0eb49b8b1e9c09d4dac3d001b58b35c668ac760fd4fd27c024e004cde26c3104

Analysis

max time kernel
144s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Size

216KB
MD5

0b1b517e5ce6791ff2124e7be863bb3f
SHA1

76be8dcf7f09e0c7b09a9cbacb12d2118af12145
SHA256

0eb49b8b1e9c09d4dac3d001b58b35c668ac760fd4fd27c024e004cde26c3104
SHA512

eb6a62f9791174cd38c5bfab27d0a2f7f0887b6fb875f56ace265863918d8aa43b94f66ee325af9abc06e005f9471e65556b69282dadbd53152b289b1e3bfeca
SSDEEP

3072:jEGh0o6l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGklEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126a2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}\stubpath = "C:\\Windows\\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe"	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{339BAD73-1C47-4698-B5B8-062321F007FA}	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{523C4636-2325-499f-9D71-89E6770D9837}\stubpath = "C:\\Windows\\{523C4636-2325-499f-9D71-89E6770D9837}.exe"	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}	{523C4636-2325-499f-9D71-89E6770D9837}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}\stubpath = "C:\\Windows\\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe"	{523C4636-2325-499f-9D71-89E6770D9837}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}\stubpath = "C:\\Windows\\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe"	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}	{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}\stubpath = "C:\\Windows\\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe"	{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}\stubpath = "C:\\Windows\\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe"	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}\stubpath = "C:\\Windows\\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe"	{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}	{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}\stubpath = "C:\\Windows\\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}.exe"	{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}\stubpath = "C:\\Windows\\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe"	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{523C4636-2325-499f-9D71-89E6770D9837}	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}	{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{339BAD73-1C47-4698-B5B8-062321F007FA}\stubpath = "C:\\Windows\\{339BAD73-1C47-4698-B5B8-062321F007FA}.exe"	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}\stubpath = "C:\\Windows\\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe"	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe
2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe
2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
1484	{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
1648	{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
2052	{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe
1200	{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
File created	C:\Windows\{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
File created	C:\Windows\{523C4636-2325-499f-9D71-89E6770D9837}.exe	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
File created	C:\Windows\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
File created	C:\Windows\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe	{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
File created	C:\Windows\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe	{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
File created	C:\Windows\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}.exe	{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe
File created	C:\Windows\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
File created	C:\Windows\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
File created	C:\Windows\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe
File created	C:\Windows\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	{523C4636-2325-499f-9D71-89E6770D9837}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
Token: SeIncBasePriorityPrivilege	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
Token: SeIncBasePriorityPrivilege	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
Token: SeIncBasePriorityPrivilege	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe
Token: SeIncBasePriorityPrivilege	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
Token: SeIncBasePriorityPrivilege	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe
Token: SeIncBasePriorityPrivilege	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
Token: SeIncBasePriorityPrivilege	1484	{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
Token: SeIncBasePriorityPrivilege	1648	{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
Token: SeIncBasePriorityPrivilege	2052	{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2356	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	28
PID 1996 wrote to memory of 2356	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	28
PID 1996 wrote to memory of 2356	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	28
PID 1996 wrote to memory of 2356	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	28
PID 1996 wrote to memory of 2684	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	29
PID 1996 wrote to memory of 2684	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	29
PID 1996 wrote to memory of 2684	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	29
PID 1996 wrote to memory of 2684	1996	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	29
PID 2356 wrote to memory of 2980	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	30
PID 2356 wrote to memory of 2980	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	30
PID 2356 wrote to memory of 2980	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	30
PID 2356 wrote to memory of 2980	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	30
PID 2356 wrote to memory of 2884	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	31
PID 2356 wrote to memory of 2884	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	31
PID 2356 wrote to memory of 2884	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	31
PID 2356 wrote to memory of 2884	2356	{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe	31
PID 2980 wrote to memory of 2692	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	32
PID 2980 wrote to memory of 2692	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	32
PID 2980 wrote to memory of 2692	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	32
PID 2980 wrote to memory of 2692	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	32
PID 2980 wrote to memory of 2668	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	33
PID 2980 wrote to memory of 2668	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	33
PID 2980 wrote to memory of 2668	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	33
PID 2980 wrote to memory of 2668	2980	{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe	33
PID 2692 wrote to memory of 240	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	36
PID 2692 wrote to memory of 240	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	36
PID 2692 wrote to memory of 240	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	36
PID 2692 wrote to memory of 240	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	36
PID 2692 wrote to memory of 2920	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	37
PID 2692 wrote to memory of 2920	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	37
PID 2692 wrote to memory of 2920	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	37
PID 2692 wrote to memory of 2920	2692	{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe	37
PID 240 wrote to memory of 2424	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	39
PID 240 wrote to memory of 2424	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	39
PID 240 wrote to memory of 2424	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	39
PID 240 wrote to memory of 2424	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	39
PID 240 wrote to memory of 2164	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	38
PID 240 wrote to memory of 2164	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	38
PID 240 wrote to memory of 2164	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	38
PID 240 wrote to memory of 2164	240	{339BAD73-1C47-4698-B5B8-062321F007FA}.exe	38
PID 2424 wrote to memory of 2148	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	40
PID 2424 wrote to memory of 2148	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	40
PID 2424 wrote to memory of 2148	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	40
PID 2424 wrote to memory of 2148	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	40
PID 2424 wrote to memory of 2152	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	41
PID 2424 wrote to memory of 2152	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	41
PID 2424 wrote to memory of 2152	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	41
PID 2424 wrote to memory of 2152	2424	{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe	41
PID 2148 wrote to memory of 2776	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	42
PID 2148 wrote to memory of 2776	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	42
PID 2148 wrote to memory of 2776	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	42
PID 2148 wrote to memory of 2776	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	42
PID 2148 wrote to memory of 528	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	43
PID 2148 wrote to memory of 528	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	43
PID 2148 wrote to memory of 528	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	43
PID 2148 wrote to memory of 528	2148	{523C4636-2325-499f-9D71-89E6770D9837}.exe	43
PID 2776 wrote to memory of 1484	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	44
PID 2776 wrote to memory of 1484	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	44
PID 2776 wrote to memory of 1484	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	44
PID 2776 wrote to memory of 1484	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	44
PID 2776 wrote to memory of 2780	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	45
PID 2776 wrote to memory of 2780	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	45
PID 2776 wrote to memory of 2780	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	45
PID 2776 wrote to memory of 2780	2776	{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
  C:\Windows\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
    C:\Windows\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
      C:\Windows\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{339BAD73-1C47-4698-B5B8-062321F007FA}.exe
        
        C:\Windows\{339BAD73-1C47-4698-B5B8-062321F007FA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{339BA~1.EXE > nul
        6⤵
        
        PID:2164
      - C:\Windows\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
        
        C:\Windows\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{523C4636-2325-499f-9D71-89E6770D9837}.exe
        
        C:\Windows\{523C4636-2325-499f-9D71-89E6770D9837}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
        
        C:\Windows\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
        
        C:\Windows\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BEB1~1.EXE > nul
        10⤵
        
        PID:1524
        
        C:\Windows\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
        
        C:\Windows\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe
        
        C:\Windows\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}.exe
        
        C:\Windows\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}.exe
        12⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86BF2~1.EXE > nul
        12⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96A07~1.EXE > nul
        11⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBFCC~1.EXE > nul
        9⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{523C4~1.EXE > nul
        8⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A7F~1.EXE > nul
        7⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB09~1.EXE > nul
        5⤵
        
        PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{624DA~1.EXE > nul
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69A45~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AB09FFA-D845-413e-BF5B-DBC22E3BCC3B}.exe

Filesize
216KB

MD5
fb8be78233a16d33573e29b1a5212b65

SHA1
179f92382d11b734da20644843a20a23dad7d3fb

SHA256
048571276cf27a8fe4134668be829152baa5888d624e1bb8dbe801ab88be9682

SHA512
9e5f89453294b16ebee47244e06c4ad05e79e7a851a3b31a3b916a143fb10c775cabfdebf84e412291eb56de173930e337ab755fdb76a928d589b938dfa90a91

Download Submit
C:\Windows\{339BAD73-1C47-4698-B5B8-062321F007FA}.exe

Filesize
216KB

MD5
eb0a4f70b129832b8e2f2bfc8f1123db

SHA1
c23ebb904cabd6ecf9d08eceb2fed6e7828d915b

SHA256
ce39d89b4bc86752fb1a78e31968ca9525035a15ed0da1dcc8f71cc2054d7359

SHA512
e93d1937e446f5bb6e4925d914b42f58c45946313a5bd07441149e3ffe25aba2151ccc03452d4731beeb23b4df1b92527317e8dd66f0c181ad0752025a683bdc

Download Submit
C:\Windows\{523C4636-2325-499f-9D71-89E6770D9837}.exe

Filesize
216KB

MD5
3a87bb801d3f3cb171001a467536ae6e

SHA1
4d1acf943d1e9ee47bc90fe9c1cfa52a75a28b86

SHA256
4155923e28efb7f00b4c3ad0e39f2cdd9852565808c7cebc455b3323ea4f79e0

SHA512
69eaada77dfeddbfafdf1e7dea090c295aabbe8212a5ece880bbaedd26e846ed858d20a9d303682c9115c2562f930362df8214574b556a79c200826ba060921a

Download Submit
C:\Windows\{624DAC38-6D30-4b25-9C6D-6B5E8D0F1696}.exe

Filesize
216KB

MD5
03d4e2d38d62f9c0dfd198bd96ca94da

SHA1
8497a9982e8b6b3f237d531c10ee1fec7a84c47d

SHA256
4c674dd3ab038be3869210076c94af25436472f0d404d8ff52070969ebb9f15a

SHA512
74f19695314a7feb43be26172f9d5db1494a4e003ca4f2116f871c6c70a4a7162cd997b818c456d73431da663954e4de751a036654d1e9100d40abd023a2a91a

Download Submit
C:\Windows\{69A456B5-7D9E-40c8-8796-66BB0C7F0C16}.exe

Filesize
216KB

MD5
e9ec8b44d59e8d5cdde442b6bcf2c848

SHA1
f1d38f8a78cc6b53a8adcd868c8d240f4ca87b9c

SHA256
5348198af0d10ec1a33bb23d84a6db44d130f7688099d1cace1730874f940861

SHA512
04b8aa83c9c63df3b7ea92d90a5092c30dc31899b23dc6327b6f3e67705185bf84df1337120493b40ff4e6943bb84d7188cb7664a03e5946432006ee489f7c2f

Download Submit
C:\Windows\{86BF21D7-51D8-4d74-B96B-0285FDFD9930}.exe

Filesize
216KB

MD5
0b20c0b30ec646e08e1d59a7285ea97c

SHA1
7fa9a8d0cc22858ac23e0cb4dae57b1405cdc0ac

SHA256
eaf565f9e70498c0eaaa32529f3a857ea893ec48785908a1b60603d395b64898

SHA512
69f66a378400d277f9cd8458ebff04f8cc8527930d94932f6b648ed9cf5bd10f59d2b438785920e2be6dcdd9fe3a655c3efcfb2e50f04b421fd8a541620207d4

Download Submit
C:\Windows\{8BEB1349-2AB1-4ccc-8D00-4A393D924437}.exe

Filesize
216KB

MD5
040e90822d08fe2eb641d60c5262d16c

SHA1
c8501fa1e5d2a57dfce57d071fdd1838dd0f8b26

SHA256
21110c1548ce71d362f96e6c8b04483d94108190cfcbbaab9ca3589fb9a6aee3

SHA512
e29df408fba477d98169888b590e471375a8ef33b698d6a1024a0f6be242356e50a1f6ab7066ec55b6be3058aff2cf979c8cab16c500921ce8a0b4dcbae3b803

Download Submit
C:\Windows\{96A0714E-3C2F-444b-B1E2-2B0F76CEF154}.exe

Filesize
216KB

MD5
5ebcf6cc35b07745b0a57766d168ea4e

SHA1
87690e4103a9e948a0593ceb1483808a208beab1

SHA256
13bebb81d1c7b6bb4a134cceb0fb454457ebea4de9037c525666da7625eda038

SHA512
6f097ffe4f8ce1e3452cd1980c87a0d8aa992b367b10fc2c629db66edcd51ecee30e61c2e4267acbfad7eaaf1efc50aa0ccb4edd7ab5ff062a7fbe83ea203d78

Download Submit
C:\Windows\{A1A7FF2A-EE05-4cf4-82B6-CC6B6677C331}.exe

Filesize
216KB

MD5
9f2e590b8f36a13f2def5cd1d3ccceed

SHA1
973f940da08cb9601355fc19bb91e68174f4d930

SHA256
450e3fe153bcc62e26fd2f74df1bba9e70ad4d1cc73e0b2e807e77b24477ceaa

SHA512
56c86dbd92be39a9672391656b4603b3d6b0cb4a2e3b54015ed2d1106d1dcd89613909fa6d0bc7169965472b344ff900cc06660c838d85bf21ee7112e4ecbbec

Download Submit
C:\Windows\{C9DF7306-653E-4e4f-BEEE-0C1D463DA206}.exe

Filesize
216KB

MD5
d270275a7a3e55cc7aad996770354718

SHA1
dcdcb1e054dfe6702dbf7dfb6cd65d6ecf7c1672

SHA256
65a7b5082a06b7d79547866b9552bc731190b0eef3f2b781fe00da19cbc68afa

SHA512
30556a9e17789327c4ff899bc10f4700af0611c3a90c80effa05971a50551df163d24f98e890332c87e702fb4d7bd6705408633c575f68d5b78430102297b85e

Download Submit
C:\Windows\{DBFCCA14-C672-4a1d-9662-DCACE3CEC388}.exe

Filesize
216KB

MD5
7afcd5e25037ad716a454a820c265332

SHA1
5cea2b8963a40874494e9bb2701ba303e1125b07

SHA256
b705e916d7d9064aeccc3a4abb8b4cd4305b7219d3667952a3a8578381cc022c

SHA512
791d974c2299af065a62a6574fca77a2fd2c5e178b3a89096a3b68775b69469ae521d4d277cd7063eb160258ae7d167280171a08d507699b4ce9c13250816d36

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads