KB

MD5
23845faba6e2be38265d92542d65f03a

SHA1
04881796f151993cffad10c0ae5cfe966421e5b1

SHA256
13c0e733bfa5384769c84df119c1a6877c2fc6b003bc340735ab9b26a171d444

SHA512
80c64b90c48c5a8aff8922ced41c57de7811dd83e7d56336efb93467e160d242aef64f04d1f467b2b850f1a3af16ae8cd74cdc4333c2c9ca6c2d7aa559569a42

Download Submit
C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe

Filesize
180KB

MD5
82561a27ca6960a9d3a576e992bb2714

SHA1
55994b84c6721ca6771facf31872390f4ec86e2b

SHA256
669fa29ed8df9c6d5bcfc706bccbce05d4a6d9392a41edb6a930be8b2343e02b

SHA512
834d9faa2ee32473bc962a32f43ad399e96bde5613712af3cf9d1328f5980213e1a39707066126ebe8dee6d8f578e15e3a387166d93124cbdf4fe91bada2ad4f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads