0d0bdcf2fee770d60719e9a5378f171e9f903e5ab176d63f2ba8b304d3c666ec

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Size

216KB
MD5

047cb09bf916b529e3bbf8866bbd2134
SHA1

1ede60e2d213f71b0dd3f7d0b55b8e088df4ce9d
SHA256

0d0bdcf2fee770d60719e9a5378f171e9f903e5ab176d63f2ba8b304d3c666ec
SHA512

f043b9dc8fd64c09e3b1115001020f430e33c31308e77394c2a56a83429a47be1ea8e5f52936a005d7a1f085590d5e5bb0f8e0172d71ec2f808fb676bf338a40
SSDEEP

3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG7lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012252-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012262-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015eb6-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B96858B5-63BE-4fbc-883D-1E28624053F6}	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B96858B5-63BE-4fbc-883D-1E28624053F6}\stubpath = "C:\\Windows\\{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe"	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01386580-85F5-41ee-84F4-2F11D59E37DB}	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}\stubpath = "C:\\Windows\\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe"	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A95DECE-1828-48a7-B76C-656DBA25046E}	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2725B578-61C8-4ddf-A40D-6D0E96C13845}\stubpath = "C:\\Windows\\{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe"	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{839018C4-A693-4b40-B33C-D1B0775DBC59}\stubpath = "C:\\Windows\\{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe"	{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}	{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A95DECE-1828-48a7-B76C-656DBA25046E}\stubpath = "C:\\Windows\\{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe"	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E119A52-9A10-45de-9913-94E70713EEFE}	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01386580-85F5-41ee-84F4-2F11D59E37DB}\stubpath = "C:\\Windows\\{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe"	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC18877C-FB2A-4135-9591-79F582E98A13}	{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75346FEB-B035-4d6a-962A-407CA7CB3C19}	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75346FEB-B035-4d6a-962A-407CA7CB3C19}\stubpath = "C:\\Windows\\{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe"	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2725B578-61C8-4ddf-A40D-6D0E96C13845}	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{839018C4-A693-4b40-B33C-D1B0775DBC59}	{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}\stubpath = "C:\\Windows\\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe"	{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC18877C-FB2A-4135-9591-79F582E98A13}\stubpath = "C:\\Windows\\{DC18877C-FB2A-4135-9591-79F582E98A13}.exe"	{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}\stubpath = "C:\\Windows\\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe"	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E119A52-9A10-45de-9913-94E70713EEFE}\stubpath = "C:\\Windows\\{6E119A52-9A10-45de-9913-94E70713EEFE}.exe"	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe
1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe
280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
572	{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
1116	{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
924	{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe
2292	{DC18877C-FB2A-4135-9591-79F582E98A13}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
File created	C:\Windows\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe	{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
File created	C:\Windows\{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
File created	C:\Windows\{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
File created	C:\Windows\{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe
File created	C:\Windows\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
File created	C:\Windows\{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe	{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
File created	C:\Windows\{DC18877C-FB2A-4135-9591-79F582E98A13}.exe	{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe
File created	C:\Windows\{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
File created	C:\Windows\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
File created	C:\Windows\{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
Token: SeIncBasePriorityPrivilege	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
Token: SeIncBasePriorityPrivilege	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe
Token: SeIncBasePriorityPrivilege	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
Token: SeIncBasePriorityPrivilege	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe
Token: SeIncBasePriorityPrivilege	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
Token: SeIncBasePriorityPrivilege	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
Token: SeIncBasePriorityPrivilege	572	{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
Token: SeIncBasePriorityPrivilege	1116	{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
Token: SeIncBasePriorityPrivilege	924	{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2736	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	28
PID 1152 wrote to memory of 2736	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	28
PID 1152 wrote to memory of 2736	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	28
PID 1152 wrote to memory of 2736	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	28
PID 1152 wrote to memory of 2832	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	29
PID 1152 wrote to memory of 2832	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	29
PID 1152 wrote to memory of 2832	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	29
PID 1152 wrote to memory of 2832	1152	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	29
PID 2736 wrote to memory of 2828	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	30
PID 2736 wrote to memory of 2828	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	30
PID 2736 wrote to memory of 2828	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	30
PID 2736 wrote to memory of 2828	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	30
PID 2736 wrote to memory of 2864	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	31
PID 2736 wrote to memory of 2864	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	31
PID 2736 wrote to memory of 2864	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	31
PID 2736 wrote to memory of 2864	2736	{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe	31
PID 2828 wrote to memory of 2716	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	35
PID 2828 wrote to memory of 2716	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	35
PID 2828 wrote to memory of 2716	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	35
PID 2828 wrote to memory of 2716	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	35
PID 2828 wrote to memory of 2996	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	34
PID 2828 wrote to memory of 2996	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	34
PID 2828 wrote to memory of 2996	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	34
PID 2828 wrote to memory of 2996	2828	{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe	34
PID 2716 wrote to memory of 1940	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	36
PID 2716 wrote to memory of 1940	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	36
PID 2716 wrote to memory of 1940	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	36
PID 2716 wrote to memory of 1940	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	36
PID 2716 wrote to memory of 1636	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	37
PID 2716 wrote to memory of 1636	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	37
PID 2716 wrote to memory of 1636	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	37
PID 2716 wrote to memory of 1636	2716	{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe	37
PID 1940 wrote to memory of 2876	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	38
PID 1940 wrote to memory of 2876	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	38
PID 1940 wrote to memory of 2876	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	38
PID 1940 wrote to memory of 2876	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	38
PID 1940 wrote to memory of 596	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	39
PID 1940 wrote to memory of 596	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	39
PID 1940 wrote to memory of 596	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	39
PID 1940 wrote to memory of 596	1940	{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe	39
PID 2876 wrote to memory of 280	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	40
PID 2876 wrote to memory of 280	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	40
PID 2876 wrote to memory of 280	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	40
PID 2876 wrote to memory of 280	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	40
PID 2876 wrote to memory of 1440	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	41
PID 2876 wrote to memory of 1440	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	41
PID 2876 wrote to memory of 1440	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	41
PID 2876 wrote to memory of 1440	2876	{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe	41
PID 280 wrote to memory of 2012	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	42
PID 280 wrote to memory of 2012	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	42
PID 280 wrote to memory of 2012	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	42
PID 280 wrote to memory of 2012	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	42
PID 280 wrote to memory of 548	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	43
PID 280 wrote to memory of 548	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	43
PID 280 wrote to memory of 548	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	43
PID 280 wrote to memory of 548	280	{6E119A52-9A10-45de-9913-94E70713EEFE}.exe	43
PID 2012 wrote to memory of 572	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	45
PID 2012 wrote to memory of 572	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	45
PID 2012 wrote to memory of 572	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	45
PID 2012 wrote to memory of 572	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	45
PID 2012 wrote to memory of 2520	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	44
PID 2012 wrote to memory of 2520	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	44
PID 2012 wrote to memory of 2520	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	44
PID 2012 wrote to memory of 2520	2012	{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
  C:\Windows\{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
    C:\Windows\{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75346~1.EXE > nul
      4⤵
      PID:2996
  - - C:\Windows\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe
      C:\Windows\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
        
        C:\Windows\{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe
        
        C:\Windows\{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
        
        C:\Windows\{6E119A52-9A10-45de-9913-94E70713EEFE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
        
        C:\Windows\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{895BE~1.EXE > nul
        9⤵
        
        PID:2520
        
        C:\Windows\{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
        
        C:\Windows\{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2725B~1.EXE > nul
        10⤵
        
        PID:312
        
        C:\Windows\{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
        
        C:\Windows\{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe
        
        C:\Windows\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{428C7~1.EXE > nul
        12⤵
        
        PID:3064
        
        C:\Windows\{DC18877C-FB2A-4135-9591-79F582E98A13}.exe
        
        C:\Windows\{DC18877C-FB2A-4135-9591-79F582E98A13}.exe
        12⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83901~1.EXE > nul
        11⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E119~1.EXE > nul
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01386~1.EXE > nul
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9685~1.EXE > nul
        6⤵
        
        PID:596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A597~1.EXE > nul
        5⤵
        
        PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A95D~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01386580-85F5-41ee-84F4-2F11D59E37DB}.exe

Filesize
216KB

MD5
e27a04116b9deb680fa508af1d2d6a7b

SHA1
a8a6c37326556227e4a07458108c78dbaae6bf98

SHA256
cb07c8958193e1d5cd7d64a499be2208e7c0bf3c7dc2bd5d2d52111a18a3431f

SHA512
fb2c94bdbf52cbe6f95b3d60b2ee48986e304519d066d366553d774183f048aa04d666719d87db4bd515e5acdf2429e17b6e5175554afddf500eaa334f29f531

Download Submit
C:\Windows\{2725B578-61C8-4ddf-A40D-6D0E96C13845}.exe

Filesize
216KB

MD5
a13645111d4eba9b12ffc2e4f3c2297c

SHA1
58e6bec45fe69a73f384623d836a28e4f74548fc

SHA256
6b94d968a02b4d9fc3bc24d12a2d4f42bba06a8d099add7431c28590786bb5f1

SHA512
c9c8a11c96dd590320b6494be82cd93eb7c2905ef3112c0df1ad9cb5191bddf17734bb8acb0818f83e0eb8658456b5ad8b945c1df9925196ac9ceb4533ba68d8

Download Submit
C:\Windows\{2A95DECE-1828-48a7-B76C-656DBA25046E}.exe

Filesize
216KB

MD5
e89e543ee4d16164b9095ede09b2d2dd

SHA1
d8dada451420ff89c0cd66449c27fb70caa6936f

SHA256
b017b55611a4ec26784bb9d1cb52f9bc8ac053fe31203c1a990442bddafa855b

SHA512
0c11f3e2ed7a255a45bb847fd18dd5178ee1b2a808b2460d58a3f919a420516fbd4a002844c23572e06ed340cd2f0ccd8770efc93180d3c8db6c6f5e53b02277

Download Submit
C:\Windows\{428C7BBB-2572-4cb0-A1C7-6CC86722917B}.exe

Filesize
216KB

MD5
0b5e9da390cac95567bd9d9e2777caeb

SHA1
d7010daacdea737ed42851f3668cd8729f70f907

SHA256
6ea0545853c7e8b03bf6b8a12bbb708574e480babce0dc487b8172cc40328de0

SHA512
c645eb8810b001f8d338410eb6201d79cf757700c7446563193ae4e2154b650104fcd111d5cd4606524adac45a91414bee254a8477f3cc264ae6d6b6a24bb339

Download Submit
C:\Windows\{4A597158-C3AE-47f6-B17E-B37F0C4BB84A}.exe

Filesize
216KB

MD5
da14e65d8f0177cd62cd6d02011c2d54

SHA1
8eba1b869bd23bd3e5e308f95172198fca3b86b0

SHA256
5e8084aad11814c3343f428287e32d00b93c2151c9634dedfadc8606cedb0c63

SHA512
116d6c231ae231ce1fd325405d60396e51bae711378fe5424547d9678d32c535e345d7753dd93adea241a666a8666cb4b1b8116800a17b1b01bfd61a9894f279

Download Submit
C:\Windows\{6E119A52-9A10-45de-9913-94E70713EEFE}.exe

Filesize
216KB

MD5
e1f4206376ca11ca54e7a5121602e36d

SHA1
1ec31dc701a62b8d2d8d1fc3e9d9a472c8b29760

SHA256
0087f6593c243b629d594f8e0f3629743791aa50275b1543e4bfc53c3f6bb602

SHA512
e039a4d608c630d7b2367ed0207d0748744d8383ef5a690400168a8d4628d288ddded0831e4f9e4dcb9320a0a7f13d6c63c429a7279a43c64a914c9a7506421d

Download Submit
C:\Windows\{75346FEB-B035-4d6a-962A-407CA7CB3C19}.exe

Filesize
216KB

MD5
e5001cecd5e962aeeba77860808f3f25

SHA1
d764e66f61e7a096c0226f1319b14d6c8995792b

SHA256
0fbaaeda0eacbc51beece8ebac57c4893752084906899e1c3d4192fe47a3ca3f

SHA512
845674232a2ff50c85647f637dadd413c27fe73dd8929d1afd3e9f51fbc8b5ca979c303bcbf856bd7a2db771e98ea63e1c95942ceeb577f16b68ca2c1143f181

Download Submit
C:\Windows\{839018C4-A693-4b40-B33C-D1B0775DBC59}.exe

Filesize
216KB

MD5
9256e93587551dfcb9f50d1fb3a1687d

SHA1
b8d72c70a2bfe6f54db07a57df7200c0da37c28b

SHA256
5e35cdea7a21c26dc5457a103ea188b68f75e9f54b46f0ff4a454a0411faefbd

SHA512
d6d31ced6208c3c7ba04b1eacd5593dfe2133853deb615271b5f645bc7acb6094d8c0a742410f7a0963673db09aec1dfe7191f2fe8987804640868c2aa103cea

Download Submit
C:\Windows\{895BE842-52A7-4e22-9E0A-64B0E34A0F87}.exe

Filesize
216KB

MD5
8687ed0c9125e1de37a797cd070cad59

SHA1
bda6cc1cb11f40351767631f794cd1cd76d8f940

SHA256
d473c7ae62d573e906c162a391c0d71995c63692d5ce6100da640688a102d84f

SHA512
dd902ac9ca9d9828cc7cfa5ba3fe2883d6448ff521306b906fc4bb92cd57360e09e318ce25f14053a61cfeb0ded90a1bb275a3c15623a106bbc155d9a0e1a609

Download Submit
C:\Windows\{B96858B5-63BE-4fbc-883D-1E28624053F6}.exe

Filesize
216KB

MD5
85a756530790b540425e317e6bf67322

SHA1
8e325d229a4f7aefd668e74ceb0d1d9ff1ad2346

SHA256
a44ceecb52bad4042d7d0ed63fb41541e1e39e7b879db7501592cc3c6cb5d2ee

SHA512
d9c734b5cbd89de7dd8e60119b6c6a0cdc4d06957cd8e317c27f68b7b09109fc44ceddaeccf21bef0c145ab364cc5b278772ae6849bd7b5acf1ea72b5e727532

Download Submit
C:\Windows\{DC18877C-FB2A-4135-9591-79F582E98A13}.exe

Filesize
216KB

MD5
229434f6a604f57a8448b431b8e472af

SHA1
4488939968e51d1a9054e7cea7440b5f193d2e06

SHA256
f806be756dca3a292b121346acf60be829aab6e0ca5cf9a1d9b0016f428bb2ef

SHA512
02a032fc95b5230b49174c505a8a6d4a1d64b98b97abc71d916f00c6527f4bebfb54b14fee5f197c895f1edbf2369a6607c9f36accd489414177edec28a5f550

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads