bdbd1f0d43f53a3fbf019381c0ccf661401fb7a6bba1914a6f3b400d1ca89480

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe
Size

180KB
MD5

24471f9a8df3f9edcb678263f3c7d491
SHA1

594c5325cc31a26bd2ba29abb3cd8d85ad5a1df9
SHA256

bdbd1f0d43f53a3fbf019381c0ccf661401fb7a6bba1914a6f3b400d1ca89480
SHA512

6717618ea628c4eb7b99bd0af96d16577a9c88b8781dbe6d35ca4fbb30210577b04e5df1eddd250afa41247ec0ff4f6a36a81278c473e668d1986fe7ea3b50ff
SSDEEP

3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001224f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}\stubpath = "C:\\Windows\\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe"	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18592A30-16A1-426b-9224-951B01EE777D}\stubpath = "C:\\Windows\\{18592A30-16A1-426b-9224-951B01EE777D}.exe"	{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C10B39-02C0-4954-820D-1EF3852B5985}\stubpath = "C:\\Windows\\{49C10B39-02C0-4954-820D-1EF3852B5985}.exe"	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DFE192-0691-471e-8C92-865186CE08DE}\stubpath = "C:\\Windows\\{79DFE192-0691-471e-8C92-865186CE08DE}.exe"	{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}\stubpath = "C:\\Windows\\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe"	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}\stubpath = "C:\\Windows\\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe"	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}\stubpath = "C:\\Windows\\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe"	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}\stubpath = "C:\\Windows\\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe"	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18592A30-16A1-426b-9224-951B01EE777D}	{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}	{18592A30-16A1-426b-9224-951B01EE777D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}\stubpath = "C:\\Windows\\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe"	{18592A30-16A1-426b-9224-951B01EE777D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{535A86E6-18C5-4e47-B222-4CA05D15C830}	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{535A86E6-18C5-4e47-B222-4CA05D15C830}\stubpath = "C:\\Windows\\{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe"	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}\stubpath = "C:\\Windows\\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe"	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DFE192-0691-471e-8C92-865186CE08DE}	{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C10B39-02C0-4954-820D-1EF3852B5985}	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe
2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
1896	{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
2932	{18592A30-16A1-426b-9224-951B01EE777D}.exe
3056	{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe
2352	{79DFE192-0691-471e-8C92-865186CE08DE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe
File created	C:\Windows\{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe
File created	C:\Windows\{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
File created	C:\Windows\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
File created	C:\Windows\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
File created	C:\Windows\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
File created	C:\Windows\{18592A30-16A1-426b-9224-951B01EE777D}.exe	{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
File created	C:\Windows\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe	{18592A30-16A1-426b-9224-951B01EE777D}.exe
File created	C:\Windows\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
File created	C:\Windows\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
File created	C:\Windows\{79DFE192-0691-471e-8C92-865186CE08DE}.exe	{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
Token: SeIncBasePriorityPrivilege	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe
Token: SeIncBasePriorityPrivilege	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
Token: SeIncBasePriorityPrivilege	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
Token: SeIncBasePriorityPrivilege	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
Token: SeIncBasePriorityPrivilege	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
Token: SeIncBasePriorityPrivilege	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
Token: SeIncBasePriorityPrivilege	1896	{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
Token: SeIncBasePriorityPrivilege	2932	{18592A30-16A1-426b-9224-951B01EE777D}.exe
Token: SeIncBasePriorityPrivilege	3056	{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2248	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	28
PID 2032 wrote to memory of 2248	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	28
PID 2032 wrote to memory of 2248	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	28
PID 2032 wrote to memory of 2248	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	28
PID 2032 wrote to memory of 2724	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	29
PID 2032 wrote to memory of 2724	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	29
PID 2032 wrote to memory of 2724	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	29
PID 2032 wrote to memory of 2724	2032	2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe	29
PID 2248 wrote to memory of 2796	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	30
PID 2248 wrote to memory of 2796	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	30
PID 2248 wrote to memory of 2796	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	30
PID 2248 wrote to memory of 2796	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	30
PID 2248 wrote to memory of 1060	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	31
PID 2248 wrote to memory of 1060	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	31
PID 2248 wrote to memory of 1060	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	31
PID 2248 wrote to memory of 1060	2248	{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe	31
PID 2796 wrote to memory of 2696	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	35
PID 2796 wrote to memory of 2696	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	35
PID 2796 wrote to memory of 2696	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	35
PID 2796 wrote to memory of 2696	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	35
PID 2796 wrote to memory of 3028	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	34
PID 2796 wrote to memory of 3028	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	34
PID 2796 wrote to memory of 3028	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	34
PID 2796 wrote to memory of 3028	2796	{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe	34
PID 2696 wrote to memory of 524	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	37
PID 2696 wrote to memory of 524	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	37
PID 2696 wrote to memory of 524	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	37
PID 2696 wrote to memory of 524	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	37
PID 2696 wrote to memory of 700	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	36
PID 2696 wrote to memory of 700	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	36
PID 2696 wrote to memory of 700	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	36
PID 2696 wrote to memory of 700	2696	{49C10B39-02C0-4954-820D-1EF3852B5985}.exe	36
PID 524 wrote to memory of 2640	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	39
PID 524 wrote to memory of 2640	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	39
PID 524 wrote to memory of 2640	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	39
PID 524 wrote to memory of 2640	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	39
PID 524 wrote to memory of 2672	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	38
PID 524 wrote to memory of 2672	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	38
PID 524 wrote to memory of 2672	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	38
PID 524 wrote to memory of 2672	524	{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe	38
PID 2640 wrote to memory of 2784	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	41
PID 2640 wrote to memory of 2784	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	41
PID 2640 wrote to memory of 2784	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	41
PID 2640 wrote to memory of 2784	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	41
PID 2640 wrote to memory of 1488	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	40
PID 2640 wrote to memory of 1488	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	40
PID 2640 wrote to memory of 1488	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	40
PID 2640 wrote to memory of 1488	2640	{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe	40
PID 2784 wrote to memory of 2496	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	42
PID 2784 wrote to memory of 2496	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	42
PID 2784 wrote to memory of 2496	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	42
PID 2784 wrote to memory of 2496	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	42
PID 2784 wrote to memory of 2168	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	43
PID 2784 wrote to memory of 2168	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	43
PID 2784 wrote to memory of 2168	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	43
PID 2784 wrote to memory of 2168	2784	{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe	43
PID 2496 wrote to memory of 1896	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	44
PID 2496 wrote to memory of 1896	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	44
PID 2496 wrote to memory of 1896	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	44
PID 2496 wrote to memory of 1896	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	44
PID 2496 wrote to memory of 1980	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	45
PID 2496 wrote to memory of 1980	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	45
PID 2496 wrote to memory of 1980	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	45
PID 2496 wrote to memory of 1980	2496	{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_24471f9a8df3f9edcb678263f3c7d491_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
  C:\Windows\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe
    C:\Windows\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E86C~1.EXE > nul
      4⤵
      PID:3028
  - - C:\Windows\{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
      C:\Windows\{49C10B39-02C0-4954-820D-1EF3852B5985}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C10~1.EXE > nul
        5⤵
        
        PID:700
    - - C:\Windows\{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
        
        C:\Windows\{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{535A8~1.EXE > nul
        6⤵
        
        PID:2672
      - C:\Windows\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
        
        C:\Windows\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16930~1.EXE > nul
        7⤵
        
        PID:1488
        
        C:\Windows\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
        
        C:\Windows\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
        
        C:\Windows\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
        
        C:\Windows\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\{18592A30-16A1-426b-9224-951B01EE777D}.exe
        
        C:\Windows\{18592A30-16A1-426b-9224-951B01EE777D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18592~1.EXE > nul
        11⤵
        
        PID:2228
        
        C:\Windows\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe
        
        C:\Windows\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{79DFE192-0691-471e-8C92-865186CE08DE}.exe
        
        C:\Windows\{79DFE192-0691-471e-8C92-865186CE08DE}.exe
        12⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6212C~1.EXE > nul
        12⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E64D1~1.EXE > nul
        10⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00C6F~1.EXE > nul
        9⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B3A4~1.EXE > nul
        8⤵
        
        PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E8BD~1.EXE > nul
    3⤵
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00C6F6CF-4475-4053-A56C-3CA7A32A713B}.exe

Filesize
180KB

MD5
33a25c6cc6183d36d0df96993e77a781

SHA1
511f0489dd6cbe4ad621ef0325348c42c1d83981

SHA256
576df4deb622bd4101bf5de73bfbd5f71e5df0eeeb34e3d3bc0d1cc38cd286df

SHA512
d8db8a8ce11619a0784cad8c24fca268fd7d8f516a86a58cf03a5cf4d76bbd0667ea224606068447477ef538a78340a4d2e370f9e7a415f0330e037304f18f72

Download Submit
C:\Windows\{0E86C2D9-31DE-4d73-817D-5D98C920C8DB}.exe

Filesize
180KB

MD5
652310d9a0cac27e023bd5cf4edf87fd

SHA1
6854cf431885f3a2263e700ac43b9e379059ae73

SHA256
2702842e4016b29eaf648d9b15b344911e3948d938183011a2ef8e6be7e4e6a0

SHA512
0b3fb2229787f51e1e08424db57463ada98e92dd68052d34959a2296c41580f33f3fbe27000bc049fc223e99156b51420ccf118645e90ba0064ec659f82ca124

Download Submit
C:\Windows\{16930AB5-61EB-4d0f-BE30-D290AC578CE4}.exe

Filesize
180KB

MD5
373aa275644de83ac49b2e3c78b2b550

SHA1
46a958d00be8278f1b44de87e6e1029693300392

SHA256
6b583bbbd4d64ae20d7bd5f91415af1bef59b9e9ac20f78237677b57fd53ebb5

SHA512
c475ee5f005bbb9471b0285fb57e3c0115479e51f8ad0fc05e4fb6fb320ba595f21520ded091c3d2075fbcda1045b549faae19c2a144d23e9b9a65359bd3c360

Download Submit
C:\Windows\{18592A30-16A1-426b-9224-951B01EE777D}.exe

Filesize
180KB

MD5
7882ae6f3bcbc59c58bdbb29e9a1b0e1

SHA1
a077d1f436f8ac7a0f9fb82e5ec774e1cd6b395a

SHA256
39caeb64fa110b883649324dbf0bcc2f85f33f23cd56301a38a7e0cc14f864ae

SHA512
7a86e60e90476ec1632a4b00e5bfb54f88da1894fd358c4e8441104e4d2c480b4542c2593dd126feb55e9f5fcf97036080038c36b43c0bba5db7f38630d49ce1

Download Submit
C:\Windows\{49C10B39-02C0-4954-820D-1EF3852B5985}.exe

Filesize
180KB

MD5
df9fca467616b15c9d0a07733c64527a

SHA1
5d1fb9f8383ede61b482519738f354649f0c2244

SHA256
f67e56d3355ed5f433966b44b7f35316333bf49d04a8ae0018ed6e83b1f7e912

SHA512
bcee05fca9c97a13c6da20922b04fc1776e62b73d93b6a68472a639b11ebd5600279862c8e4d92ebd7853e17e6e400a5259488c5b259c5714a8bb3ec6b6d1503

Download Submit
C:\Windows\{535A86E6-18C5-4e47-B222-4CA05D15C830}.exe

Filesize
180KB

MD5
b0b0723ab2e082c30f5019f6def338d6

SHA1
2d99d35b63090089bef84829d601569610494b29

SHA256
9226385082b60d059ba0b8e870b1d2c3b2c3d2d256685f36c282e1a87a0edce0

SHA512
197e4290730aba963325159875430d283bfb31043896a6710b4dcb25f68d345fd992319093ed606fa786ea8ba6a7ce629e931435665cb5d97cbb06c9cfae7d51

Download Submit
C:\Windows\{6212CBB2-6826-4ac7-B5C9-F5AFE3B0E1FF}.exe

Filesize
180KB

MD5
c681f1a3a12f11667e8663b7ba09d935

SHA1
ace5d95dcc17c1b2ace6c061d541f5707c57e0d2

SHA256
436a412474fa77802014d595bdd49369d73e61f491ab0eefde809c45ec49c1a3

SHA512
175f5d34a8594e6cba29d30a4dc312d8fef06f76c36151130fbfec01854dc8d94ff65c067320ae8a44206b23928fe130f67a6e2cf137475b2829b456ce2ed32e

Download Submit
C:\Windows\{6E8BD805-18DA-4a44-8B85-D6A5D2CEE6C8}.exe

Filesize
180KB

MD5
40662132af3e91f5170f83765b8c171d

SHA1
8e3e8df441935c6720a176919753e3efc0532b5f

SHA256
a1e3ec0b0f5a7f63b920b35a17beba1c5a3ea8b93a6844eaf65a8a8d3a1b121c

SHA512
9e2505ecb8cc4a436c6288b7ae618676ced2f13e6f570f14dc712898ce14bb8e2161c3010df91a72616118c6e7a820f2d50cad25b0528251c96b1e69a31e61e6

Download Submit
C:\Windows\{79DFE192-0691-471e-8C92-865186CE08DE}.exe

Filesize
180KB

MD5
7b75fec2f800deee04dd720e4fa37d58

SHA1
c98ddb387c2f264789ce4bbb74e2b4b216ce80d3

SHA256
318b159c9077b189802789a814fe06a169d174792678c4a4521facfae12ba91e

SHA512
9c8deaae6ee212cdb14ea387d19c60d47ac7063ee7785d5bee5541d1731d4734c8855f00808b64835bb124e7da6983f44621367f7feec19c458225bc89a12653

Download Submit
C:\Windows\{8B3A4D69-C620-4a3b-BF7A-0C6219053636}.exe

Filesize
180KB

MD5
0b1d882ce6b0172b2e537b4f22feddee

SHA1
972fe2a195e696b05f7228285023f03a47d2c088

SHA256
deeae56d0c41945d0e085f34e66fd46bbccf5503a828bed56b3ebafaba3bbb0c

SHA512
6b2c0838cba5950f79c176a233f6d8e0856667d240773b3e51b37481b843b2718c50a79104c950473cf0906d2d3307a56c802eaefd5a3fb9ab4e1675dc53062c

Download Submit
C:\Windows\{E64D10D3-92BE-43f3-8EEC-0410CD4EDE21}.exe

Filesize
180KB

MD5
529b57491dd2178ee7fc363677d06a78

SHA1
cc81d7480f4c883f4fa118e99d932132b3b40fd7

SHA256
c21fb02bb86c03fdd6557e2a96acec432aae45b53ca604f1d3dba718f651d5c6

SHA512
eaf675d45f9ee3202547e5ef3845c70ad1a989fd50aae38da86d138e878b37e720aef9a4c9fdf882385e8a79f8b3e6e699531847748f78d7e2378d5f005f0ea7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads