7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Size

192KB
MD5

6538f3adde737517d34a8746dadeaff7
SHA1

34795b3256e1c1cc3f214b77a65b97e259844822
SHA256

7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2
SHA512

0926e6dc2274144ca76f5e3e6c315ab24c50e9e52cfc8a1c14a7fd4dce551d0ef974713f19afc8f325a6db52c8209b311d13dbc4b526f5f28b4501887a1e9822
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012262-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0016000000015db4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012262-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012262-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012262-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0017000000015db4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012262-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012262-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0018000000015db4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CED27777-AF1D-463e-9417-ECC2D555F24E}	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9A7AD04-B219-4142-BB04-0BDEF5304755}	{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E966D8A-F924-4457-ACFA-CDD33788C515}\stubpath = "C:\\Windows\\{6E966D8A-F924-4457-ACFA-CDD33788C515}.exe"	{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}\stubpath = "C:\\Windows\\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe"	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}\stubpath = "C:\\Windows\\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe"	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9A7AD04-B219-4142-BB04-0BDEF5304755}\stubpath = "C:\\Windows\\{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe"	{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}	{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}\stubpath = "C:\\Windows\\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe"	{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{636F57BB-4C75-430b-978F-FE4FC569CE23}	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}\stubpath = "C:\\Windows\\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe"	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A05E0E70-5F14-4ae6-B512-3783E371231B}	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A05E0E70-5F14-4ae6-B512-3783E371231B}\stubpath = "C:\\Windows\\{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe"	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CED27777-AF1D-463e-9417-ECC2D555F24E}\stubpath = "C:\\Windows\\{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe"	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{636F57BB-4C75-430b-978F-FE4FC569CE23}\stubpath = "C:\\Windows\\{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe"	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}\stubpath = "C:\\Windows\\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe"	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}\stubpath = "C:\\Windows\\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe"	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E966D8A-F924-4457-ACFA-CDD33788C515}	{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe
2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
2200	{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
1792	{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
2120	{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe
2932	{6E966D8A-F924-4457-ACFA-CDD33788C515}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
File created	C:\Windows\{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
File created	C:\Windows\{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
File created	C:\Windows\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
File created	C:\Windows\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
File created	C:\Windows\{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe	{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
File created	C:\Windows\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe	{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
File created	C:\Windows\{6E966D8A-F924-4457-ACFA-CDD33788C515}.exe	{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe
File created	C:\Windows\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
File created	C:\Windows\{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
File created	C:\Windows\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
Token: SeIncBasePriorityPrivilege	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
Token: SeIncBasePriorityPrivilege	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
Token: SeIncBasePriorityPrivilege	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe
Token: SeIncBasePriorityPrivilege	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
Token: SeIncBasePriorityPrivilege	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
Token: SeIncBasePriorityPrivilege	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
Token: SeIncBasePriorityPrivilege	2200	{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
Token: SeIncBasePriorityPrivilege	1792	{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
Token: SeIncBasePriorityPrivilege	2120	{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2588	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	28
PID 2240 wrote to memory of 2588	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	28
PID 2240 wrote to memory of 2588	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	28
PID 2240 wrote to memory of 2588	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	28
PID 2240 wrote to memory of 2936	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	29
PID 2240 wrote to memory of 2936	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	29
PID 2240 wrote to memory of 2936	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	29
PID 2240 wrote to memory of 2936	2240	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	29
PID 2588 wrote to memory of 2684	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	32
PID 2588 wrote to memory of 2684	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	32
PID 2588 wrote to memory of 2684	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	32
PID 2588 wrote to memory of 2684	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	32
PID 2588 wrote to memory of 2644	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	33
PID 2588 wrote to memory of 2644	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	33
PID 2588 wrote to memory of 2644	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	33
PID 2588 wrote to memory of 2644	2588	{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe	33
PID 2684 wrote to memory of 2408	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	34
PID 2684 wrote to memory of 2408	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	34
PID 2684 wrote to memory of 2408	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	34
PID 2684 wrote to memory of 2408	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	34
PID 2684 wrote to memory of 2472	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	35
PID 2684 wrote to memory of 2472	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	35
PID 2684 wrote to memory of 2472	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	35
PID 2684 wrote to memory of 2472	2684	{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe	35
PID 2408 wrote to memory of 760	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	36
PID 2408 wrote to memory of 760	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	36
PID 2408 wrote to memory of 760	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	36
PID 2408 wrote to memory of 760	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	36
PID 2408 wrote to memory of 1532	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	37
PID 2408 wrote to memory of 1532	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	37
PID 2408 wrote to memory of 1532	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	37
PID 2408 wrote to memory of 1532	2408	{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe	37
PID 760 wrote to memory of 2316	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	38
PID 760 wrote to memory of 2316	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	38
PID 760 wrote to memory of 2316	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	38
PID 760 wrote to memory of 2316	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	38
PID 760 wrote to memory of 836	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	39
PID 760 wrote to memory of 836	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	39
PID 760 wrote to memory of 836	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	39
PID 760 wrote to memory of 836	760	{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe	39
PID 2316 wrote to memory of 1844	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	40
PID 2316 wrote to memory of 1844	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	40
PID 2316 wrote to memory of 1844	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	40
PID 2316 wrote to memory of 1844	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	40
PID 2316 wrote to memory of 2648	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	41
PID 2316 wrote to memory of 2648	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	41
PID 2316 wrote to memory of 2648	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	41
PID 2316 wrote to memory of 2648	2316	{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe	41
PID 1844 wrote to memory of 1240	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	42
PID 1844 wrote to memory of 1240	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	42
PID 1844 wrote to memory of 1240	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	42
PID 1844 wrote to memory of 1240	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	42
PID 1844 wrote to memory of 1988	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	43
PID 1844 wrote to memory of 1988	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	43
PID 1844 wrote to memory of 1988	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	43
PID 1844 wrote to memory of 1988	1844	{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe	43
PID 1240 wrote to memory of 2200	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	44
PID 1240 wrote to memory of 2200	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	44
PID 1240 wrote to memory of 2200	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	44
PID 1240 wrote to memory of 2200	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	44
PID 1240 wrote to memory of 2004	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	45
PID 1240 wrote to memory of 2004	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	45
PID 1240 wrote to memory of 2004	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	45
PID 1240 wrote to memory of 2004	1240	{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
  C:\Windows\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
    C:\Windows\{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
      C:\Windows\{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe
        
        C:\Windows\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
        
        C:\Windows\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
        
        C:\Windows\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
        
        C:\Windows\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
        
        C:\Windows\{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
        
        C:\Windows\{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe
        
        C:\Windows\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{6E966D8A-F924-4457-ACFA-CDD33788C515}.exe
        
        C:\Windows\{6E966D8A-F924-4457-ACFA-CDD33788C515}.exe
        12⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C2E0~1.EXE > nul
        12⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A7A~1.EXE > nul
        11⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A05E0~1.EXE > nul
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E037~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8BC7~1.EXE > nul
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2388D~1.EXE > nul
        7⤵
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E45D~1.EXE > nul
        6⤵
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{636F5~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CED27~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{37B59~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2388D9DE-195D-4134-B1E8-9ABE3ECC72C0}.exe

Filesize
192KB

MD5
c8c2fadc4f5ec96cd4a28081c3ce2210

SHA1
bc3e495560f7e8c7a9836fd9409489c558e86be8

SHA256
8a77888cb4f2664c3fde2faa697437eda78fb3ab9496d256ec0e10bb10e034b5

SHA512
b4139c12147cce34c5dd23e9477323fc40501f209acde143a8e7c7d17aae22f0e90d985f56a3c8097e947a59e88acf77de5b8d13e185500beed52bba454420bd

Download Submit
C:\Windows\{37B5902D-CFDD-4553-A449-6EDBE7F73BEE}.exe

Filesize
192KB

MD5
c1eed02340dc660fdd6d454b6d2b3974

SHA1
2b463212f058f076f956b01a1d6531dfd47fd5e4

SHA256
4215deed01fbb7aed82e3cd9afa0037de8e78cbf6beecddc0662ab20074efd47

SHA512
105dfb8b195dd8e94655f978fdc9029ad5edfa4cc625cb05ff39913ed92f2f96f64d9bc90cc49d17e36c254e099c2a30abf4b6968208020ed97e34fd15a423bc

Download Submit
C:\Windows\{3E45DB6D-99F6-4744-B37E-5FDC61A10605}.exe

Filesize
192KB

MD5
82bdc4bdf999502793110531a385a895

SHA1
0a0efdfed21087bf891f610afacbf02c1c381384

SHA256
708b29151dab91fd6ac9f1a2810fe94ed3251432361946ffeafa2e33d9fb1f34

SHA512
e60a0eb0f4823e78dd326f8abf1d374ede995bd0c0c895124a9d3a28c0710211add0e04400d345683bff8f795cca9219afd7be95d281908447d897799ace9311

Download Submit
C:\Windows\{5E037D4E-CD94-47de-88E5-70FCA74ADC19}.exe

Filesize
192KB

MD5
de934440be74d3480891c35041eb7f10

SHA1
c7be2cad322b03c6ca2ac8dac23e3a4d720d84b0

SHA256
6cc355aa434e6d7e6524563e4a2bed655b016a6dfe4c8a8627cd8cf73dc5cd6d

SHA512
91051eda4be7467cf19e0828ce09e8dd7611e63abd8fc91b0591c94fb4837db6d181a39fc59d6bd2a1c5a60b00f0871706d5d87c92bf326833559375a1486b9e

Download Submit
C:\Windows\{636F57BB-4C75-430b-978F-FE4FC569CE23}.exe

Filesize
192KB

MD5
4c3c19bd13decde1549c57ddd2b96f2b

SHA1
9c2c4ae6fde0418a8252a7d8a0f1ff004aab8408

SHA256
a1b0d1d3c7fcee4e6f5cbc0ed17c0187d7060c50e5a6db8cca947e45e1c08094

SHA512
1af4c6a7c7bec9a4eacdf624a0de82a3624406c29e36223b593624717e24c255a3ad7158b839321aaee7217ec857044f15303a306aa20b00ac743befdc460633

Download Submit
C:\Windows\{6E966D8A-F924-4457-ACFA-CDD33788C515}.exe

Filesize
192KB

MD5
59a727a79e8996ee839f55336f69fd06

SHA1
4370be93e3c35434355973b4b3486d57f8b2fe8a

SHA256
f7d1fc20678ba211de69a3d9dbffe8c7a56a0a3e4d591305fbe3e1808beb0319

SHA512
d2196b7d46ce93729b57c3a2a4d4478699bbdc2a6d44e78914d8ed818aa2cf64605a5deb99b2c59e2cf470a69418c05904274aa652d82cf2fc2f8f47e197eae9

Download Submit
C:\Windows\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe

Filesize
192KB

MD5
df1739310cab003a6c31b807be822176

SHA1
972d541c3d9477de117b96b7413e85b562d91e7c

SHA256
677967b3c995bfe5b6d1f7ecc4a4369ce4b55f2a02dac9bc8272965379440016

SHA512
0987c924397a24fd9708b7e95fe431e4d119896085ae9200f535e46beea248c9e402ad3c5fb4bd1cd8ea7b6fb4324c254272953b5ff71b634936271c467adeb4

Download Submit
C:\Windows\{7C2E0E2A-B5E9-45f5-BD18-84F12E3363AB}.exe

Filesize
5KB

MD5
9ad3c42083302cd4245f13d0f6bcaeae

SHA1
f04d5401cd232e0a8c481120c047d0d70cb4553e

SHA256
e3aea080d5a0a926dbbee2cf2a776ab7680e8d0f86849378f16806c54e33be76

SHA512
ff64a2bfa99fa51b64ee7b62525fcd1e650dd65df7bb065bbf33f260e282b6c5d966b240f41611246e84f48a5414ee7e4931b8f681da5e49d2fc6aedea9920de

Download Submit
C:\Windows\{A05E0E70-5F14-4ae6-B512-3783E371231B}.exe

Filesize
192KB

MD5
d0fd0d6e7deccd9f6e0ce32e7478905e

SHA1
a76748e3e13627260424c65bfdf6ade16b924f26

SHA256
ec3453139e110644f777d9a63c057ccd60dfb185bff56df4a3e6bf10fa05bca3

SHA512
9a622ae5032280d93074251c477b78ca2f3cbc0dc8091abf37535e0d5cc73010723beddb2e4afbf2999c0e5c61ebfccee5723b435a9d9799194b2a913c852178

Download Submit
C:\Windows\{CED27777-AF1D-463e-9417-ECC2D555F24E}.exe

Filesize
192KB

MD5
45cb11bf92daf2bf6ee63dcad50e59ec

SHA1
19cddb275448e0ecc3167c0f5f9983bcfbfa370f

SHA256
2c593ecf7f7ff77224ed589d40fe607b1905e31314fcf26f1a4f75d85faa5072

SHA512
2720dedc2e447ec65882b861cd03dfd6e4a64aa3c5fcc082f639214f94fb650ce69cb6e523a13345190a8244351c200a8d86956123d765ee308beffc3289fdd7

Download Submit
C:\Windows\{E8BC7EEB-F490-4a79-818E-2D350A1D5739}.exe

Filesize
192KB

MD5
1306ddabc7a54ac775570837c9a67142

SHA1
c197bff5b7de27ddea15b91a2fb014fc026efe70

SHA256
45eaf4d4b57b932cbe986ceba87e9ec47d4c7ad024653a76474822b50e2f037f

SHA512
df45acca0ce0eb0acbf8253eb3233b7a9a560cfd101ecbfe595ad3c1ce2d7971b2903f27dbaa1259f352e4cac601bdb0df540dcc936d44bf3fc95c2512109fc0

Download Submit
C:\Windows\{F9A7AD04-B219-4142-BB04-0BDEF5304755}.exe

Filesize
192KB

MD5
da0fc69f814415e5ea0a728e09555475

SHA1
3c9bbc0d131385d9aa3727e5e8a1660adfad6b77

SHA256
f0cf69ba0ca9d74f1f9646177817f60fc7211f4787d8c711d482cf935c279bca

SHA512
23904a2f496590c254f5815f07803d7e8f72b36a122e83a9fb7532ff6320b375b9e1370c4b89ff770ca81209a666125545d25a77fba1e4f4c0204cc2a4958b49

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads