a480fe4497f84dee8ad98b03b9c08797e602033b51305de1d580385ef96dd0aa

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Size

168KB
MD5

c7866b37d5713a574f64fcba06163cd1
SHA1

78e61ab87c64ab6ab040a3e07af7be3de7991a15
SHA256

a480fe4497f84dee8ad98b03b9c08797e602033b51305de1d580385ef96dd0aa
SHA512

3711756914dd54cabd29c7f718782960017c2cdb797c3d6eb64be96df3389fbb75bb3bb968e5e3cc6814144bc3555075636f42562273279dfa0c4190810c1b4b
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012326-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001480e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012326-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014eb9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012326-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012326-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012326-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A56297B7-4BFF-4012-9392-047147FD2621}\stubpath = "C:\\Windows\\{A56297B7-4BFF-4012-9392-047147FD2621}.exe"	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57F32353-1937-459f-9FCD-8326448D1157}	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5AAF009-D795-44e4-939C-2676FB587BC7}	{6680E596-5099-4759-B590-3A10D3238814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F87E0238-54E1-42f0-81C7-DD5460E4C031}\stubpath = "C:\\Windows\\{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe"	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}\stubpath = "C:\\Windows\\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe"	{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B3128D-80C3-49f5-89FE-C37F239FE078}\stubpath = "C:\\Windows\\{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe"	{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}\stubpath = "C:\\Windows\\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe"	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57F32353-1937-459f-9FCD-8326448D1157}\stubpath = "C:\\Windows\\{57F32353-1937-459f-9FCD-8326448D1157}.exe"	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6680E596-5099-4759-B590-3A10D3238814}	{57F32353-1937-459f-9FCD-8326448D1157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6680E596-5099-4759-B590-3A10D3238814}\stubpath = "C:\\Windows\\{6680E596-5099-4759-B590-3A10D3238814}.exe"	{57F32353-1937-459f-9FCD-8326448D1157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5AAF009-D795-44e4-939C-2676FB587BC7}\stubpath = "C:\\Windows\\{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe"	{6680E596-5099-4759-B590-3A10D3238814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2196DD5-D970-437c-8DC6-67738F04EFA1}	{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A56297B7-4BFF-4012-9392-047147FD2621}	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16AF550-C305-49b5-8231-E598AD98F12E}\stubpath = "C:\\Windows\\{B16AF550-C305-49b5-8231-E598AD98F12E}.exe"	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC23F974-840E-4628-B927-CB1FFB745CBA}	{A56297B7-4BFF-4012-9392-047147FD2621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC23F974-840E-4628-B927-CB1FFB745CBA}\stubpath = "C:\\Windows\\{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe"	{A56297B7-4BFF-4012-9392-047147FD2621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16AF550-C305-49b5-8231-E598AD98F12E}	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F87E0238-54E1-42f0-81C7-DD5460E4C031}	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}	{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B3128D-80C3-49f5-89FE-C37F239FE078}	{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2196DD5-D970-437c-8DC6-67738F04EFA1}\stubpath = "C:\\Windows\\{F2196DD5-D970-437c-8DC6-67738F04EFA1}.exe"	{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe

Deletes itself 1 IoCs

pid	Process
2192	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe
2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe
2740	{6680E596-5099-4759-B590-3A10D3238814}.exe
1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
2024	{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
2908	{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
1992	{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe
2372	{F2196DD5-D970-437c-8DC6-67738F04EFA1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
File created	C:\Windows\{6680E596-5099-4759-B590-3A10D3238814}.exe	{57F32353-1937-459f-9FCD-8326448D1157}.exe
File created	C:\Windows\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe	{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
File created	C:\Windows\{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe	{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
File created	C:\Windows\{F2196DD5-D970-437c-8DC6-67738F04EFA1}.exe	{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe
File created	C:\Windows\{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	{A56297B7-4BFF-4012-9392-047147FD2621}.exe
File created	C:\Windows\{57F32353-1937-459f-9FCD-8326448D1157}.exe	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
File created	C:\Windows\{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	{6680E596-5099-4759-B590-3A10D3238814}.exe
File created	C:\Windows\{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
File created	C:\Windows\{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
File created	C:\Windows\{A56297B7-4BFF-4012-9392-047147FD2621}.exe	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe
Token: SeIncBasePriorityPrivilege	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
Token: SeIncBasePriorityPrivilege	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
Token: SeIncBasePriorityPrivilege	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe
Token: SeIncBasePriorityPrivilege	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe
Token: SeIncBasePriorityPrivilege	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
Token: SeIncBasePriorityPrivilege	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
Token: SeIncBasePriorityPrivilege	2024	{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
Token: SeIncBasePriorityPrivilege	2908	{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
Token: SeIncBasePriorityPrivilege	1992	{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2716	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	28
PID 1844 wrote to memory of 2716	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	28
PID 1844 wrote to memory of 2716	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	28
PID 1844 wrote to memory of 2716	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	28
PID 1844 wrote to memory of 2192	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	29
PID 1844 wrote to memory of 2192	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	29
PID 1844 wrote to memory of 2192	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	29
PID 1844 wrote to memory of 2192	1844	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	29
PID 2716 wrote to memory of 2772	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	30
PID 2716 wrote to memory of 2772	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	30
PID 2716 wrote to memory of 2772	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	30
PID 2716 wrote to memory of 2772	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	30
PID 2716 wrote to memory of 2992	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	31
PID 2716 wrote to memory of 2992	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	31
PID 2716 wrote to memory of 2992	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	31
PID 2716 wrote to memory of 2992	2716	{A56297B7-4BFF-4012-9392-047147FD2621}.exe	31
PID 2772 wrote to memory of 2692	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	32
PID 2772 wrote to memory of 2692	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	32
PID 2772 wrote to memory of 2692	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	32
PID 2772 wrote to memory of 2692	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	32
PID 2772 wrote to memory of 2700	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	33
PID 2772 wrote to memory of 2700	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	33
PID 2772 wrote to memory of 2700	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	33
PID 2772 wrote to memory of 2700	2772	{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe	33
PID 2692 wrote to memory of 1480	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	36
PID 2692 wrote to memory of 1480	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	36
PID 2692 wrote to memory of 1480	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	36
PID 2692 wrote to memory of 1480	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	36
PID 2692 wrote to memory of 2580	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	37
PID 2692 wrote to memory of 2580	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	37
PID 2692 wrote to memory of 2580	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	37
PID 2692 wrote to memory of 2580	2692	{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe	37
PID 1480 wrote to memory of 2740	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	38
PID 1480 wrote to memory of 2740	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	38
PID 1480 wrote to memory of 2740	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	38
PID 1480 wrote to memory of 2740	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	38
PID 1480 wrote to memory of 2860	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	39
PID 1480 wrote to memory of 2860	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	39
PID 1480 wrote to memory of 2860	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	39
PID 1480 wrote to memory of 2860	1480	{57F32353-1937-459f-9FCD-8326448D1157}.exe	39
PID 2740 wrote to memory of 1556	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	40
PID 2740 wrote to memory of 1556	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	40
PID 2740 wrote to memory of 1556	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	40
PID 2740 wrote to memory of 1556	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	40
PID 2740 wrote to memory of 1532	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	41
PID 2740 wrote to memory of 1532	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	41
PID 2740 wrote to memory of 1532	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	41
PID 2740 wrote to memory of 1532	2740	{6680E596-5099-4759-B590-3A10D3238814}.exe	41
PID 1556 wrote to memory of 1560	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	42
PID 1556 wrote to memory of 1560	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	42
PID 1556 wrote to memory of 1560	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	42
PID 1556 wrote to memory of 1560	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	42
PID 1556 wrote to memory of 1184	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	43
PID 1556 wrote to memory of 1184	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	43
PID 1556 wrote to memory of 1184	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	43
PID 1556 wrote to memory of 1184	1556	{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe	43
PID 1560 wrote to memory of 2024	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	44
PID 1560 wrote to memory of 2024	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	44
PID 1560 wrote to memory of 2024	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	44
PID 1560 wrote to memory of 2024	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	44
PID 1560 wrote to memory of 2032	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	45
PID 1560 wrote to memory of 2032	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	45
PID 1560 wrote to memory of 2032	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	45
PID 1560 wrote to memory of 2032	1560	{B16AF550-C305-49b5-8231-E598AD98F12E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\{A56297B7-4BFF-4012-9392-047147FD2621}.exe
  C:\Windows\{A56297B7-4BFF-4012-9392-047147FD2621}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
    C:\Windows\{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
      C:\Windows\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{57F32353-1937-459f-9FCD-8326448D1157}.exe
        
        C:\Windows\{57F32353-1937-459f-9FCD-8326448D1157}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\{6680E596-5099-4759-B590-3A10D3238814}.exe
        
        C:\Windows\{6680E596-5099-4759-B590-3A10D3238814}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
        
        C:\Windows\{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
        
        C:\Windows\{B16AF550-C305-49b5-8231-E598AD98F12E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
        
        C:\Windows\{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
        
        C:\Windows\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe
        
        C:\Windows\{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{F2196DD5-D970-437c-8DC6-67738F04EFA1}.exe
        
        C:\Windows\{F2196DD5-D970-437c-8DC6-67738F04EFA1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5B31~1.EXE > nul
        12⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D536D~1.EXE > nul
        11⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F87E0~1.EXE > nul
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B16AF~1.EXE > nul
        9⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5AAF~1.EXE > nul
        8⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6680E~1.EXE > nul
        7⤵
        
        PID:1532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57F32~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDAFB~1.EXE > nul
        5⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC23F~1.EXE > nul
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5629~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{57F32353-1937-459f-9FCD-8326448D1157}.exe

Filesize
168KB

MD5
55566a5fa62f961ea6e9cbf9ba944a30

SHA1
165aa2dc1c9d25c866195c056d44d25c3c3d41f0

SHA256
1fb86c22e69b2aebe9557153e65df443b22cc7a60fa87cec2aec229c3548bd6e

SHA512
1117a2a0f813cdcd48bf777fa1749bb66de71c3dda61236dc9dfc7051749e5565359dafe28f4a91481364fc7be059faf1c3d24bed6662e6e90ae99a78a248e03

Download Submit
C:\Windows\{6680E596-5099-4759-B590-3A10D3238814}.exe

Filesize
168KB

MD5
541a1b5582ca4207fe37a9170578f0f4

SHA1
38b76f626f7e6c5242ad046b34ec0b6326f23411

SHA256
3adfd9c0a37baa6aeea4ab6dd31478d0a0abcfa885f7f2986127ba826993f6b4

SHA512
ff31a7c6ff8c0fbdec0589f5c49bc45028dd6ba88caf8ee70c78b87d4ffe75d23a6bb08440ca84989e0f82aec64581bf88a13c04ab46339bf1399a77e9655973

Download Submit
C:\Windows\{A56297B7-4BFF-4012-9392-047147FD2621}.exe

Filesize
168KB

MD5
63a1ab6f583ac983c30e811c0ceeb8f3

SHA1
5c9070ea71d129b5fef593b5d2ab768a55cb7258

SHA256
1f83632229c224665cc340436f36697ad11692560b1aa8a11dbfd4040cf377f2

SHA512
f7fe133af2bb7f95094b324f99f5999ae259289a99d7f28cd2d80d302411562f9c55be9a0593e38e689d5260807d6a4ace85952faa710698e349568c99d8c72a

Download Submit
C:\Windows\{B16AF550-C305-49b5-8231-E598AD98F12E}.exe

Filesize
168KB

MD5
98411000bbcd04d2f5ef85d592295e54

SHA1
075ac9997630c33e677aa7964aab5f478c827719

SHA256
b460f06bbb67fc756c574e2cbdb968507a296a2af11d7fd3f5ff17403c05c863

SHA512
86bd0d15bd04534ce0f1593b1479d5ec4f4f1698503ba6febe8aca041d125b8c537f13170a979aa3cc3c5c2c5a41dfd3c8ae0693335e71e36b4d473839d6569a

Download Submit
C:\Windows\{D536DEA4-E020-41f0-A8FA-DE1DB125291E}.exe

Filesize
168KB

MD5
5bcf89d70a04bf70c0a860ac1c6a0d81

SHA1
20454225fca418a0750b40011b585fbef9c9a8cf

SHA256
49fa19a958cd1b0c7e57d940618442bb6f199d77dd06016034f813e08bb90324

SHA512
49a2fb57950db866c4bb55e08a650abb01ea8af917361d9dd5283cd896bf096f6eaddba798f4c6443ed5448bca5ab93a900ed195c6258823613874afcbeafca4

Download Submit
C:\Windows\{D5AAF009-D795-44e4-939C-2676FB587BC7}.exe

Filesize
168KB

MD5
31e5214196ae8d01e4cd14bbf8dc270f

SHA1
16e748340e3aaa69cd291f598c167f468c3cba23

SHA256
ce85717e924232fd4aabbda5c0a03f885be6f96eef9a1b1ad3ccad1d3ded7eb4

SHA512
a90ddfe1185b12d1aae180cc6a191120912b1ef79fba9c02e054811300749d7f1ad1d6a685f97faf66aefa57e0435eca7d845a99c6fe353dbc165bc83f482ece

Download Submit
C:\Windows\{DDAFBB08-FCC3-4a2b-80A5-495815D9A69A}.exe

Filesize
168KB

MD5
da2a45b872d986fb58e46c55ae59294a

SHA1
167ce6fce453b0f3326148d0d398732c440955d0

SHA256
e33acc76e1ad3d68e180de0d5c34407fbcaff91a774582254f7e4580163fe091

SHA512
1b8073113430635f8e099bcec7ac8871c7786f6d0be31bfdede5209ab6f8bd59f9783a0f0facf9a0df3e4677e36a21a52ae1ab510104cdc861ace0b909ccf7a7

Download Submit
C:\Windows\{EC23F974-840E-4628-B927-CB1FFB745CBA}.exe

Filesize
168KB

MD5
38860e3ac9392db60024743d88e7c1e2

SHA1
b03b42bbcf789dd0e422452413107c2e8da88d18

SHA256
bc138aa6585d090e111a446ad8d23fb66c00a4154d82d0a2faa19d6b5fbdd2e7

SHA512
7310b2ac9ccb4c09963fcd95c2ef00ba983a05927840434c3fee60def70cec67d123050962ae7e0d0c8a31aa75863f9c600d6ecab12ff744ce4fc9afab3bc4a9

Download Submit
C:\Windows\{F2196DD5-D970-437c-8DC6-67738F04EFA1}.exe

Filesize
168KB

MD5
e6242358a6aaf6c424e0e148d6a7f4d3

SHA1
607014f77382aa56a435820509acfeae86c1f2b8

SHA256
782922bf9e825bd156c0937de975b0341a5cecf830c92c026f0e0774a99798c0

SHA512
af33460469725577c19c6369153dfb4afe41aa33153becb1439c04ec3d8565a650cdef32349a381cf160330ba1935b10a842a172e299275bf3e5119e7ab1abc5

Download Submit
C:\Windows\{F5B3128D-80C3-49f5-89FE-C37F239FE078}.exe

Filesize
168KB

MD5
46b6163cb20107ef7598b74cc3e9d05d

SHA1
246b97f3315f8ffdad76e7c1f3c63299066977f5

SHA256
c8697790c30cbfc6bbf01292fcb91cf5017205aa92e6113dbb8170cce9062fc8

SHA512
1789fd009f2d067669907a7f773989e285e605148d088e23182bdc1d3c323c0a68238bd24316b37f9069d47c54600bba2cecae960d0e6adb74c4190db0fdb403

Download Submit
C:\Windows\{F87E0238-54E1-42f0-81C7-DD5460E4C031}.exe

Filesize
168KB

MD5
992a07e45aa20285c30397571c9ba6e0

SHA1
0d906c0a7756b042fdaf39a7387034ee8423b4cc

SHA256
2ec1a728e4c25d964aef9f21b83f3069c57a1c3c384e90a9e00d7621aaa4ac74

SHA512
3ad26afd76f69f79f942f46264f1b057fd129a3969963caaa044e257ce4792d30bb10d1186a9aaeb0e340b6de78080681c6df0983c670c93d148d4314a07f39f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads