70578cb261ab1ee94857882ba467c5dd5f12e42a5c0cb887122cb053590fa0b4

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Size

344KB
MD5

c381919089b09d3856deff334a108775
SHA1

cc4e59cbc90ac0fffdd77c9e5bd1328ae55720b3
SHA256

70578cb261ab1ee94857882ba467c5dd5f12e42a5c0cb887122cb053590fa0b4
SHA512

c98ec89bb2833c7c5b355436600f9f069698d97b6e39cf8cb1f0770bc82c767f30895ef5fc58bdff63ee71d75ef81695de13bd41c87da4eb95d2cb1de3ca1d96
SSDEEP

3072:mEGh0oVlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGDlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001224e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122c4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001d000000015cac-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EB9F0C-525C-4a31-8DE0-C4658628960C}	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}\stubpath = "C:\\Windows\\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe"	{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}	{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}\stubpath = "C:\\Windows\\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}.exe"	{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08DDD299-7738-4c30-B23A-083DD276B7CB}\stubpath = "C:\\Windows\\{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe"	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{901C9F0F-2FEC-439e-83EE-658667B30FDA}	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08DDD299-7738-4c30-B23A-083DD276B7CB}	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B49A574-E154-4cff-8303-CFE1AC0FD208}	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B49A574-E154-4cff-8303-CFE1AC0FD208}\stubpath = "C:\\Windows\\{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe"	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38436E92-130C-45c9-BF4B-1F79219C16E0}	{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38436E92-130C-45c9-BF4B-1F79219C16E0}\stubpath = "C:\\Windows\\{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe"	{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}	{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}\stubpath = "C:\\Windows\\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe"	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EB9F0C-525C-4a31-8DE0-C4658628960C}\stubpath = "C:\\Windows\\{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe"	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAF253F-89C5-43b5-9293-A21DC70776AE}	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAF253F-89C5-43b5-9293-A21DC70776AE}\stubpath = "C:\\Windows\\{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe"	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}\stubpath = "C:\\Windows\\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe"	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}\stubpath = "C:\\Windows\\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe"	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{901C9F0F-2FEC-439e-83EE-658667B30FDA}\stubpath = "C:\\Windows\\{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe"	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe
2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe
2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
2964	{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
2232	{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
2060	{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe
996	{2F5DB7E3-709B-447b-BED5-ECF1522DB172}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
File created	C:\Windows\{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
File created	C:\Windows\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe	{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
File created	C:\Windows\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}.exe	{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe
File created	C:\Windows\{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
File created	C:\Windows\{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
File created	C:\Windows\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe
File created	C:\Windows\{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
File created	C:\Windows\{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe	{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
File created	C:\Windows\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
File created	C:\Windows\{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
Token: SeIncBasePriorityPrivilege	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe
Token: SeIncBasePriorityPrivilege	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe
Token: SeIncBasePriorityPrivilege	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
Token: SeIncBasePriorityPrivilege	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
Token: SeIncBasePriorityPrivilege	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
Token: SeIncBasePriorityPrivilege	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
Token: SeIncBasePriorityPrivilege	2964	{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
Token: SeIncBasePriorityPrivilege	2232	{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
Token: SeIncBasePriorityPrivilege	2060	{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2184	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	28
PID 2288 wrote to memory of 2184	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	28
PID 2288 wrote to memory of 2184	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	28
PID 2288 wrote to memory of 2184	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	28
PID 2288 wrote to memory of 2108	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	29
PID 2288 wrote to memory of 2108	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	29
PID 2288 wrote to memory of 2108	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	29
PID 2288 wrote to memory of 2108	2288	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	29
PID 2184 wrote to memory of 2756	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	31
PID 2184 wrote to memory of 2756	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	31
PID 2184 wrote to memory of 2756	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	31
PID 2184 wrote to memory of 2756	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	31
PID 2184 wrote to memory of 2788	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	30
PID 2184 wrote to memory of 2788	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	30
PID 2184 wrote to memory of 2788	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	30
PID 2184 wrote to memory of 2788	2184	{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe	30
PID 2756 wrote to memory of 2856	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	33
PID 2756 wrote to memory of 2856	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	33
PID 2756 wrote to memory of 2856	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	33
PID 2756 wrote to memory of 2856	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	33
PID 2756 wrote to memory of 2096	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	32
PID 2756 wrote to memory of 2096	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	32
PID 2756 wrote to memory of 2096	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	32
PID 2756 wrote to memory of 2096	2756	{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe	32
PID 2856 wrote to memory of 2624	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	37
PID 2856 wrote to memory of 2624	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	37
PID 2856 wrote to memory of 2624	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	37
PID 2856 wrote to memory of 2624	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	37
PID 2856 wrote to memory of 1980	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	36
PID 2856 wrote to memory of 1980	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	36
PID 2856 wrote to memory of 1980	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	36
PID 2856 wrote to memory of 1980	2856	{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe	36
PID 2624 wrote to memory of 2632	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	39
PID 2624 wrote to memory of 2632	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	39
PID 2624 wrote to memory of 2632	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	39
PID 2624 wrote to memory of 2632	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	39
PID 2624 wrote to memory of 2984	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	38
PID 2624 wrote to memory of 2984	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	38
PID 2624 wrote to memory of 2984	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	38
PID 2624 wrote to memory of 2984	2624	{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe	38
PID 2632 wrote to memory of 2380	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	41
PID 2632 wrote to memory of 2380	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	41
PID 2632 wrote to memory of 2380	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	41
PID 2632 wrote to memory of 2380	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	41
PID 2632 wrote to memory of 384	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	40
PID 2632 wrote to memory of 384	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	40
PID 2632 wrote to memory of 384	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	40
PID 2632 wrote to memory of 384	2632	{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe	40
PID 2380 wrote to memory of 1096	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	43
PID 2380 wrote to memory of 1096	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	43
PID 2380 wrote to memory of 1096	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	43
PID 2380 wrote to memory of 1096	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	43
PID 2380 wrote to memory of 320	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	42
PID 2380 wrote to memory of 320	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	42
PID 2380 wrote to memory of 320	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	42
PID 2380 wrote to memory of 320	2380	{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe	42
PID 1096 wrote to memory of 2964	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	44
PID 1096 wrote to memory of 2964	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	44
PID 1096 wrote to memory of 2964	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	44
PID 1096 wrote to memory of 2964	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	44
PID 1096 wrote to memory of 2040	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	45
PID 1096 wrote to memory of 2040	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	45
PID 1096 wrote to memory of 2040	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	45
PID 1096 wrote to memory of 2040	1096	{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
  C:\Windows\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96A7C~1.EXE > nul
    3⤵
    PID:2788
- - C:\Windows\{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe
    C:\Windows\{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08DDD~1.EXE > nul
      4⤵
      PID:2096
  - - C:\Windows\{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe
      C:\Windows\{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{901C9~1.EXE > nul
        5⤵
        
        PID:1980
    - - C:\Windows\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
        
        C:\Windows\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0505~1.EXE > nul
        6⤵
        
        PID:2984
      - C:\Windows\{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
        
        C:\Windows\{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAF2~1.EXE > nul
        7⤵
        
        PID:384
        
        C:\Windows\{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
        
        C:\Windows\{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B49A~1.EXE > nul
        8⤵
        
        PID:320
        
        C:\Windows\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
        
        C:\Windows\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
        
        C:\Windows\{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38EB9~1.EXE > nul
        10⤵
        
        PID:2012
        
        C:\Windows\{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
        
        C:\Windows\{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38436~1.EXE > nul
        11⤵
        
        PID:1704
        
        C:\Windows\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe
        
        C:\Windows\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B32AB~1.EXE > nul
        12⤵
        
        PID:592
        
        C:\Windows\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}.exe
        
        C:\Windows\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}.exe
        12⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A95A2~1.EXE > nul
        9⤵
        
        PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08DDD299-7738-4c30-B23A-083DD276B7CB}.exe

Filesize
344KB

MD5
346f7227c42d0265197939b8b134ab30

SHA1
af647b814c5768430d752e0014eaeca8bd358508

SHA256
b8f170f7b21280c19601227c89d9a9fc38f1685a3271950968c971eb47b54d8b

SHA512
022b003b126571718300193e5a09242830933cc1f6d3d57e8c2d7d740c01dd49c67de9fa3072a9198b17f17a9778cbf3408c4126bca65ece92b9091c6264cfef

Download Submit
C:\Windows\{1B49A574-E154-4cff-8303-CFE1AC0FD208}.exe

Filesize
344KB

MD5
cb2a6960c1f802becd76cd3d21c91bb8

SHA1
3666947da73d15be0920dacd78d7b1e1b43426d7

SHA256
92222700d743e3a3d0eb07c7d82c2e451c3ad2ac2dd0d8e1c740c798394ceab4

SHA512
2bc4b77a702c94a0512f2724279c53c1be8f879ae91b2099cbc78c970cedc1c338933250e8bbf58fce19a00d730b4cca049eacc6bdbb107e0fcbd3afdf3c23f3

Download Submit
C:\Windows\{2BAF253F-89C5-43b5-9293-A21DC70776AE}.exe

Filesize
344KB

MD5
8eb073bcc9a15e4cb6f2d371176cf32e

SHA1
7a0f20842c130e3cc1c8a6c196492d3b8351533e

SHA256
af6f4da8e058a6835aa02cf8b94ed8e6a9b271845b7e7918d3bd63a71425e573

SHA512
ec848bcee7aecbda3b0ef0b4d5d42dd98a80df770e395fe412c58c069091631c7f7740d0903818217eef6f8d51cd2d88ef7dd53300b28eccde4f398d3776109e

Download Submit
C:\Windows\{2F5DB7E3-709B-447b-BED5-ECF1522DB172}.exe

Filesize
344KB

MD5
85247370165fb044a90564bb00a31d23

SHA1
a5150df652be0767453fa9fc97c99944f5fe25b3

SHA256
078e3a2c34b4c9bd77d9fcdecbe6f625845e6e28cbb353251fb8b558bcf3ff8b

SHA512
e1396970ea3f54131563ade1654bd650933f886e6cc5b5f033f59fd3b3ec7f5991e2eeddb311ccfb0814177b39b0de3f691b4f54d5652bc32535a32c89fc6f67

Download Submit
C:\Windows\{38436E92-130C-45c9-BF4B-1F79219C16E0}.exe

Filesize
344KB

MD5
52e4d2453f74d84ceaf149bf59e90ba1

SHA1
dac990c353149054abde82d668e0b504c5268020

SHA256
7e6b56df217c82f2c40bf7beb76f13a7100e3c501ee40d7b8afbf84aae2038d0

SHA512
c2adedff17a5a6fc262a1e9a35a895ba0569c92f9e57ff91ec37aaf86b0f69e5459199ed2c1faa2cecd5daa7bebdcdb5868f0603c2fa0d6fcabeb5cd814cd034

Download Submit
C:\Windows\{38EB9F0C-525C-4a31-8DE0-C4658628960C}.exe

Filesize
344KB

MD5
6fc2c55595434893a39e855d99331216

SHA1
f0b5dec435a05ea0dc429560e727201c9303f55c

SHA256
ea851571a7f2d0b0ad07c58d4595d32a798225b899e8503e01007d820d40379c

SHA512
5d1fd187db1f35609b340f9fac1193564bf9d9e83a9df7a8c864052b9a8cb92a62046835d6aa691e4d4d8532b92ec6778b7eb94cf6d90c0ba087f87e485f3797

Download Submit
C:\Windows\{901C9F0F-2FEC-439e-83EE-658667B30FDA}.exe

Filesize
344KB

MD5
4a131c0c7528eda616872746172201ff

SHA1
a058e9743c9b151f65a429cf933e6c6cb274e493

SHA256
cd4c120c0359762b0e3f40eeeb699823b26091e795681806614e68513b5cc91c

SHA512
a1a4ab48ee26881426800bea5a017beaf45e42c9c47846b759d7b6f43d461446cb39cd1d9f8bdb0e2cfa00373919a7338dc4d9b83f412448b8501fe2acd1f4c1

Download Submit
C:\Windows\{96A7C7D1-A70E-4936-B6AD-E91BF6189C96}.exe

Filesize
344KB

MD5
40e503c7fe6140be07063ac6ae19c49e

SHA1
09d46629eaa020c41e8a2be48ca968a2327c0f1b

SHA256
7aeddf067788b4a3dd542cbea187860b8fd90a81467fa794400e65cf7ad9b91b

SHA512
47ce6e22624cac48bf7b23714bb5932b9660195c9502d12d7349354b2bf43b95e2c2c125dc18573ce5f22b13edf658a31216d63bb2b73e12e0dd2f0139bd75e9

Download Submit
C:\Windows\{A05054E2-6F85-4989-8C1C-16D6707A4A3B}.exe

Filesize
344KB

MD5
2494ad312af6e4f897b2003a8e6934a8

SHA1
49c0505cb8a9c4408921d9a87689558d75797f5f

SHA256
2016e8c1d47e52666ef89b7ec38f81810f3fa7aad2fe7ce12f9827ac3dac49dd

SHA512
6158f042e12aafaa8ffed6f2945264f35c51bcd1fd8cbe34a8e1cb61f0069086451dab1d5d85a563cd16029465c558a09bfc728d888e0543dbe3df462e12bd7c

Download Submit
C:\Windows\{A95A2C6D-BD46-4544-BC3F-D7B1A15BBA91}.exe

Filesize
344KB

MD5
156df02c45915dac2f58c4b2e8eddedf

SHA1
1d9414be5cfa4ae8804ff38fc193bd4c8fce5068

SHA256
5ceed3b93dac75a22fc45d6fc880c9f69cb6515b75dd9f62f446851e95bfabb1

SHA512
5f3e6613bdbf9b5063a6345d12c0252c379e5a1fedf129cd8103e5eaa48fa8c6aa877581e44dc21ed8ada77573aa98071194c65cb468e7adc1d696e43c9806e0

Download Submit
C:\Windows\{B32AB2AE-E438-494d-81DB-C352D21DC7B6}.exe

Filesize
344KB

MD5
20aed37fea8fcf47772a437f12003a9e

SHA1
25625413611bf7375ea9f26d2e5d1666680fe9e0

SHA256
d673c33238236d43f358c05cacb25d4ac0066e68a589e98e2c888e1be6770db0

SHA512
cfdb044e2608bf656f6cb3c042d6462a6b50e3ca685d01499cfba7d282a7544f0ebbbe8527c89717def57428d137d8871d89280748e61f84a862d8906daac21b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads