aac3ca9e9ceea7a87d0a621b7111a22eb0789705ef45efb01fa8e5bcd5a39d60

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Size

197KB
MD5

ba2c75d2f5a5890eae7e81ddc4f57d02
SHA1

d4ba26631dc142e5c8ab6704717b992acdf130c3
SHA256

aac3ca9e9ceea7a87d0a621b7111a22eb0789705ef45efb01fa8e5bcd5a39d60
SHA512

4e2433629739c1c4811e261a85375a078fd3304c3b785c9f8d107ea00b688ad3aca8cb7fecff9a2132616802fa00e6614710315090ae7866423527642310e243
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGIlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012317-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00360000000143e3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-67.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}\stubpath = "C:\\Windows\\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe"	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16831CEB-EAD4-492d-A8C3-7259AA132C90}	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F5B231A-B9FF-47bf-932A-430CC3229F89}\stubpath = "C:\\Windows\\{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe"	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}\stubpath = "C:\\Windows\\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe"	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}\stubpath = "C:\\Windows\\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe"	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}	{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F5B231A-B9FF-47bf-932A-430CC3229F89}	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}\stubpath = "C:\\Windows\\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe"	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2893D36-CB76-4144-8E03-22E06708ABEA}	{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2893D36-CB76-4144-8E03-22E06708ABEA}\stubpath = "C:\\Windows\\{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe"	{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8204FB-020C-421f-B77F-233AE100B34E}	{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8204FB-020C-421f-B77F-233AE100B34E}\stubpath = "C:\\Windows\\{DF8204FB-020C-421f-B77F-233AE100B34E}.exe"	{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0832797D-E23F-48b1-961E-D059FD09DC3F}	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}\stubpath = "C:\\Windows\\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe"	{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0832797D-E23F-48b1-961E-D059FD09DC3F}\stubpath = "C:\\Windows\\{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe"	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16831CEB-EAD4-492d-A8C3-7259AA132C90}\stubpath = "C:\\Windows\\{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe"	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}\stubpath = "C:\\Windows\\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe"	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe
772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
1568	{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
2980	{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe
536	{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe
1412	{DF8204FB-020C-421f-B77F-233AE100B34E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
File created	C:\Windows\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
File created	C:\Windows\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
File created	C:\Windows\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe	{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
File created	C:\Windows\{DF8204FB-020C-421f-B77F-233AE100B34E}.exe	{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe
File created	C:\Windows\{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
File created	C:\Windows\{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
File created	C:\Windows\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
File created	C:\Windows\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe
File created	C:\Windows\{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
File created	C:\Windows\{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe	{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
Token: SeIncBasePriorityPrivilege	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
Token: SeIncBasePriorityPrivilege	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe
Token: SeIncBasePriorityPrivilege	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
Token: SeIncBasePriorityPrivilege	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
Token: SeIncBasePriorityPrivilege	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
Token: SeIncBasePriorityPrivilege	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
Token: SeIncBasePriorityPrivilege	1568	{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
Token: SeIncBasePriorityPrivilege	2980	{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe
Token: SeIncBasePriorityPrivilege	536	{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2436	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	28
PID 1820 wrote to memory of 2436	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	28
PID 1820 wrote to memory of 2436	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	28
PID 1820 wrote to memory of 2436	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	28
PID 1820 wrote to memory of 2732	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	29
PID 1820 wrote to memory of 2732	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	29
PID 1820 wrote to memory of 2732	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	29
PID 1820 wrote to memory of 2732	1820	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	29
PID 2436 wrote to memory of 2716	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	30
PID 2436 wrote to memory of 2716	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	30
PID 2436 wrote to memory of 2716	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	30
PID 2436 wrote to memory of 2716	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	30
PID 2436 wrote to memory of 2708	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	31
PID 2436 wrote to memory of 2708	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	31
PID 2436 wrote to memory of 2708	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	31
PID 2436 wrote to memory of 2708	2436	{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe	31
PID 2716 wrote to memory of 3032	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	32
PID 2716 wrote to memory of 3032	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	32
PID 2716 wrote to memory of 3032	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	32
PID 2716 wrote to memory of 3032	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	32
PID 2716 wrote to memory of 2764	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	33
PID 2716 wrote to memory of 2764	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	33
PID 2716 wrote to memory of 2764	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	33
PID 2716 wrote to memory of 2764	2716	{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe	33
PID 3032 wrote to memory of 772	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	36
PID 3032 wrote to memory of 772	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	36
PID 3032 wrote to memory of 772	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	36
PID 3032 wrote to memory of 772	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	36
PID 3032 wrote to memory of 1616	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	37
PID 3032 wrote to memory of 1616	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	37
PID 3032 wrote to memory of 1616	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	37
PID 3032 wrote to memory of 1616	3032	{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe	37
PID 772 wrote to memory of 2660	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	38
PID 772 wrote to memory of 2660	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	38
PID 772 wrote to memory of 2660	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	38
PID 772 wrote to memory of 2660	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	38
PID 772 wrote to memory of 2692	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	39
PID 772 wrote to memory of 2692	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	39
PID 772 wrote to memory of 2692	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	39
PID 772 wrote to memory of 2692	772	{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe	39
PID 2660 wrote to memory of 1812	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	40
PID 2660 wrote to memory of 1812	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	40
PID 2660 wrote to memory of 1812	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	40
PID 2660 wrote to memory of 1812	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	40
PID 2660 wrote to memory of 1868	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	41
PID 2660 wrote to memory of 1868	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	41
PID 2660 wrote to memory of 1868	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	41
PID 2660 wrote to memory of 1868	2660	{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe	41
PID 1812 wrote to memory of 2156	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	42
PID 1812 wrote to memory of 2156	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	42
PID 1812 wrote to memory of 2156	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	42
PID 1812 wrote to memory of 2156	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	42
PID 1812 wrote to memory of 1264	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	43
PID 1812 wrote to memory of 1264	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	43
PID 1812 wrote to memory of 1264	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	43
PID 1812 wrote to memory of 1264	1812	{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe	43
PID 2156 wrote to memory of 1568	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	44
PID 2156 wrote to memory of 1568	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	44
PID 2156 wrote to memory of 1568	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	44
PID 2156 wrote to memory of 1568	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	44
PID 2156 wrote to memory of 1136	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	45
PID 2156 wrote to memory of 1136	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	45
PID 2156 wrote to memory of 1136	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	45
PID 2156 wrote to memory of 1136	2156	{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
  C:\Windows\{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
    C:\Windows\{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe
      C:\Windows\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
        
        C:\Windows\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
        
        C:\Windows\{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
        
        C:\Windows\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
        
        C:\Windows\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
        
        C:\Windows\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe
        
        C:\Windows\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe
        
        C:\Windows\{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{DF8204FB-020C-421f-B77F-233AE100B34E}.exe
        
        C:\Windows\{DF8204FB-020C-421f-B77F-233AE100B34E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2893~1.EXE > nul
        12⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B1E~1.EXE > nul
        11⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F77~1.EXE > nul
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B4D~1.EXE > nul
        9⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{674AC~1.EXE > nul
        8⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08327~1.EXE > nul
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE523~1.EXE > nul
        6⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6335E~1.EXE > nul
        5⤵
        
        PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F5B2~1.EXE > nul
      4⤵
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16831~1.EXE > nul
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B4D115-4D03-42a9-A1E8-1B8553273D4C}.exe

Filesize
197KB

MD5
85fe502d0fe5cc2e9d30fc9240b90686

SHA1
528e68979381d77eed90e60ee7128acefc6fdd7c

SHA256
b455234754699f731c2ff680eb93a11349829964efecf965b1c1ab29f179f7e5

SHA512
722f2beff7dae88101e0be1b328f759d2609573e0b5c27bc25af4d789b0f33e4030455a363fda54fb7cc4ee65bc7a8ef65da68650c61ee5a914e9ce0c2441b9b

Download Submit
C:\Windows\{0832797D-E23F-48b1-961E-D059FD09DC3F}.exe

Filesize
197KB

MD5
2e533bfd412ff7d2152c7eaecafc829f

SHA1
ff563dc2d1924867523a6182ff4f2df86e665aed

SHA256
cf2dd4302005437c53937a398510a82a356bc73fd8f4c6b6a922c30cefcc47ac

SHA512
f5ed338440a3b644eb4c5b6102e9f4f39a830b11b053b0d27f5d6af2bac610d3950b83081c586cf180a7c0308dca7b59cb2409f9936838a23631a0c57c83e6bb

Download Submit
C:\Windows\{16831CEB-EAD4-492d-A8C3-7259AA132C90}.exe

Filesize
197KB

MD5
155dcbce4b17c4b034d03ee8de0f8026

SHA1
c96a1eac37b97419def6bd12f0423ff0a8a38a2b

SHA256
42c77defbee5efe51360e0865a605964184457e1668517161ca117bb2491481b

SHA512
dc66d80b3b8fad39de3847bac1df3a7d5ba7166b8dce1d8152fb9ba2d3aafa25ece970c62f2df86443bac14ddcef9400b315ffeb33b0ab86a34b65554d193ed9

Download Submit
C:\Windows\{3F5B231A-B9FF-47bf-932A-430CC3229F89}.exe

Filesize
197KB

MD5
bf920ebb56c80be303185b9d320d08e4

SHA1
54427e02cac40a8481d1b54487c1b838d5dc0076

SHA256
4b9f530650ab0c4d29e4fe3f58f474370f0d08972c8afb81995b6395e4071d96

SHA512
8836b4e2ff815bec13ec9ffd32382b8078fb9726cce36fafc507edb9e708e8db32fe9367b024e03725aedff2ac906d213fef2931425939de6585513295473523

Download Submit
C:\Windows\{6335E2CC-0016-42cd-97A8-4D269DCC0CEF}.exe

Filesize
197KB

MD5
680fee0614b952e8aff00be523b73a4b

SHA1
f149d432deddcdba34987abfc97ad04ba79a6ca6

SHA256
6e8aa325ce662ea53d01cfea3cbd5ceb5e2d07e360c390c543a854593377de3c

SHA512
cae30d50f58d4a6b8fcd3ae268393d69c49390fda589c5a5f26bdfc4788f688af92d1405ac6c4caa678077a61a850fbe1ca51ea37364e0f5a0157a7f407e7dad

Download Submit
C:\Windows\{674AC404-F310-4ec7-8BA8-5ECFD1EACCCC}.exe

Filesize
197KB

MD5
628f181edc41e773abc2dcb31a73c7f7

SHA1
8252b4b1893dc2b662c38b703bb0dd95bc743957

SHA256
d63239ef8094082ff877264474401fe9f6e0c45e5458c5ee8395d5490c0562d6

SHA512
53641313de4f44757f8b5c452385d2e9602f8b46f473181a399510b6d6570e38b0969d45419f94ddecd1617201fdf43afac39e46877847a27a11d91a5dd437ab

Download Submit
C:\Windows\{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe

Filesize
197KB

MD5
6a9022c0e0e6dc638e4a0e0210a31a1a

SHA1
eb2d969164db964ceadf78b6145382b034faed3f

SHA256
5a0f4d2926b57db9019d512340b6471e755b45f9221a88c8715e48a805f63eb3

SHA512
3907e2835d3246bbabab5d4baabadb7748b8c0f30d7a6135d31043f089dcc1d2d32d3196df1e048fa92bf74820236c45423e082de09137b1ecd5f238d8b11952

Download Submit
C:\Windows\{B2893D36-CB76-4144-8E03-22E06708ABEA}.exe

Filesize
1KB

MD5
4bc0c8a9188ba80b6b1d123f1538b01c

SHA1
f970f1d1eb981593f5dce6c92a843c45a5c93db2

SHA256
8d808b2a37d78acca7fb3cf18ce2a6c378433f6f09a1700955074eec9d0673ec

SHA512
c9ee2ff3915c0df23c16a774bcd2e4a8584e4d938b10e998e95e7095975d88c825c7d1d681916823e64f9076d739769afadff629f6aa608e4e14a41b9d5b5bd4

Download Submit
C:\Windows\{B7F77715-CE62-4a2c-8645-9B0AE13678A5}.exe

Filesize
197KB

MD5
8cac1a7870ded01b5497efaf6ad6184f

SHA1
b4e36810e51ae86248023932d11926ed247cfe96

SHA256
510626192fc3cef421ef9f131e31f4248ccaf392d4fe6ac01a199c2499d5ef85

SHA512
bb73dcff123945e45856e50cc804914ba45e08d436ec28839c63eb8bb854be32b89066d742bdda84bdb62c97ed2412fb1b154283641d4c5c99d1d9556abc3df7

Download Submit
C:\Windows\{C9B1E3A9-0847-4b2d-91C6-0C8F28AE8FD0}.exe

Filesize
197KB

MD5
e81ff84eeaf7a608d40cd08a97bfac2f

SHA1
6d9b8595005d38d9839811b9c21871e604169f9f

SHA256
24bf11d68a49dc08bc8b1bf73082599374c96424d7fac10056d67578886fcfdb

SHA512
cf94f9c2cca27442ad72f42e4fd771af9c74a66b1228481198101a1962b3edfee2e3f74ef49ead52d3e018a408320464d27877892dcd6d57f1c1c558d2934f99

Download Submit
C:\Windows\{CE5235EF-FEC8-47bb-A431-8D9898E972D7}.exe

Filesize
197KB

MD5
655b346d613f458cea7d840d0ff8b152

SHA1
d74f5f52420f90a1b71a989614b4abaca9a7a28d

SHA256
1bf2a4512475967caa2c66a290a7b9210b9957d6ae4e33a1bead03061f60dc96

SHA512
950b6fddafe7f5f6d18908c963aeb227c8548cf3e16a84b1c81875036c87debe1874ce02a51fb7aed00ae5b09d362f273283dec2d5b04881d2e26a786c54ba85

Download Submit
C:\Windows\{DF8204FB-020C-421f-B77F-233AE100B34E}.exe

Filesize
197KB

MD5
c39249597f52dadf877ff22ddbd06eed

SHA1
154fe1cc62a7dc12f25e559ea02d66bd42d55abb

SHA256
a076a179023085bac594dfa026ef2b0bfe453c7ac11b4303d548632dd2e57aa4

SHA512
615bb66c07f6465eb69978cbda4cacc1974814732b9d3130ff5147d745a2969e96da10b88e77ba6d98ca08f6bce524cda16d1bc5d60ae20e07aa6d646704e80c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads