860bb45f54aca7a4689a0fd8b8c5b7598077814797b59a460fb3db0a1411c01c

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe
Size

204KB
MD5

65c8f385a614845c4a47c858e19975a8
SHA1

82efe53e5b9b1e92e43fdf3dcb230067bccc6295
SHA256

860bb45f54aca7a4689a0fd8b8c5b7598077814797b59a460fb3db0a1411c01c
SHA512

ac9fad90e52989e927203805a87513cd282c486489f20049054ca8da2609069625007d3f454b41b8f17b14d4fd4284fd4598bb3184db31d64c0ef4fcfa4146c6
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014227-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014313-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014227-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001458f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001458f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001458f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001458f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}\stubpath = "C:\\Windows\\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe"	{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{707BB2EB-2389-41cc-8972-529443A42426}	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{707BB2EB-2389-41cc-8972-529443A42426}\stubpath = "C:\\Windows\\{707BB2EB-2389-41cc-8972-529443A42426}.exe"	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}\stubpath = "C:\\Windows\\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe"	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09B974C4-53AA-4a13-8D50-29728290B8F9}	{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}\stubpath = "C:\\Windows\\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe"	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C30360-E77E-4095-A0B9-E6645641B68F}\stubpath = "C:\\Windows\\{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe"	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DD767BD-9E6D-4cfa-9A23-999123640713}	{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DD767BD-9E6D-4cfa-9A23-999123640713}\stubpath = "C:\\Windows\\{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe"	{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09B974C4-53AA-4a13-8D50-29728290B8F9}\stubpath = "C:\\Windows\\{09B974C4-53AA-4a13-8D50-29728290B8F9}.exe"	{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242A588C-EC70-49ba-BAC9-983816D27F49}	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92192227-F3B1-4794-B84A-3A2CF183211B}	{707BB2EB-2389-41cc-8972-529443A42426}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92192227-F3B1-4794-B84A-3A2CF183211B}\stubpath = "C:\\Windows\\{92192227-F3B1-4794-B84A-3A2CF183211B}.exe"	{707BB2EB-2389-41cc-8972-529443A42426}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C30360-E77E-4095-A0B9-E6645641B68F}	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}	{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242A588C-EC70-49ba-BAC9-983816D27F49}\stubpath = "C:\\Windows\\{242A588C-EC70-49ba-BAC9-983816D27F49}.exe"	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}\stubpath = "C:\\Windows\\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe"	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}\stubpath = "C:\\Windows\\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe"	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe

Deletes itself 1 IoCs

pid	Process
1312	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe
2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe
380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
828	{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
2096	{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
596	{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe
2272	{09B974C4-53AA-4a13-8D50-29728290B8F9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe
File created	C:\Windows\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
File created	C:\Windows\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe
File created	C:\Windows\{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
File created	C:\Windows\{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe	{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
File created	C:\Windows\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe	{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
File created	C:\Windows\{707BB2EB-2389-41cc-8972-529443A42426}.exe	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
File created	C:\Windows\{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	{707BB2EB-2389-41cc-8972-529443A42426}.exe
File created	C:\Windows\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
File created	C:\Windows\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
File created	C:\Windows\{09B974C4-53AA-4a13-8D50-29728290B8F9}.exe	{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
Token: SeIncBasePriorityPrivilege	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
Token: SeIncBasePriorityPrivilege	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe
Token: SeIncBasePriorityPrivilege	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
Token: SeIncBasePriorityPrivilege	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
Token: SeIncBasePriorityPrivilege	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe
Token: SeIncBasePriorityPrivilege	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
Token: SeIncBasePriorityPrivilege	828	{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
Token: SeIncBasePriorityPrivilege	2096	{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
Token: SeIncBasePriorityPrivilege	596	{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1132	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	28
PID 2444 wrote to memory of 1132	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	28
PID 2444 wrote to memory of 1132	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	28
PID 2444 wrote to memory of 1132	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	28
PID 2444 wrote to memory of 1312	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	29
PID 2444 wrote to memory of 1312	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	29
PID 2444 wrote to memory of 1312	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	29
PID 2444 wrote to memory of 1312	2444	2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe	29
PID 1132 wrote to memory of 2764	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	30
PID 1132 wrote to memory of 2764	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	30
PID 1132 wrote to memory of 2764	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	30
PID 1132 wrote to memory of 2764	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	30
PID 1132 wrote to memory of 2804	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	31
PID 1132 wrote to memory of 2804	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	31
PID 1132 wrote to memory of 2804	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	31
PID 1132 wrote to memory of 2804	1132	{242A588C-EC70-49ba-BAC9-983816D27F49}.exe	31
PID 2764 wrote to memory of 3012	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	32
PID 2764 wrote to memory of 3012	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	32
PID 2764 wrote to memory of 3012	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	32
PID 2764 wrote to memory of 3012	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	32
PID 2764 wrote to memory of 2404	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	33
PID 2764 wrote to memory of 2404	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	33
PID 2764 wrote to memory of 2404	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	33
PID 2764 wrote to memory of 2404	2764	{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe	33
PID 3012 wrote to memory of 2696	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	36
PID 3012 wrote to memory of 2696	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	36
PID 3012 wrote to memory of 2696	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	36
PID 3012 wrote to memory of 2696	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	36
PID 3012 wrote to memory of 2232	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	37
PID 3012 wrote to memory of 2232	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	37
PID 3012 wrote to memory of 2232	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	37
PID 3012 wrote to memory of 2232	3012	{707BB2EB-2389-41cc-8972-529443A42426}.exe	37
PID 2696 wrote to memory of 1760	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	38
PID 2696 wrote to memory of 1760	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	38
PID 2696 wrote to memory of 1760	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	38
PID 2696 wrote to memory of 1760	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	38
PID 2696 wrote to memory of 2860	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	39
PID 2696 wrote to memory of 2860	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	39
PID 2696 wrote to memory of 2860	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	39
PID 2696 wrote to memory of 2860	2696	{92192227-F3B1-4794-B84A-3A2CF183211B}.exe	39
PID 1760 wrote to memory of 2376	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	40
PID 1760 wrote to memory of 2376	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	40
PID 1760 wrote to memory of 2376	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	40
PID 1760 wrote to memory of 2376	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	40
PID 1760 wrote to memory of 1228	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	41
PID 1760 wrote to memory of 1228	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	41
PID 1760 wrote to memory of 1228	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	41
PID 1760 wrote to memory of 1228	1760	{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe	41
PID 2376 wrote to memory of 380	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	42
PID 2376 wrote to memory of 380	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	42
PID 2376 wrote to memory of 380	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	42
PID 2376 wrote to memory of 380	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	42
PID 2376 wrote to memory of 2720	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	43
PID 2376 wrote to memory of 2720	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	43
PID 2376 wrote to memory of 2720	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	43
PID 2376 wrote to memory of 2720	2376	{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe	43
PID 380 wrote to memory of 828	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	44
PID 380 wrote to memory of 828	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	44
PID 380 wrote to memory of 828	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	44
PID 380 wrote to memory of 828	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	44
PID 380 wrote to memory of 1720	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	45
PID 380 wrote to memory of 1720	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	45
PID 380 wrote to memory of 1720	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	45
PID 380 wrote to memory of 1720	380	{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_65c8f385a614845c4a47c858e19975a8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
  C:\Windows\{242A588C-EC70-49ba-BAC9-983816D27F49}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
    C:\Windows\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{707BB2EB-2389-41cc-8972-529443A42426}.exe
      C:\Windows\{707BB2EB-2389-41cc-8972-529443A42426}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
        
        C:\Windows\{92192227-F3B1-4794-B84A-3A2CF183211B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
        
        C:\Windows\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe
        
        C:\Windows\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
        
        C:\Windows\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
        
        C:\Windows\{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
        
        C:\Windows\{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe
        
        C:\Windows\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{09B974C4-53AA-4a13-8D50-29728290B8F9}.exe
        
        C:\Windows\{09B974C4-53AA-4a13-8D50-29728290B8F9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50DD7~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DD76~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C30~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF08~1.EXE > nul
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E246~1.EXE > nul
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BCE~1.EXE > nul
        7⤵
        
        PID:1228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92192~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{707BB~1.EXE > nul
        5⤵
        
        PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0EF5~1.EXE > nul
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{242A5~1.EXE > nul
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09B974C4-53AA-4a13-8D50-29728290B8F9}.exe

Filesize
204KB

MD5
c7b35f674647cb819172fee33acc04ad

SHA1
304e3dbd0e6756af8214d4bd88c82a246ed7f8db

SHA256
b4f3ef0b38868046a59079ae5395825742a7bc0046796738029be192a01e1917

SHA512
119f6bdb5d8c609a993a203433876d4184dd6602b34ce4f8a45009bce7e415ffa487bb6a13e0fc4027551beee43da92ae290338f3c0bb448c72c4b70169afbe5

Download Submit
C:\Windows\{0DD767BD-9E6D-4cfa-9A23-999123640713}.exe

Filesize
204KB

MD5
d0283f012ecc51801ab1f8854e519225

SHA1
61f38df2bd5f2fcbd7311686c3da885c2f64c548

SHA256
73550b7b8d356597d33c9d3f5316531ebee25610167945d4e77e91453d4d2d14

SHA512
9d30f4af1e27bd20acfb636d4daa9dd8809a846c5d897cc8394734b672892d3dc9ff81fe09ff7c9de383b094e26f7d52993d1b83a6f05fa8effd012dfe875b45

Download Submit
C:\Windows\{242A588C-EC70-49ba-BAC9-983816D27F49}.exe

Filesize
204KB

MD5
146a83fa69c97c301de431e96a4991ed

SHA1
8b7294e8bc909218272613d71719a7b324e3aaa8

SHA256
8e7948090a34341e40a6fc7d392ee80818edb12edea928d6224a6f17a45f1dfa

SHA512
d02512420a5b041cf2ec2a521b7ad5132a31bd0e95824c202a0516d43fb740a8a520f1852031fe5b8ab2a502f41dfc81b138f6b6f53962b315c5cc56f017e325

Download Submit
C:\Windows\{4AF0827E-D7B1-4401-8D5B-450B0F1F0A7A}.exe

Filesize
204KB

MD5
8f5f4fb3225d94a353f7d0935c4bccbe

SHA1
090dc625fae53915a48908f347aa885ea04fc1a9

SHA256
0dd75a2be946b54b0ef6247dd24b0d0fe5f7c6f9f05375df1d354ee9c5be2798

SHA512
2eff3f177bdf43858848d3d0e76ad6c2e2fe2235c4bc9f4cae587c32fa4fe120a9ad3abb27dcd5e32c27e983f0b7442057fb8763eb471fffb2c440ba81bc0a81

Download Submit
C:\Windows\{4E246EE8-A619-46e8-A16C-D7EFC2B04C4C}.exe

Filesize
204KB

MD5
6a716b8c3a12a7320101d94bff7becf9

SHA1
991ab207c243b713686feda6b32d38ef19faf386

SHA256
c22d9b4cc22af7af842a1c73ae9c9c4c6ec6a911bfc5f056dabdea319865e7fe

SHA512
e056cdde0a9a98111c149ca519c200cb268eb091d63f33819ef96d71c14fab4856c21a6894ef38b1d46fa0a3cf2c937da091cc3c950dec908b95756d2281cfa2

Download Submit
C:\Windows\{50DD7AEB-A479-40a4-84ED-6E4B91557D9C}.exe

Filesize
204KB

MD5
b72e610773dc191d7c38d0ac1519e6ef

SHA1
0a3b3df5454c046a0d9fc138bf18308a277ca69c

SHA256
d7c0d16516e48741e2d7ff44373c390b9d07f78628c316af539d4394609002bb

SHA512
10c42fee5ed8f2339743609912ddf1a549ca5c242950f2aebe8197e69a4f959751aa6de0a64c14cce68b458331c7533206f2536adc0c63513cf78f5ddc5016f9

Download Submit
C:\Windows\{53BCE1F1-CAF0-4b23-AE3E-915D204B2277}.exe

Filesize
204KB

MD5
03049bffa20294f189cf5c74354ca79a

SHA1
b409a793f4afc051461152efeeb0175f4d8ac9a1

SHA256
526462090f943245bd8492841431288d411c14eeea2dde1da4241a478e9e9598

SHA512
0f4ae034b89f629f978da48eefc965b67976059c3bd21297e99a693cd62315ac154638f080510b54ef1ba56f75b21638480ce54a1df0b9d1a05d20a6dc0b79a8

Download Submit
C:\Windows\{707BB2EB-2389-41cc-8972-529443A42426}.exe

Filesize
204KB

MD5
debd2aa3c0c2811452a80767eece1e74

SHA1
190b7d867278c02f5058c5aaffeb9b1a57b60c7a

SHA256
6f2608788c4f4f84cd0b58e63ab6b4409c52944950db151927983388873e75c6

SHA512
129b4a5d66dfee37ec2ed230305c1a6f1b641c075c22c8dfa1531c8198d5c8a2978b5fa6f290a1229289345627efca262a7d7a03bb3e0213dc4242f7aec2374e

Download Submit
C:\Windows\{92192227-F3B1-4794-B84A-3A2CF183211B}.exe

Filesize
204KB

MD5
092c1338021557d62cb4e1eb5bea6ffa

SHA1
08c812a38bd2013f56ffa5c21b37eaba35ac7f37

SHA256
2c2bcfe41ee853e395ca8f6b20a89189f9ca309c9d7f8971e661275f552c21d8

SHA512
ea43f0b8771c1f1e8124cd876ec5b9ccca454604cfd8326d8c09ccbaa1cfe9e832e9a071b93dec3bdb9a2dc365d2bf71ea2c04bd4333d2dff58687e8202e1c30

Download Submit
C:\Windows\{F0EF5445-9C49-4656-868D-AE1A00E59B6D}.exe

Filesize
204KB

MD5
3c70592a68d694e4a1998e76d5fddb19

SHA1
f730d5c55f2f394bc119848b4d4266e09c2af30f

SHA256
05582ae5cc972f78e6bf4a49c78e9ed68e262679c78f9a8a95fb20887a50b160

SHA512
9b158b472019422e0459c218b257c0a43552d7957097818fc2ea80453dc3c259a64af9c2061531be0f876473535823a9ea7b6e81bba3b91017693bd9bf46e95f

Download Submit
C:\Windows\{F6C30360-E77E-4095-A0B9-E6645641B68F}.exe

Filesize
204KB

MD5
a952b6685353f74b1cf5c21093b9ef64

SHA1
9c4f5f5d0fdb6b57b14dd107adc6d8675a271501

SHA256
b1582a78bd6fa8b4512bdb2ea60a4e472aba248403d78917df9f2e207079ad93

SHA512
527a3fa4ffd266b136cad0a7af87e2631e1e55ecae99f08b4fc4ee77fde3543b426844831dfe84458137ec68890fda1f021609e29a73215e72ea4be8fcecc203

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads