093312433e929c2679134e0a3149cfe361e4cee0beecb0bc4b0d5974d8be2fe2

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Size

197KB
MD5

b07b25ff46e4ec1313ad891a5a3292eb
SHA1

e59c118a9431521febb259750b20f8a46a524381
SHA256

093312433e929c2679134e0a3149cfe361e4cee0beecb0bc4b0d5974d8be2fe2
SHA512

d05df002791471adca9c3029d5d1fdace56cbede6ad65bdcfa69bd678f95160fe7c2928890082dccb5455c13490a3cacce3df5376681a161453cd00c28aa413f
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGolEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012247-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012716-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012716-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012716-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00310000000139be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000139ea-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000139be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000139ea-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{913C7B81-4127-4870-A890-5D6D75BF69FD}	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}\stubpath = "C:\\Windows\\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe"	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}\stubpath = "C:\\Windows\\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe"	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8B902A-89E9-4633-9705-F9852EDE0033}	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8B902A-89E9-4633-9705-F9852EDE0033}\stubpath = "C:\\Windows\\{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe"	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B708F9B6-6D5C-4613-A806-2D4E44502551}\stubpath = "C:\\Windows\\{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe"	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}\stubpath = "C:\\Windows\\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe"	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{913C7B81-4127-4870-A890-5D6D75BF69FD}\stubpath = "C:\\Windows\\{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe"	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E44A1857-19AB-4e92-96C9-7A42F453B022}	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C44809-F1A3-4972-9054-722D6313F513}\stubpath = "C:\\Windows\\{65C44809-F1A3-4972-9054-722D6313F513}.exe"	{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F8032BE-19AF-41b8-8590-D2007527C1B1}\stubpath = "C:\\Windows\\{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe"	{65C44809-F1A3-4972-9054-722D6313F513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}\stubpath = "C:\\Windows\\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}.exe"	{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387561EB-6096-4a1d-B920-7AE5E9799DBA}	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C44809-F1A3-4972-9054-722D6313F513}	{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F8032BE-19AF-41b8-8590-D2007527C1B1}	{65C44809-F1A3-4972-9054-722D6313F513}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B708F9B6-6D5C-4613-A806-2D4E44502551}	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387561EB-6096-4a1d-B920-7AE5E9799DBA}\stubpath = "C:\\Windows\\{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe"	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E44A1857-19AB-4e92-96C9-7A42F453B022}\stubpath = "C:\\Windows\\{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe"	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}	{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
1524	{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
1672	{65C44809-F1A3-4972-9054-722D6313F513}.exe
1364	{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe
2436	{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
File created	C:\Windows\{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
File created	C:\Windows\{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe	{65C44809-F1A3-4972-9054-722D6313F513}.exe
File created	C:\Windows\{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
File created	C:\Windows\{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
File created	C:\Windows\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
File created	C:\Windows\{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
File created	C:\Windows\{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
File created	C:\Windows\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
File created	C:\Windows\{65C44809-F1A3-4972-9054-722D6313F513}.exe	{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
File created	C:\Windows\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}.exe	{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
Token: SeIncBasePriorityPrivilege	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
Token: SeIncBasePriorityPrivilege	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
Token: SeIncBasePriorityPrivilege	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
Token: SeIncBasePriorityPrivilege	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
Token: SeIncBasePriorityPrivilege	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
Token: SeIncBasePriorityPrivilege	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
Token: SeIncBasePriorityPrivilege	1524	{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
Token: SeIncBasePriorityPrivilege	1672	{65C44809-F1A3-4972-9054-722D6313F513}.exe
Token: SeIncBasePriorityPrivilege	1364	{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2652	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	28
PID 2916 wrote to memory of 2652	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	28
PID 2916 wrote to memory of 2652	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	28
PID 2916 wrote to memory of 2652	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	28
PID 2916 wrote to memory of 2776	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	29
PID 2916 wrote to memory of 2776	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	29
PID 2916 wrote to memory of 2776	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	29
PID 2916 wrote to memory of 2776	2916	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	29
PID 2652 wrote to memory of 2736	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	30
PID 2652 wrote to memory of 2736	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	30
PID 2652 wrote to memory of 2736	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	30
PID 2652 wrote to memory of 2736	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	30
PID 2652 wrote to memory of 2128	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	31
PID 2652 wrote to memory of 2128	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	31
PID 2652 wrote to memory of 2128	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	31
PID 2652 wrote to memory of 2128	2652	{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe	31
PID 2736 wrote to memory of 3004	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	34
PID 2736 wrote to memory of 3004	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	34
PID 2736 wrote to memory of 3004	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	34
PID 2736 wrote to memory of 3004	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	34
PID 2736 wrote to memory of 2316	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	35
PID 2736 wrote to memory of 2316	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	35
PID 2736 wrote to memory of 2316	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	35
PID 2736 wrote to memory of 2316	2736	{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe	35
PID 3004 wrote to memory of 2504	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	36
PID 3004 wrote to memory of 2504	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	36
PID 3004 wrote to memory of 2504	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	36
PID 3004 wrote to memory of 2504	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	36
PID 3004 wrote to memory of 1912	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	37
PID 3004 wrote to memory of 1912	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	37
PID 3004 wrote to memory of 1912	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	37
PID 3004 wrote to memory of 1912	3004	{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe	37
PID 2504 wrote to memory of 548	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	38
PID 2504 wrote to memory of 548	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	38
PID 2504 wrote to memory of 548	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	38
PID 2504 wrote to memory of 548	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	38
PID 2504 wrote to memory of 2860	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	39
PID 2504 wrote to memory of 2860	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	39
PID 2504 wrote to memory of 2860	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	39
PID 2504 wrote to memory of 2860	2504	{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe	39
PID 548 wrote to memory of 2892	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	40
PID 548 wrote to memory of 2892	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	40
PID 548 wrote to memory of 2892	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	40
PID 548 wrote to memory of 2892	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	40
PID 548 wrote to memory of 1600	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	41
PID 548 wrote to memory of 1600	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	41
PID 548 wrote to memory of 1600	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	41
PID 548 wrote to memory of 1600	548	{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe	41
PID 2892 wrote to memory of 800	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	42
PID 2892 wrote to memory of 800	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	42
PID 2892 wrote to memory of 800	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	42
PID 2892 wrote to memory of 800	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	42
PID 2892 wrote to memory of 1936	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	43
PID 2892 wrote to memory of 1936	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	43
PID 2892 wrote to memory of 1936	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	43
PID 2892 wrote to memory of 1936	2892	{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe	43
PID 800 wrote to memory of 1524	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	44
PID 800 wrote to memory of 1524	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	44
PID 800 wrote to memory of 1524	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	44
PID 800 wrote to memory of 1524	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	44
PID 800 wrote to memory of 1656	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	45
PID 800 wrote to memory of 1656	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	45
PID 800 wrote to memory of 1656	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	45
PID 800 wrote to memory of 1656	800	{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
  C:\Windows\{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
    C:\Windows\{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
      C:\Windows\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
        
        C:\Windows\{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
        
        C:\Windows\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
        
        C:\Windows\{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
        
        C:\Windows\{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
        
        C:\Windows\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{65C44809-F1A3-4972-9054-722D6313F513}.exe
        
        C:\Windows\{65C44809-F1A3-4972-9054-722D6313F513}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe
        
        C:\Windows\{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}.exe
        
        C:\Windows\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F803~1.EXE > nul
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C44~1.EXE > nul
        11⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC50F~1.EXE > nul
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A8B9~1.EXE > nul
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E44A1~1.EXE > nul
        8⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCD1A~1.EXE > nul
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{913C7~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF3F~1.EXE > nul
        5⤵
        
        PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38756~1.EXE > nul
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B708F~1.EXE > nul
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A8B902A-89E9-4633-9705-F9852EDE0033}.exe

Filesize
197KB

MD5
1283f554ae60ab2201d9b5deeaab4490

SHA1
627e4320e182bf996958598d220ebfd92134c97c

SHA256
9054da2021f8a52a0648d734b7d1c389ec519fc802137eaa14625761d88f60ad

SHA512
44b22034242fc392d6f260eae4cca4f3be92b2240d9f91fc2cf33b7ed177f268f64c57eded308b4930df197f558f4de98d3230582ea3ce68499d0807ffe3dfea

Download Submit
C:\Windows\{387561EB-6096-4a1d-B920-7AE5E9799DBA}.exe

Filesize
197KB

MD5
6745d3eb8d8370f579e5368a7bb5a3db

SHA1
470fa1bcae6d214cd7ee3f37fc91bb8202d13886

SHA256
af668bc9d66f8b069306c361849622eef590690b884f251686776c75cd80d3b2

SHA512
e0ae0f4eb9aa24d55899c0b5a8701a1d32eeb0cc2fd79509bc84b3c775ee60ece579fe7c17d0f7753b3e4d5c09641501ce2a689f90b4e71247f6b800466adcca

Download Submit
C:\Windows\{65C44809-F1A3-4972-9054-722D6313F513}.exe

Filesize
197KB

MD5
f27cc857b94a41dc154f504b5e0b6f61

SHA1
6c1569bea50401191e60168b2f568a6f40a3e025

SHA256
2ee4938aca1762c0d6b0bb96b482f4f70a938dfe707cf4f98ab13eb89067bb32

SHA512
2081ada5dc435876edaaac3b007e6552f6a45c19e6f052e78718b142008566235243fff30ecaf4094afbf41538cc72e194cfeba0e853b18eb6ed0ac241905f74

Download Submit
C:\Windows\{913C7B81-4127-4870-A890-5D6D75BF69FD}.exe

Filesize
197KB

MD5
badc2f21996b1e4710c038a4e2194dd2

SHA1
e6388477cc90dedd770c58cee31e9fbbaa6da9c7

SHA256
ebb5e4a7f2dcb5b9e34f512c81e63211f7d87d86492d281dd31ca740f36ac49e

SHA512
771fed026daac135031cd3e7b78d89452af791271791c8cf5734a48e2fa8fa3a7cbe0bbe18d44f9778a85f67817f85d8e98063bb58bbd7439d1385780135ea6b

Download Submit
C:\Windows\{9F8032BE-19AF-41b8-8590-D2007527C1B1}.exe

Filesize
197KB

MD5
f44427b2be365176d0b8d72972ddcd9b

SHA1
c4a478e62d98e11bd359908bda507b7db868db79

SHA256
7067ddf7bb3d08eca88cdb2d38100fb467cbc6e53e931d57ce591d404c982699

SHA512
87d3d0ae84be1a7bc88470b2cbbc12801de333bc02303af57b88b525a4e37ceff289050ca794f411cfc9d173d4e44e048c13eeb41e6695471f1d56490fcf3579

Download Submit
C:\Windows\{AFF3F489-C13E-40b0-9FE3-AFC8AC7C88E9}.exe

Filesize
197KB

MD5
976543a7f73941c75041303d6e14bb9f

SHA1
0651786aff5e01be058a5be731b85f8c2e1a57cd

SHA256
f6ce84101d637824897a89965a746b81de234d840fbf647729e0d4f183a058db

SHA512
79f34388739e981c24324ddcf150e7f1d2bd4165696b372171e5dfab1b87864cbfb743ca3757b4a607a89ee1f48e9d4aff68978009628037b2ab8b60546eaca4

Download Submit
C:\Windows\{B708F9B6-6D5C-4613-A806-2D4E44502551}.exe

Filesize
197KB

MD5
444240bd79de51e0479d182e88e6f8c5

SHA1
3fb581a5b0ca751a8784151755d3f949588072b8

SHA256
4ad3c298b8dc7a65b92a2c21961bed64e35e7b65704b624ad8bb4a14bba5d530

SHA512
7fe53071e16056feac0343e54deb0f772cafd926a34a550c0e89dcd87310f0995e2c5cfc8ffb7a6b2fa706269126305b703846f871a27b537247e6af8252c805

Download Submit
C:\Windows\{BCD1A943-CB2D-4f88-B2A5-9D386C90532D}.exe

Filesize
197KB

MD5
65de22e6f25ca2986d567f83a31aaf4b

SHA1
938096fd15dff1809b9d86aacae13405332ae432

SHA256
ee0702cb0ca5fb675992d0def59e23b21c54487d24fe99ec680482218ea19cd6

SHA512
63f25862646b6acc2a264fb44a8e8b02d9a6206aa1e9044ca9100ea4960a473695be2782a635089a3c1b3e600302b8bccb1abe6c8733488462f917d2a08287cc

Download Submit
C:\Windows\{CC50FE68-C6DB-4b2f-B13E-DE8441B0A90E}.exe

Filesize
197KB

MD5
7dd21cc927f78aba2481920d46c097e3

SHA1
7bf3bb2678acfdef6ef6665f0d91bce3737c5647

SHA256
308d072d580158fa5f013bc6d93cf5cce616182df98153b7328af4f6b28708a9

SHA512
2d1a4f48aa5ac515e3675b392e8ee77bd0313cb7640f47797f7b0c836f2c7109bed12b83d15c47b9c5ebfa95b8961aa40f4787bf8d641e459afc4bebaa84618c

Download Submit
C:\Windows\{CD42A3A6-366E-4fe7-AEC3-2571D6D301CC}.exe

Filesize
197KB

MD5
df09d1e9a49313bed3825cf54f86b2b4

SHA1
b0029dda1d001049ce687acf2fd26eab0ae56eca

SHA256
adbe1ada1a71fad1b3fe9bc9254ae1de628d158db8e7d3c17215c7ae04c51dab

SHA512
7ff2ace8d7cff9d4abb66bdea3bed5fe8c500f918c8655cd5ddd080c13f0074581160107df3c6eb933c9118a85aad2e1e015bb2881accc8842a5e2c5d8949e41

Download Submit
C:\Windows\{E44A1857-19AB-4e92-96C9-7A42F453B022}.exe

Filesize
197KB

MD5
d6dd2aeb42395612bccce32048500c0e

SHA1
dae7453562069263519f6a120a82b3ee613cface

SHA256
60ed99dcaf0e4ca3cca911948323348b8a9365a70d6068d91defba32e876cec7

SHA512
f3d97fc07abd542306d8d991e905c7fa44a58e521dfcc80e462df696f5a8e4e1862f58a47d389f102523b5b48bccb5258000c760024deb6ddf76b4456f4bdf47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads