316d2b06ca1b01034404cfd9eac593751eda7a3caa36f1148264d953f87113a2

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe
Size

180KB
MD5

ee8bd5bee960f84f344221fd89465385
SHA1

bfb3e2b62a435a5aa4530a89c39a3852392827cd
SHA256

316d2b06ca1b01034404cfd9eac593751eda7a3caa36f1148264d953f87113a2
SHA512

7ca8d5e374bb9512a12a88deff395a6a526a4c387eb76d1306efa4f291c360bfaf6e9db2b97b16874bc90fc8a0867ad3e9cdd1908edb529de1128211a97d75f4
SSDEEP

3072:jEGh0ohlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGLl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012246-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001232a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012246-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000146c8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012246-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012246-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012246-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C881FCC-4F85-496a-947A-86549E503A9F}\stubpath = "C:\\Windows\\{5C881FCC-4F85-496a-947A-86549E503A9F}.exe"	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D5866F0-CC62-412a-B191-76CDAE241E8E}	{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}	{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}\stubpath = "C:\\Windows\\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe"	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}\stubpath = "C:\\Windows\\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe"	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237334FC-659B-43f4-86CE-755A29A17C39}\stubpath = "C:\\Windows\\{237334FC-659B-43f4-86CE-755A29A17C39}.exe"	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07999661-4E5E-462d-B9F5-D1D06A37069B}	{237334FC-659B-43f4-86CE-755A29A17C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07999661-4E5E-462d-B9F5-D1D06A37069B}\stubpath = "C:\\Windows\\{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe"	{237334FC-659B-43f4-86CE-755A29A17C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}\stubpath = "C:\\Windows\\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}.exe"	{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237334FC-659B-43f4-86CE-755A29A17C39}	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}\stubpath = "C:\\Windows\\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe"	{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0224ADAE-F556-42ad-82BE-3B074FFAD326}	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}\stubpath = "C:\\Windows\\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe"	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}	{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0224ADAE-F556-42ad-82BE-3B074FFAD326}\stubpath = "C:\\Windows\\{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe"	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5EFC00-D76C-4993-B1E0-A33A37613951}	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5EFC00-D76C-4993-B1E0-A33A37613951}\stubpath = "C:\\Windows\\{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe"	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C881FCC-4F85-496a-947A-86549E503A9F}	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D5866F0-CC62-412a-B191-76CDAE241E8E}\stubpath = "C:\\Windows\\{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe"	{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe
320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
1912	{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe
3028	{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
2264	{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe
1484	{EF57E3F2-18F4-49fc-8B49-9D66F297C660}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
File created	C:\Windows\{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
File created	C:\Windows\{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
File created	C:\Windows\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
File created	C:\Windows\{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe	{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe
File created	C:\Windows\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe	{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
File created	C:\Windows\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe
File created	C:\Windows\{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
File created	C:\Windows\{237334FC-659B-43f4-86CE-755A29A17C39}.exe	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
File created	C:\Windows\{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	{237334FC-659B-43f4-86CE-755A29A17C39}.exe
File created	C:\Windows\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}.exe	{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
Token: SeIncBasePriorityPrivilege	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
Token: SeIncBasePriorityPrivilege	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
Token: SeIncBasePriorityPrivilege	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
Token: SeIncBasePriorityPrivilege	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe
Token: SeIncBasePriorityPrivilege	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
Token: SeIncBasePriorityPrivilege	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
Token: SeIncBasePriorityPrivilege	1912	{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe
Token: SeIncBasePriorityPrivilege	3028	{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
Token: SeIncBasePriorityPrivilege	2264	{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2520	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	28
PID 2672 wrote to memory of 2520	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	28
PID 2672 wrote to memory of 2520	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	28
PID 2672 wrote to memory of 2520	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	28
PID 2672 wrote to memory of 2104	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	29
PID 2672 wrote to memory of 2104	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	29
PID 2672 wrote to memory of 2104	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	29
PID 2672 wrote to memory of 2104	2672	2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe	29
PID 2520 wrote to memory of 2872	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	30
PID 2520 wrote to memory of 2872	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	30
PID 2520 wrote to memory of 2872	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	30
PID 2520 wrote to memory of 2872	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	30
PID 2520 wrote to memory of 2444	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	31
PID 2520 wrote to memory of 2444	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	31
PID 2520 wrote to memory of 2444	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	31
PID 2520 wrote to memory of 2444	2520	{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe	31
PID 2872 wrote to memory of 2824	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	32
PID 2872 wrote to memory of 2824	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	32
PID 2872 wrote to memory of 2824	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	32
PID 2872 wrote to memory of 2824	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	32
PID 2872 wrote to memory of 2720	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	33
PID 2872 wrote to memory of 2720	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	33
PID 2872 wrote to memory of 2720	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	33
PID 2872 wrote to memory of 2720	2872	{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe	33
PID 2824 wrote to memory of 2656	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	36
PID 2824 wrote to memory of 2656	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	36
PID 2824 wrote to memory of 2656	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	36
PID 2824 wrote to memory of 2656	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	36
PID 2824 wrote to memory of 2608	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	37
PID 2824 wrote to memory of 2608	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	37
PID 2824 wrote to memory of 2608	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	37
PID 2824 wrote to memory of 2608	2824	{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe	37
PID 2656 wrote to memory of 2248	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	38
PID 2656 wrote to memory of 2248	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	38
PID 2656 wrote to memory of 2248	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	38
PID 2656 wrote to memory of 2248	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	38
PID 2656 wrote to memory of 1940	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	39
PID 2656 wrote to memory of 1940	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	39
PID 2656 wrote to memory of 1940	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	39
PID 2656 wrote to memory of 1940	2656	{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe	39
PID 2248 wrote to memory of 320	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	40
PID 2248 wrote to memory of 320	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	40
PID 2248 wrote to memory of 320	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	40
PID 2248 wrote to memory of 320	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	40
PID 2248 wrote to memory of 1684	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	41
PID 2248 wrote to memory of 1684	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	41
PID 2248 wrote to memory of 1684	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	41
PID 2248 wrote to memory of 1684	2248	{237334FC-659B-43f4-86CE-755A29A17C39}.exe	41
PID 320 wrote to memory of 1248	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	43
PID 320 wrote to memory of 1248	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	43
PID 320 wrote to memory of 1248	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	43
PID 320 wrote to memory of 1248	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	43
PID 320 wrote to memory of 1580	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	42
PID 320 wrote to memory of 1580	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	42
PID 320 wrote to memory of 1580	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	42
PID 320 wrote to memory of 1580	320	{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe	42
PID 1248 wrote to memory of 1912	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	44
PID 1248 wrote to memory of 1912	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	44
PID 1248 wrote to memory of 1912	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	44
PID 1248 wrote to memory of 1912	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	44
PID 1248 wrote to memory of 1204	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	45
PID 1248 wrote to memory of 1204	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	45
PID 1248 wrote to memory of 1204	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	45
PID 1248 wrote to memory of 1204	1248	{5C881FCC-4F85-496a-947A-86549E503A9F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_ee8bd5bee960f84f344221fd89465385_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
  C:\Windows\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
    C:\Windows\{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
      C:\Windows\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
        
        C:\Windows\{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\{237334FC-659B-43f4-86CE-755A29A17C39}.exe
        
        C:\Windows\{237334FC-659B-43f4-86CE-755A29A17C39}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
        
        C:\Windows\{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07999~1.EXE > nul
        8⤵
        
        PID:1580
        
        C:\Windows\{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
        
        C:\Windows\{5C881FCC-4F85-496a-947A-86549E503A9F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe
        
        C:\Windows\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F39DC~1.EXE > nul
        10⤵
        
        PID:2984
        
        C:\Windows\{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
        
        C:\Windows\{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe
        
        C:\Windows\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}.exe
        
        C:\Windows\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}.exe
        12⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{170FE~1.EXE > nul
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D586~1.EXE > nul
        11⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C881~1.EXE > nul
        9⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23733~1.EXE > nul
        7⤵
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F5EF~1.EXE > nul
        6⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC1D~1.EXE > nul
        5⤵
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0224A~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD7E4~1.EXE > nul
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0224ADAE-F556-42ad-82BE-3B074FFAD326}.exe

Filesize
180KB

MD5
994fcc910b9de714d8abb272e4b63f61

SHA1
e15a24a212d55ec13effdd91781084199dc83044

SHA256
dca706b471663e47d05de5f5eab1f6861874622af3c5ea2dc3147efba4e827a2

SHA512
6fc119ab4e5bb12489a7eac94359dfb7f456491e017470dfb1db307ddec5c3ef08afdb1a3a9a6ae93e7d283fa0c99367c82d72410f2b90e858a780c7496b71b3

Download Submit
C:\Windows\{07999661-4E5E-462d-B9F5-D1D06A37069B}.exe

Filesize
180KB

MD5
f96c43723836096ef619662bd0a1a50e

SHA1
b1e82121a2b0de9591b364e0ce49e2b6befbcc28

SHA256
2659facaf8a05e8b7c93bb1a904461f847a7b40973b7262a40c305ca1ef566a5

SHA512
9467dafca5902776eca32a67c1e6b687d793c287092ea6e69753db8c6b7ea5e5e71907ffb26e3171f4d09dce206115e293ac369a6dc39d0b3d7bdb465ab0421b

Download Submit
C:\Windows\{0D5866F0-CC62-412a-B191-76CDAE241E8E}.exe

Filesize
180KB

MD5
12a603b2882552c4f8a45c82164472cf

SHA1
8202c3dd37267c4bdff620a1c61d5060fd14f676

SHA256
cc4536c7657ce061cd0c14b5e1f03600fa27107953aed3a469eec8908b038842

SHA512
a448d8a149da3f2cb1b1feca8bc97e00b468db088d05a2baa1ba81241e4231c712d51cc66ad24c1b3ca4eb3c52f92a41fc6e69c18aeda84af792db5385082b3e

Download Submit
C:\Windows\{170FE610-9B15-4bd4-89AA-B523A6FF96A3}.exe

Filesize
180KB

MD5
5c2b54bc9b285051b42b1ebdfca173e7

SHA1
a18c56035a49bee8bb444eaa19178252315e862c

SHA256
a1df584acfa916a0bb33f74a964e17884951bfa1008950e76ef637e77556e49c

SHA512
f526ff142816bda3d4c842979309176e17c0f2fbd69eda6ae335994eb676c9e605d6d51c30ed2bbf0d28778ad8d6e8a775cf997d5c4c78bb0afa8a9926f69dd8

Download Submit
C:\Windows\{1AC1DC2A-F0F5-4b8e-8961-70F915A76BDF}.exe

Filesize
180KB

MD5
2e19531306f087dd9b3e40746ffd3b77

SHA1
c729f5206caa43476df7e4ca27ff8b11322a3686

SHA256
cb5b8ca8d37a97f2fbeae4bf26a3ac36b29c89472e2e2b5c9518b0396f2ef2f9

SHA512
deba7f2536c7414746ee1b2bc6e39d5e657109ff73bfb38a2a3068e7f7baa2f044bb8094b4214cb1b3a683c5c206a2b4feb0bd2e0283b6e2f9bf7cbc37b4048b

Download Submit
C:\Windows\{237334FC-659B-43f4-86CE-755A29A17C39}.exe

Filesize
180KB

MD5
0990e573e08097cae8395e6eeb91608b

SHA1
9463871278bbe1063f4a2e5fd1165e0fef49a7ff

SHA256
12bd0d99edc4836eb43c547832107af8106f06f483fcfeeaf1ec848731da5aee

SHA512
bd1f48feb83efc8bb1a5c6ee6c1d96d8df97a3c264d59937185114af2489198297e58c682b6498b025a75c1002c2470f916f0cd0b99f4b2948e6f3a96b2983e9

Download Submit
C:\Windows\{5C881FCC-4F85-496a-947A-86549E503A9F}.exe

Filesize
180KB

MD5
0b4e9452dd4603255046df5fe1943562

SHA1
75a27e90e585f396ba3c28a3cb5431150dfa876d

SHA256
bab72d969cd74d612b619603b3e3f2bf49412bacaefec327fde3f4b7262b1821

SHA512
49d183a2077ceaa56e6589f6df619f2daee40e4bc4cea9d155cb861b91f99314a5c950b485c5777ff6172fe49be161d3022a80f504b483cb3dfddda7dffc718a

Download Submit
C:\Windows\{8F5EFC00-D76C-4993-B1E0-A33A37613951}.exe

Filesize
180KB

MD5
6e62e6673250dbf6c3f73fbb0de4ef99

SHA1
a18e5e5e18408e6e85c9c2f9e4d47c62995d578f

SHA256
0b53da8995d1c94ce86497f050343f8c8fcef9beba2d6f06687e15cd6387336a

SHA512
7924b5ae4d4f72a3c5a0f2f7ee5e84b32194c74b4c55b375769838329c1b697a47e80720ae5bfef4a9ea494a5073d688fe553c6030193b44e460bbc4a96f7525

Download Submit
C:\Windows\{DD7E4BAB-96D7-4476-8CBB-071E4F85FEC1}.exe

Filesize
180KB

MD5
7d181fa31ed66e7ae5ef8d35fc970ec1

SHA1
2e2cbf01c6ffb50db9db8eca7698838a5aa01311

SHA256
8fbc2a57e0b86f6d53c564a4ada28f54b5cf1a2ce659b510a9950a931c4aa169

SHA512
1667297e1759a5eccb96e2fe9bfee7138843e059ce6f282fc52078596eadd9166f2f07997cc4a36e108be8bff28d1667058381846a82faa2fae90730247987d5

Download Submit
C:\Windows\{EF57E3F2-18F4-49fc-8B49-9D66F297C660}.exe

Filesize
180KB

MD5
780fd6202aad9f6df2cedb8b53a47857

SHA1
33266db9154afccec6fb5d019b89304cf4380aa6

SHA256
f1dc1252e68d8fddec99b55a66d8c11256d3088ffee78495cab32356df55d66c

SHA512
e5c6fff8f2e8976fbd27b7190e9a976a60dc2d3b22ec5d025e2a9defe6883c32aa1b89f45bf0ab71486bfb14ad881d1f874127bedcf77748ebabcfcb44963fe7

Download Submit
C:\Windows\{F39DC87D-7B05-4b22-9DA9-05E884FF0D4B}.exe

Filesize
180KB

MD5
38f4ec3eaf4de53e9e699d30d4a4fdd8

SHA1
0b2cc56d4e7c5cda7b288b08540906c8cc8dd749

SHA256
ef51aa4491db007db680be5a5d13b7d18b498de74753e9dd5c9625ffcb2952b8

SHA512
bb00d52f0be60f0d594ccda139a0ba2f2952d0b7c462e4c6d1bfa72bef23f91866fd1aae0c7caa0360b9794d47732bb7b1cc60bd52efb08034e789bbfa4594e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads