12578c30957b7c8aafa19086d05ab94875eb937219b9702b938edf11a84b70a5

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe
Size

408KB
MD5

bea06b806d2df322bbe61ea0b5124726
SHA1

432af0f0e61177c175117e2e41ead19568012aeb
SHA256

12578c30957b7c8aafa19086d05ab94875eb937219b9702b938edf11a84b70a5
SHA512

f27ca686af760c8bd5c2dd74f455597382b4332c2f0694ef932b9817f51752313cab541860b7afb9ac04cf4d16be9983b916a733b6e7223dbe957d3ad677d32f
SSDEEP

3072:CEGh0o5l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGPldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012272-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001643c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016584-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016584-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000167df-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000167df-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016ace-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016b92-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D914EB-1258-42d8-8F55-3850F1A82E8C}\stubpath = "C:\\Windows\\{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe"	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}\stubpath = "C:\\Windows\\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe"	{C595E0BE-428A-4726-888C-965D21E213F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F05EE454-AB40-479e-B409-099203EAEE44}\stubpath = "C:\\Windows\\{F05EE454-AB40-479e-B409-099203EAEE44}.exe"	{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}\stubpath = "C:\\Windows\\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}.exe"	{F05EE454-AB40-479e-B409-099203EAEE44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D523096B-65C8-49f6-8567-CD34B6B68768}	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D523096B-65C8-49f6-8567-CD34B6B68768}\stubpath = "C:\\Windows\\{D523096B-65C8-49f6-8567-CD34B6B68768}.exe"	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{043E5F1C-B2EB-4b79-8229-27CBF0149971}	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{043E5F1C-B2EB-4b79-8229-27CBF0149971}\stubpath = "C:\\Windows\\{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe"	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}\stubpath = "C:\\Windows\\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe"	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C595E0BE-428A-4726-888C-965D21E213F6}\stubpath = "C:\\Windows\\{C595E0BE-428A-4726-888C-965D21E213F6}.exe"	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}	{C595E0BE-428A-4726-888C-965D21E213F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F05EE454-AB40-479e-B409-099203EAEE44}	{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14132861-12DE-4992-8B16-BE5FEFBFD894}	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14132861-12DE-4992-8B16-BE5FEFBFD894}\stubpath = "C:\\Windows\\{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe"	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF11A785-24CD-4779-9334-3619AD692CD4}	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF11A785-24CD-4779-9334-3619AD692CD4}\stubpath = "C:\\Windows\\{DF11A785-24CD-4779-9334-3619AD692CD4}.exe"	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C595E0BE-428A-4726-888C-965D21E213F6}	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D914EB-1258-42d8-8F55-3850F1A82E8C}	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}\stubpath = "C:\\Windows\\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe"	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}	{F05EE454-AB40-479e-B409-099203EAEE44}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe
1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
564	{C595E0BE-428A-4726-888C-965D21E213F6}.exe
2704	{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
2408	{F05EE454-AB40-479e-B409-099203EAEE44}.exe
2224	{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}.exe	{F05EE454-AB40-479e-B409-099203EAEE44}.exe
File created	C:\Windows\{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
File created	C:\Windows\{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
File created	C:\Windows\{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
File created	C:\Windows\{C595E0BE-428A-4726-888C-965D21E213F6}.exe	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
File created	C:\Windows\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe	{C595E0BE-428A-4726-888C-965D21E213F6}.exe
File created	C:\Windows\{F05EE454-AB40-479e-B409-099203EAEE44}.exe	{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
File created	C:\Windows\{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe
File created	C:\Windows\{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
File created	C:\Windows\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
File created	C:\Windows\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
Token: SeIncBasePriorityPrivilege	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
Token: SeIncBasePriorityPrivilege	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
Token: SeIncBasePriorityPrivilege	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
Token: SeIncBasePriorityPrivilege	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe
Token: SeIncBasePriorityPrivilege	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
Token: SeIncBasePriorityPrivilege	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
Token: SeIncBasePriorityPrivilege	564	{C595E0BE-428A-4726-888C-965D21E213F6}.exe
Token: SeIncBasePriorityPrivilege	2704	{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
Token: SeIncBasePriorityPrivilege	2408	{F05EE454-AB40-479e-B409-099203EAEE44}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2864	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	28
PID 2788 wrote to memory of 2864	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	28
PID 2788 wrote to memory of 2864	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	28
PID 2788 wrote to memory of 2864	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	28
PID 2788 wrote to memory of 2476	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	29
PID 2788 wrote to memory of 2476	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	29
PID 2788 wrote to memory of 2476	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	29
PID 2788 wrote to memory of 2476	2788	2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe	29
PID 2864 wrote to memory of 2512	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	30
PID 2864 wrote to memory of 2512	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	30
PID 2864 wrote to memory of 2512	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	30
PID 2864 wrote to memory of 2512	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	30
PID 2864 wrote to memory of 2872	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	31
PID 2864 wrote to memory of 2872	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	31
PID 2864 wrote to memory of 2872	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	31
PID 2864 wrote to memory of 2872	2864	{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe	31
PID 2512 wrote to memory of 2444	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	34
PID 2512 wrote to memory of 2444	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	34
PID 2512 wrote to memory of 2444	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	34
PID 2512 wrote to memory of 2444	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	34
PID 2512 wrote to memory of 2800	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	35
PID 2512 wrote to memory of 2800	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	35
PID 2512 wrote to memory of 2800	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	35
PID 2512 wrote to memory of 2800	2512	{D523096B-65C8-49f6-8567-CD34B6B68768}.exe	35
PID 2444 wrote to memory of 1036	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	36
PID 2444 wrote to memory of 1036	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	36
PID 2444 wrote to memory of 1036	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	36
PID 2444 wrote to memory of 1036	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	36
PID 2444 wrote to memory of 472	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	37
PID 2444 wrote to memory of 472	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	37
PID 2444 wrote to memory of 472	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	37
PID 2444 wrote to memory of 472	2444	{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe	37
PID 1036 wrote to memory of 944	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	38
PID 1036 wrote to memory of 944	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	38
PID 1036 wrote to memory of 944	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	38
PID 1036 wrote to memory of 944	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	38
PID 1036 wrote to memory of 2636	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	39
PID 1036 wrote to memory of 2636	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	39
PID 1036 wrote to memory of 2636	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	39
PID 1036 wrote to memory of 2636	1036	{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe	39
PID 944 wrote to memory of 1052	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	40
PID 944 wrote to memory of 1052	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	40
PID 944 wrote to memory of 1052	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	40
PID 944 wrote to memory of 1052	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	40
PID 944 wrote to memory of 1236	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	41
PID 944 wrote to memory of 1236	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	41
PID 944 wrote to memory of 1236	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	41
PID 944 wrote to memory of 1236	944	{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe	41
PID 1052 wrote to memory of 1264	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	42
PID 1052 wrote to memory of 1264	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	42
PID 1052 wrote to memory of 1264	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	42
PID 1052 wrote to memory of 1264	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	42
PID 1052 wrote to memory of 1964	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	43
PID 1052 wrote to memory of 1964	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	43
PID 1052 wrote to memory of 1964	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	43
PID 1052 wrote to memory of 1964	1052	{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe	43
PID 1264 wrote to memory of 564	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	44
PID 1264 wrote to memory of 564	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	44
PID 1264 wrote to memory of 564	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	44
PID 1264 wrote to memory of 564	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	44
PID 1264 wrote to memory of 2308	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	45
PID 1264 wrote to memory of 2308	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	45
PID 1264 wrote to memory of 2308	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	45
PID 1264 wrote to memory of 2308	1264	{DF11A785-24CD-4779-9334-3619AD692CD4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_bea06b806d2df322bbe61ea0b5124726_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
  C:\Windows\{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
    C:\Windows\{D523096B-65C8-49f6-8567-CD34B6B68768}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
      C:\Windows\{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
        
        C:\Windows\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe
        
        C:\Windows\{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
        
        C:\Windows\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
        
        C:\Windows\{DF11A785-24CD-4779-9334-3619AD692CD4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{C595E0BE-428A-4726-888C-965D21E213F6}.exe
        
        C:\Windows\{C595E0BE-428A-4726-888C-965D21E213F6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
        
        C:\Windows\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{F05EE454-AB40-479e-B409-099203EAEE44}.exe
        
        C:\Windows\{F05EE454-AB40-479e-B409-099203EAEE44}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}.exe
        
        C:\Windows\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F05EE~1.EXE > nul
        12⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63A03~1.EXE > nul
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C595E~1.EXE > nul
        10⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF11A~1.EXE > nul
        9⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0718~1.EXE > nul
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{043E5~1.EXE > nul
        7⤵
        
        PID:1236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E29D~1.EXE > nul
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83D91~1.EXE > nul
        5⤵
        
        PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D5230~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14132~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{043E5F1C-B2EB-4b79-8229-27CBF0149971}.exe

Filesize
408KB

MD5
04873f8b8acd84c0d4e7ffc2fb933375

SHA1
a50478e8c53e4e2e1afd8deb0b77e90e47ad5bfb

SHA256
0474d9af7c5153723f9670f66a61c3f98cd8a3f07cd235c9ff3897e0b36f148b

SHA512
3ecf5219764cd34e1171fd700920f7bb9b4dd618a877097666b4cc77f136db626c1448d0337ab6acfe99737974aeb1030a12ebf2a9f4ee0e2cdbb5a56501b142

Download Submit
C:\Windows\{14132861-12DE-4992-8B16-BE5FEFBFD894}.exe

Filesize
408KB

MD5
cf02f45e114f70f2d5e2fcc11620cffe

SHA1
1d582b96aeef2a854a03425abd437442c5a9fc0f

SHA256
b8a1e436197a783c8c5663c981f37531109d3c59dc3afbc3ec02da1530a89686

SHA512
d8dfdebb6ce0b22e8b6e8ca35a1fd009aabbb063e3796f85d5b8888c988906478f0c7d8c51389babf3cf59ed9b63ddb5dde20397d0f765ce9f732b1e9e9666aa

Download Submit
C:\Windows\{5E29DD3F-96D4-41e6-89F5-4B8A85EA0ECB}.exe

Filesize
408KB

MD5
9cc2582656a999f30ec06dab14671222

SHA1
38eae5809004b1fab50823dcdd6ce122c90de1fe

SHA256
c38e744cde8163d5ea5d4c9073cf06930fb9130d635f731d08785456a9c91d97

SHA512
41e6a32666c6b78a37349aec6e8f9de24536aef3585cee70aa575daf1048636fea23bf9ace6e7eaa7c3abb6944a4f6442df29a2779c8e771886403e6fa7aabef

Download Submit
C:\Windows\{63A03DEF-012D-4cf5-83FB-067E62A9EC02}.exe

Filesize
408KB

MD5
8aaa707cec719d62b0b5d563e5cc4cfd

SHA1
d078c4a150aa6653d5c6829b2564bf5e8a579326

SHA256
1ba5a7536855e888c80c010dcd619a74fe7d610132817dc1ba80bf834297d32c

SHA512
29a942c77a37707d12849ddbee64e85e252c74d7e6eacd96b5ddb84a9fe19d2264f807458ec78e45a52e0ac1c12ad9e77a1531a3ba9afe4963ebbf1d5530231e

Download Submit
C:\Windows\{83D914EB-1258-42d8-8F55-3850F1A82E8C}.exe

Filesize
408KB

MD5
467bd040ce7bb17aaffd3b67455cb608

SHA1
8adb62d2ab054fc48de75034c94087dca016381c

SHA256
f6bcccaaaca306600ed7398fb59a5f20f8a575b44215ea5422d9e657de8be3bf

SHA512
77e6babb899d17fa2d664395605881997eb912c70b0b7994b9b93897c78f63bc0d71c0627e5ac27d557a69e805121b986e9ffc3453a5fe7ce4333fc384523a9f

Download Submit
C:\Windows\{ADD4E37E-EE9F-4f9e-901A-B82C37E7579B}.exe

Filesize
408KB

MD5
a0b9e1426a1abdf472ac0a20b6f46e09

SHA1
166b019b15094f6f127084ba4130f564e0f23b09

SHA256
4f8bd0164d8b8082d1040f2eb689f10c722b65fe41ee16716e95af06fb0c26a9

SHA512
d031a35c736245cbfbeb5327e61c0b6f12a04eb422ee8293205b00fe42490eacab03c62b70260f556530e1d289b989bf4f9fefe19aa08d30aff148efae0351d0

Download Submit
C:\Windows\{C07184B9-88E5-4f23-9485-A6E3E3ADE88A}.exe

Filesize
408KB

MD5
6d77de94f9e26821f9079017ab38b93c

SHA1
a58461d2b9e164f63d051db63ed19c1b15fe8fc7

SHA256
695162a62d28fa560974c0f049b41563d1f2c35d6f4e87ecc46513ce6dfcb214

SHA512
611da8170ad832c7693d0200e82d1721cde818338f829673c983a25cec11b442a2ba084866153492ad54fae2ede444e7976ff855bd9c3cde4da446f869902969

Download Submit
C:\Windows\{C595E0BE-428A-4726-888C-965D21E213F6}.exe

Filesize
408KB

MD5
2d0f6c8832c4073669a6e7868c00f769

SHA1
2eb5f0798b0a22f0be2e03a46019e103adc35b3d

SHA256
2f012dd00d7c42f06813742368108e638b90df91976edbe66d14e57f835743ce

SHA512
f67b077ace883dc6aa58f3dac48930971dd78c522dadf67fa9c4f9a8157f3ae8ab5c37d0e34d662e88ba5984a532801243e6c0329c374a700c4a5a24b237db8a

Download Submit
C:\Windows\{D523096B-65C8-49f6-8567-CD34B6B68768}.exe

Filesize
408KB

MD5
b8bd7c8c152d63a4605b48389e3a79dc

SHA1
b0e5ed523b120df9a58754123a375a7014273c9f

SHA256
6de6f433a1741635eec555dbd3d1c09aa69c5d93343b059d87b2bc8ef7f1cf49

SHA512
2dd51d816f4d69d4c053447be75d678faf0235f6da2eee3104384b9874864df0db353c4ff6a50dd6691fa4071d383c42c8e965939de0a6dfc7d14688d4eeff57

Download Submit
C:\Windows\{DF11A785-24CD-4779-9334-3619AD692CD4}.exe

Filesize
408KB

MD5
2521fa86f4aa27c4117286096b50271c

SHA1
ab6ec020fa75e78e49dc7a963dc14d47846bea28

SHA256
7e57de9f93eb054196cea6646b53ed4f63a2216404abec0914f16f1339e298c4

SHA512
aa89658d2fe980a851a59a830ede4a048a89ccec7401bc3c339b177d8c525da59fb195468a485ee7bed1ed766f44be46747646cc90ef0d0a271cb506240a6757

Download Submit
C:\Windows\{F05EE454-AB40-479e-B409-099203EAEE44}.exe

Filesize
408KB

MD5
fc892d39b77988b38d5673d86f0fd8f7

SHA1
e1a62ed0a73746e8d876d2457bf6e02b207ea5e4

SHA256
17afbe8770d55e9e777cbf08cee2c7fd5f83d98c37c0db100d39c78ef4d52b91

SHA512
30472349229af86cbd38a053d67ab32f635056b29d023c324262b7c425374e7ef8e0df5c82cf3a07c38c6c856424768a91e9de945bb0ccbecb4d06e47066242d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads