b49270472718d7ad5fe63af1877b0582fcc49b3da81035c54551fdf4f4f42110

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe
Size

372KB
MD5

81b7348e9b5a5ffff8c801b57edb438f
SHA1

6e638fbfc401b18adda7e814ac561eb9972b0a73
SHA256

b49270472718d7ad5fe63af1877b0582fcc49b3da81035c54551fdf4f4f42110
SHA512

1c8069cdabd9c3fded148f0c41f50a0e3ba033ea5449a4cc849e842e9075440c7fd76c5e6ab47c04ba29ffb700fc482cd585c42bb0db1c5725d1715c9e0e6368
SSDEEP

3072:CEGh0oIlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGSlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000135c2-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016af5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000135c2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000135c2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000135c2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016bf4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016c0e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016bf4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000016c0e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C13BC9-5EA8-402d-BEA7-824C68432F17}	{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C13BC9-5EA8-402d-BEA7-824C68432F17}\stubpath = "C:\\Windows\\{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe"	{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF55312-603C-4df3-B242-8FB2B817E1DB}\stubpath = "C:\\Windows\\{7EF55312-603C-4df3-B242-8FB2B817E1DB}.exe"	{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{656E33B8-D881-4a62-AE2C-F44E168E35BC}\stubpath = "C:\\Windows\\{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe"	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}\stubpath = "C:\\Windows\\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe"	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8AA64D-80FD-4a20-A420-227BECD5F352}	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FE5D2A-BF77-4364-A186-5643DCF2B370}	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FE5D2A-BF77-4364-A186-5643DCF2B370}\stubpath = "C:\\Windows\\{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe"	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}\stubpath = "C:\\Windows\\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe"	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF55312-603C-4df3-B242-8FB2B817E1DB}	{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{656E33B8-D881-4a62-AE2C-F44E168E35BC}	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DEC6FA-3416-41d5-8DDE-741724791A2D}	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}\stubpath = "C:\\Windows\\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe"	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}\stubpath = "C:\\Windows\\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe"	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A62FE1D-11DF-40b8-A020-C045375D63BA}	{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A62FE1D-11DF-40b8-A020-C045375D63BA}\stubpath = "C:\\Windows\\{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe"	{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DEC6FA-3416-41d5-8DDE-741724791A2D}\stubpath = "C:\\Windows\\{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe"	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8AA64D-80FD-4a20-A420-227BECD5F352}\stubpath = "C:\\Windows\\{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe"	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe

Deletes itself 1 IoCs

pid	Process
1916	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe
2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
300	{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe
1484	{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
2308	{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe
1044	{7EF55312-603C-4df3-B242-8FB2B817E1DB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
File created	C:\Windows\{7EF55312-603C-4df3-B242-8FB2B817E1DB}.exe	{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe
File created	C:\Windows\{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe
File created	C:\Windows\{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
File created	C:\Windows\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
File created	C:\Windows\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
File created	C:\Windows\{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe	{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
File created	C:\Windows\{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe
File created	C:\Windows\{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
File created	C:\Windows\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
File created	C:\Windows\{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe	{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
Token: SeIncBasePriorityPrivilege	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe
Token: SeIncBasePriorityPrivilege	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
Token: SeIncBasePriorityPrivilege	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
Token: SeIncBasePriorityPrivilege	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
Token: SeIncBasePriorityPrivilege	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
Token: SeIncBasePriorityPrivilege	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
Token: SeIncBasePriorityPrivilege	300	{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe
Token: SeIncBasePriorityPrivilege	1484	{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
Token: SeIncBasePriorityPrivilege	2308	{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2760	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	28
PID 2476 wrote to memory of 2760	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	28
PID 2476 wrote to memory of 2760	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	28
PID 2476 wrote to memory of 2760	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	28
PID 2476 wrote to memory of 1916	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	29
PID 2476 wrote to memory of 1916	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	29
PID 2476 wrote to memory of 1916	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	29
PID 2476 wrote to memory of 1916	2476	2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe	29
PID 2760 wrote to memory of 2712	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	30
PID 2760 wrote to memory of 2712	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	30
PID 2760 wrote to memory of 2712	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	30
PID 2760 wrote to memory of 2712	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	30
PID 2760 wrote to memory of 2812	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	31
PID 2760 wrote to memory of 2812	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	31
PID 2760 wrote to memory of 2812	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	31
PID 2760 wrote to memory of 2812	2760	{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe	31
PID 2712 wrote to memory of 2616	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	34
PID 2712 wrote to memory of 2616	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	34
PID 2712 wrote to memory of 2616	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	34
PID 2712 wrote to memory of 2616	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	34
PID 2712 wrote to memory of 2508	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	35
PID 2712 wrote to memory of 2508	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	35
PID 2712 wrote to memory of 2508	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	35
PID 2712 wrote to memory of 2508	2712	{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe	35
PID 2616 wrote to memory of 1268	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	36
PID 2616 wrote to memory of 1268	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	36
PID 2616 wrote to memory of 1268	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	36
PID 2616 wrote to memory of 1268	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	36
PID 2616 wrote to memory of 1612	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	37
PID 2616 wrote to memory of 1612	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	37
PID 2616 wrote to memory of 1612	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	37
PID 2616 wrote to memory of 1612	2616	{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe	37
PID 1268 wrote to memory of 2748	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	38
PID 1268 wrote to memory of 2748	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	38
PID 1268 wrote to memory of 2748	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	38
PID 1268 wrote to memory of 2748	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	38
PID 1268 wrote to memory of 1628	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	39
PID 1268 wrote to memory of 1628	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	39
PID 1268 wrote to memory of 1628	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	39
PID 1268 wrote to memory of 1628	1268	{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe	39
PID 2748 wrote to memory of 1976	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	41
PID 2748 wrote to memory of 1976	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	41
PID 2748 wrote to memory of 1976	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	41
PID 2748 wrote to memory of 1976	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	41
PID 2748 wrote to memory of 2168	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	40
PID 2748 wrote to memory of 2168	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	40
PID 2748 wrote to memory of 2168	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	40
PID 2748 wrote to memory of 2168	2748	{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe	40
PID 1976 wrote to memory of 1972	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	42
PID 1976 wrote to memory of 1972	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	42
PID 1976 wrote to memory of 1972	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	42
PID 1976 wrote to memory of 1972	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	42
PID 1976 wrote to memory of 584	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	43
PID 1976 wrote to memory of 584	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	43
PID 1976 wrote to memory of 584	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	43
PID 1976 wrote to memory of 584	1976	{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe	43
PID 1972 wrote to memory of 300	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	44
PID 1972 wrote to memory of 300	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	44
PID 1972 wrote to memory of 300	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	44
PID 1972 wrote to memory of 300	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	44
PID 1972 wrote to memory of 2472	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	45
PID 1972 wrote to memory of 2472	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	45
PID 1972 wrote to memory of 2472	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	45
PID 1972 wrote to memory of 2472	1972	{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_81b7348e9b5a5ffff8c801b57edb438f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
  C:\Windows\{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe
    C:\Windows\{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
      C:\Windows\{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
        
        C:\Windows\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
        
        C:\Windows\{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15FE5~1.EXE > nul
        7⤵
        
        PID:2168
        
        C:\Windows\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
        
        C:\Windows\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
        
        C:\Windows\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe
        
        C:\Windows\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
        
        C:\Windows\{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe
        
        C:\Windows\{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{7EF55312-603C-4df3-B242-8FB2B817E1DB}.exe
        
        C:\Windows\{7EF55312-603C-4df3-B242-8FB2B817E1DB}.exe
        12⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A62F~1.EXE > nul
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98C13~1.EXE > nul
        11⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EC2~1.EXE > nul
        10⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C42DC~1.EXE > nul
        9⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{599A1~1.EXE > nul
        8⤵
        
        PID:584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EB5~1.EXE > nul
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8AA~1.EXE > nul
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22DEC~1.EXE > nul
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{656E3~1.EXE > nul
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15FE5D2A-BF77-4364-A186-5643DCF2B370}.exe

Filesize
372KB

MD5
e69437641ee62f2f8fb8776c94319e36

SHA1
8e3647ff37a0babfda97aba6baece6c7c6248ef8

SHA256
b60d3e65fb02ce05a85ec5728d4d8dc8f43246b6ae6dd099cd26618cacfb45dc

SHA512
a4f6351e0e4628f0bf683a0faa0d47dc7f6ae7afc382d8371ae442d47879af54eafc22cea22178eda9669402185c1787aca4282231fea46765ebb90b5aaca1f8

Download Submit
C:\Windows\{22DEC6FA-3416-41d5-8DDE-741724791A2D}.exe

Filesize
372KB

MD5
6cc41bc65f9f34d0de126b67d6226e64

SHA1
8fdc19515a05fa1d48e14bbe44db9f98d3553431

SHA256
6d631c021eb852a81159cc2b224cf0dbdecb5a594b3a52737e544bad4c4ee2bc

SHA512
cf6ca3a0e890c4c251ca1add69a220f29014531c13805cad2a3adc25fcf06a2e22e974ff6dfa2445fb1b87344c1ad40b8f7c951a53ee0fdba4293773cb0adf1d

Download Submit
C:\Windows\{2F8AA64D-80FD-4a20-A420-227BECD5F352}.exe

Filesize
372KB

MD5
638ba30a232a68d7813ffaad39bf5a4d

SHA1
6ff9dfd6187f38f07d8902b6f998084db373c3ee

SHA256
b9e6090ecce8dd0fbbe50d0c76817dffe8a3a1769ad6f7f8e9cca55b0c6c3a8f

SHA512
df53d98eb941612997d798a1d714c20db0ad96ac4bc3a104066826516755282bcf787a6fd294e70b77fa860a3a62fd0db976db4a61eea57413c9a5b2f27628e2

Download Submit
C:\Windows\{599A1B92-97A7-4d41-BACD-C6A78E7D9746}.exe

Filesize
372KB

MD5
c519d421c8091a2f5af9f38d310eb905

SHA1
f8f46af8548da7c72b3533a66b522f720b939d2f

SHA256
e0b20e0b89492e1d3ebf2ce12f1016e260e58d8e90128315f8f10f91e3a1fb20

SHA512
9c9ffa1ee1dc3306ac82395c1096bde75e9696079661465ae9a7b93bd12f2f3ef0199962c5f93b89a8996103e72af0977802ad08d3c34c78e8e7e7f79f640b12

Download Submit
C:\Windows\{656E33B8-D881-4a62-AE2C-F44E168E35BC}.exe

Filesize
372KB

MD5
e7530017f94fa28f696e31932191898f

SHA1
b125a2ba35384b752abe817309aec77093a3531c

SHA256
f44b215789be3860651a403c28042dbfd1bd308e4b20a05473d1f52747f08b10

SHA512
78fbdb1153b914581253c83d5c26e1461602e37f8ef894c1eeb44de7cc2e03407cb7ce73b14d3b23ed5348bc43881f9737fd20ffde4053b1ef77815840f5a8ec

Download Submit
C:\Windows\{7EF55312-603C-4df3-B242-8FB2B817E1DB}.exe

Filesize
372KB

MD5
41745c5411d786a8b0295199f90f4887

SHA1
c8a1ab296b450c2ab9b45e2932ffad764a7f1729

SHA256
067127126cd7ff97017bff33e85e699c9aff3023aa5503f049977c9146d188cf

SHA512
66ee745df0a1b4bf3927e3e786ba8dae213544ed7c1014797dafcbde44eb621320c97f4b6c19b3ca39f2fdd1abb7fe6da6bda7c809c4487e80fa111fd5d5ffb7

Download Submit
C:\Windows\{8A62FE1D-11DF-40b8-A020-C045375D63BA}.exe

Filesize
372KB

MD5
a9c4dff928581384ea37659822b2ed3c

SHA1
aa20103c595958159012ccdb24183bfab9710837

SHA256
48fb985567280b60240998d09ab2e01c058b2eafc6c36abe2d28bd7ec0b9577a

SHA512
8c32ab89d0301cb17d4748b49fc2fc476bdd6f3db280fb08a020b3af582cfcaefc0305b47fbd303f556619a7c3da0654597a896f653d9c7422e662819d62b271

Download Submit
C:\Windows\{98C13BC9-5EA8-402d-BEA7-824C68432F17}.exe

Filesize
372KB

MD5
c737258a9189387c9e969a0a9b6dfd4c

SHA1
c9b5a598dbe4516c8ce218b99bd3d3974a8d0b91

SHA256
8516cb938311c5d761714ef11503e975bfc2e02a1dcdbc4bba00d4ad5b966ae1

SHA512
9db1480406daec222cb3add4e90eb335819451a3c1fb1692befe1a69f60f874301ad9260fafcfbdd44048dffc8fd675c218fe46580513de1fd89238574653d17

Download Submit
C:\Windows\{C42DCEA7-5667-4bf7-AA56-EC4DEA8680AD}.exe

Filesize
372KB

MD5
96f834cec13979d06d1f47f38f92dd6c

SHA1
379d75c53d9e74bb11d416447ab9bf5c3cb89e0b

SHA256
0a8976a406af2b807a9eab02b22141790fa6c751248cdbe6c083dcd538d89548

SHA512
654b6a23b7acfa103a576312da836c4f16948a90126f097b914c0135ff44270bfef929e0df55ab65f39124b35f0db74cbbb4e0b1aef40c0cb5bb765783206a2d

Download Submit
C:\Windows\{C4EC27D2-8F0A-4071-86A0-8EBA52D944A4}.exe

Filesize
372KB

MD5
b125ef4644f0d161cb31497217c5887b

SHA1
aa8607f7a517f76b31c2ade41a3ff2f5002aeb3f

SHA256
dc6674e4653cf2f1595e508f07ecb429018de78eff0358d1c77f1e04aa99b6fb

SHA512
99b6b22a78d38427a986c518ef7da200afe1b0d2d001325f3ba639dace66a860d7c6d6b514c938bf9c7ec7d181fd0187b6e3f4cebf190121886079dbbb9099c8

Download Submit
C:\Windows\{C7EB54C2-96C2-4041-8B32-E7C9F859A696}.exe

Filesize
372KB

MD5
41f038380642f241247891d5338d3229

SHA1
6d911fb878d75524ab12a766b3df0c86458961b7

SHA256
7169377ae225a96378b0a0a151c9556c8882c8b663535f02c3725c77e5da47fd

SHA512
74165cf17815e27748e5a1b3983eb7c5f1c45aa0e58eab74347967c0eba9acf2242fc820f1117447b1cbdfc7ea72c87de3b4f85f3af2a5900842c147b6959a46

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads