d165ca4119d7774a14974c96dafc968bc058fcec19666fd9a4b4a707689f7231

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe
Size

180KB
MD5

a57731c57c52b48100eb28cf5e1050a8
SHA1

c4564c8239d0bc95593b5f023ad060c380263286
SHA256

d165ca4119d7774a14974c96dafc968bc058fcec19666fd9a4b4a707689f7231
SHA512

41b1b479391e6fb7ad62d87fa5625a2c35091a891dc44a4253bee62422a3259e40e2c38f265b52f2d15e46dab3de4b55698c3b9649a4bc8d5dca41eeb51f7015
SSDEEP

3072:jEGh0oflfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGBl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001444f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001444f-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012255-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014665-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012255-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012255-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014665-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B8C654-6B6E-430b-97A2-1009C529C494}	{CB377894-622F-4aa5-BD62-10B99160D131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE75B13-1844-432b-8B63-1CE199927C13}	{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}\stubpath = "C:\\Windows\\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe"	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B145DF-20A6-43e8-ADCA-E92EFC816552}\stubpath = "C:\\Windows\\{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe"	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}\stubpath = "C:\\Windows\\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe"	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77FF1720-9A4B-4edb-864C-E52812C083B4}\stubpath = "C:\\Windows\\{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe"	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}\stubpath = "C:\\Windows\\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe"	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}\stubpath = "C:\\Windows\\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe"	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB377894-622F-4aa5-BD62-10B99160D131}\stubpath = "C:\\Windows\\{CB377894-622F-4aa5-BD62-10B99160D131}.exe"	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B8C654-6B6E-430b-97A2-1009C529C494}\stubpath = "C:\\Windows\\{94B8C654-6B6E-430b-97A2-1009C529C494}.exe"	{CB377894-622F-4aa5-BD62-10B99160D131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}\stubpath = "C:\\Windows\\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe"	{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}	{7AE75B13-1844-432b-8B63-1CE199927C13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B145DF-20A6-43e8-ADCA-E92EFC816552}	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77FF1720-9A4B-4edb-864C-E52812C083B4}	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}	{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE75B13-1844-432b-8B63-1CE199927C13}\stubpath = "C:\\Windows\\{7AE75B13-1844-432b-8B63-1CE199927C13}.exe"	{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}\stubpath = "C:\\Windows\\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}.exe"	{7AE75B13-1844-432b-8B63-1CE199927C13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB377894-622F-4aa5-BD62-10B99160D131}	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe
1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe
2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe
2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
2864	{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
2028	{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
268	{7AE75B13-1844-432b-8B63-1CE199927C13}.exe
1792	{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CB377894-622F-4aa5-BD62-10B99160D131}.exe	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe
File created	C:\Windows\{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	{CB377894-622F-4aa5-BD62-10B99160D131}.exe
File created	C:\Windows\{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
File created	C:\Windows\{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
File created	C:\Windows\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe	{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
File created	C:\Windows\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe
File created	C:\Windows\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
File created	C:\Windows\{7AE75B13-1844-432b-8B63-1CE199927C13}.exe	{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
File created	C:\Windows\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}.exe	{7AE75B13-1844-432b-8B63-1CE199927C13}.exe
File created	C:\Windows\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
File created	C:\Windows\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
Token: SeIncBasePriorityPrivilege	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
Token: SeIncBasePriorityPrivilege	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe
Token: SeIncBasePriorityPrivilege	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe
Token: SeIncBasePriorityPrivilege	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
Token: SeIncBasePriorityPrivilege	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe
Token: SeIncBasePriorityPrivilege	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
Token: SeIncBasePriorityPrivilege	2864	{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
Token: SeIncBasePriorityPrivilege	2028	{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
Token: SeIncBasePriorityPrivilege	268	{7AE75B13-1844-432b-8B63-1CE199927C13}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2544	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	28
PID 1724 wrote to memory of 2544	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	28
PID 1724 wrote to memory of 2544	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	28
PID 1724 wrote to memory of 2544	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	28
PID 1724 wrote to memory of 3040	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	29
PID 1724 wrote to memory of 3040	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	29
PID 1724 wrote to memory of 3040	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	29
PID 1724 wrote to memory of 3040	1724	2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe	29
PID 2544 wrote to memory of 2584	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	30
PID 2544 wrote to memory of 2584	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	30
PID 2544 wrote to memory of 2584	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	30
PID 2544 wrote to memory of 2584	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	30
PID 2544 wrote to memory of 2612	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	31
PID 2544 wrote to memory of 2612	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	31
PID 2544 wrote to memory of 2612	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	31
PID 2544 wrote to memory of 2612	2544	{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe	31
PID 2584 wrote to memory of 1624	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	32
PID 2584 wrote to memory of 1624	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	32
PID 2584 wrote to memory of 1624	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	32
PID 2584 wrote to memory of 1624	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	32
PID 2584 wrote to memory of 2504	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	33
PID 2584 wrote to memory of 2504	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	33
PID 2584 wrote to memory of 2504	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	33
PID 2584 wrote to memory of 2504	2584	{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe	33
PID 1624 wrote to memory of 1228	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	36
PID 1624 wrote to memory of 1228	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	36
PID 1624 wrote to memory of 1228	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	36
PID 1624 wrote to memory of 1228	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	36
PID 1624 wrote to memory of 2720	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	37
PID 1624 wrote to memory of 2720	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	37
PID 1624 wrote to memory of 2720	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	37
PID 1624 wrote to memory of 2720	1624	{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe	37
PID 1228 wrote to memory of 2820	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	38
PID 1228 wrote to memory of 2820	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	38
PID 1228 wrote to memory of 2820	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	38
PID 1228 wrote to memory of 2820	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	38
PID 1228 wrote to memory of 1800	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	39
PID 1228 wrote to memory of 1800	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	39
PID 1228 wrote to memory of 1800	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	39
PID 1228 wrote to memory of 1800	1228	{CB377894-622F-4aa5-BD62-10B99160D131}.exe	39
PID 2820 wrote to memory of 1564	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	40
PID 2820 wrote to memory of 1564	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	40
PID 2820 wrote to memory of 1564	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	40
PID 2820 wrote to memory of 1564	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	40
PID 2820 wrote to memory of 1604	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	41
PID 2820 wrote to memory of 1604	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	41
PID 2820 wrote to memory of 1604	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	41
PID 2820 wrote to memory of 1604	2820	{94B8C654-6B6E-430b-97A2-1009C529C494}.exe	41
PID 1564 wrote to memory of 2184	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	42
PID 1564 wrote to memory of 2184	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	42
PID 1564 wrote to memory of 2184	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	42
PID 1564 wrote to memory of 2184	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	42
PID 1564 wrote to memory of 2424	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	43
PID 1564 wrote to memory of 2424	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	43
PID 1564 wrote to memory of 2424	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	43
PID 1564 wrote to memory of 2424	1564	{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe	43
PID 2184 wrote to memory of 2864	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	44
PID 2184 wrote to memory of 2864	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	44
PID 2184 wrote to memory of 2864	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	44
PID 2184 wrote to memory of 2864	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	44
PID 2184 wrote to memory of 1336	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	45
PID 2184 wrote to memory of 1336	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	45
PID 2184 wrote to memory of 1336	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	45
PID 2184 wrote to memory of 1336	2184	{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_a57731c57c52b48100eb28cf5e1050a8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
  C:\Windows\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
    C:\Windows\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe
      C:\Windows\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\{CB377894-622F-4aa5-BD62-10B99160D131}.exe
        
        C:\Windows\{CB377894-622F-4aa5-BD62-10B99160D131}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
        
        C:\Windows\{94B8C654-6B6E-430b-97A2-1009C529C494}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe
        
        C:\Windows\{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
        
        C:\Windows\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
        
        C:\Windows\{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
        
        C:\Windows\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{7AE75B13-1844-432b-8B63-1CE199927C13}.exe
        
        C:\Windows\{7AE75B13-1844-432b-8B63-1CE199927C13}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}.exe
        
        C:\Windows\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE75~1.EXE > nul
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F40~1.EXE > nul
        11⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77FF1~1.EXE > nul
        10⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F517~1.EXE > nul
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64B14~1.EXE > nul
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B8C~1.EXE > nul
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB377~1.EXE > nul
        6⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F24D~1.EXE > nul
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0FD2F~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C018F~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe

Filesize
155KB

MD5
0731e736c6c3f91f815eb4420321d84f

SHA1
b14012593786ce039bf5c1abcdb392b0acf5f518

SHA256
39f26517f73b071db3c7bb52ee19f7afa9fc29561c7a7ba8bffb3469a2ee777c

SHA512
8b2075947d5f1b1729989bd47f2c2b2b7cd69c11e545fc0e89bbd2a7e210fd4746df1ea73b412333b9b735269d8176e56f361a702be744f5b796abff9d5e3cab

Download Submit
C:\Windows\{0FD2FD9A-960F-4c04-B2C7-01B4C9A9577B}.exe

Filesize
180KB

MD5
3df4315e51ca50f59e37b10e2a1e7558

SHA1
d83023c91da8f036741d5fbe686fd98a6057cffe

SHA256
853038f837854b698b7920eb0d665688e88f4179202964047d822a946e9dd933

SHA512
51e9626f85e8bab2c4f51dddefe03000cdd05894d29628f0f67e65808a6a920a68041093f95a0d15be30d56b73b655b16a8031df719dfb030ea925e744631a83

Download Submit
C:\Windows\{29F865A4-F4B6-4d81-88EE-049DCF7CF9BC}.exe

Filesize
180KB

MD5
4db4eec52dc0826b5eac76069e85fb53

SHA1
3566aa2ee0027d300c6536d279e2f909a039174d

SHA256
38ee9a1fcf309c931f28bf05a7befa519c5b723ee5bc975f448f56b9b6411a71

SHA512
8af134302b29116c178d4c22a587bf632b824ba4aae4ab139d30993a3ce25d8fb433968301077adefa62a931851ba890f6e7bde5bcc3567aca18da9383cd8524

Download Submit
C:\Windows\{4F24D3AF-0CEE-42a4-8B69-CEC28476048C}.exe

Filesize
180KB

MD5
611694ef3201e9adb0c3f4f8beeee41a

SHA1
6a901719778aa9d6f72b72a62dc26556109c2a02

SHA256
bc2ff9feee5de7890dd0d0b9ba7fa842461e4d3c47a20d9bc70382db6cd6104d

SHA512
936526450ed47e21d0792b3dc088dd9506929d6f50e09c1b419e7d8c58842ec282caa12f996e16b2d1493c94a943c008700a0608cd0a06fddb560f88286d8110

Download Submit
C:\Windows\{64B145DF-20A6-43e8-ADCA-E92EFC816552}.exe

Filesize
180KB

MD5
dc8f388e52139cfea268ed934b80c4b6

SHA1
fcf02dfcee5f1e6f41b08ee2242b96688c4c3eb9

SHA256
b4a9f0fce2783f8f3c5412798f4e7891e103116923cf69baeee9db394da522eb

SHA512
d3844005a06bc1bb628f61ebce8c2d12077085252a41e628d78c1ea62f5bc94ae219a519d570584b239268852ccf5ac7af63a5045d1f95fddf4dd3e785f7db97

Download Submit
C:\Windows\{6F5178D5-414D-4c0e-97CC-70F7A5A4F1AD}.exe

Filesize
180KB

MD5
bca9cb557beac3ef6feaef2996ea73fb

SHA1
09fe5787a2fcfdb4c23cb8d651f546270af37bde

SHA256
7adc8fc4efe1774e85a6b3ffe899e3587d450ed78ab03a545826ccb9b001f8fb

SHA512
f2d1bcda7a63e25b8361252a955bb139bf0ad41c68ba4ada7af711cb0808113986a5978dd67985eb91a95a222bb4ec6d4281ebce95c2f5073e75d7b479dcbf57

Download Submit
C:\Windows\{77FF1720-9A4B-4edb-864C-E52812C083B4}.exe

Filesize
180KB

MD5
d908c623086cc59e587f6549ffaab148

SHA1
e76a6dd0878b7f4e32b240a200a5d2cc6c0953c4

SHA256
9f7d07d15dc43644d22e97e98ae351d6718803b5df823125f536663897ca9415

SHA512
3bb193c247d7d6ed8cf92f9ea7d539e78ad4ab1aa0c76cb524e5e61e9b3fe9563f7f5cf8d3838ddf3e9b5e99367c964c038f8aafc4bf0b8ea1517a5a96bbf5af

Download Submit
C:\Windows\{7AE75B13-1844-432b-8B63-1CE199927C13}.exe

Filesize
180KB

MD5
7808bf49b9b7a24bfda5ea7f5b3a6adf

SHA1
9e5500fbd94b0c2281a9fb0722faab892eb74b46

SHA256
344a7fddfa7b7b658f9b408dedf03c5ca76a1e9e9c77ddf3d03e41b6376c780b

SHA512
f1861d2189cc8ce1800568110006840395bba8f657dcd84ae042a3f193f713fef89982cd9ac259159cdd685163ecf393b26672530b48ade85a95510ca6cec8c5

Download Submit
C:\Windows\{94B8C654-6B6E-430b-97A2-1009C529C494}.exe

Filesize
180KB

MD5
e383d44e1740de2adf1722da76a55c76

SHA1
c949e83afce50bec027c12ec858617fecc04c38a

SHA256
6449b0d4c5f3bfaeb89241c312b27b97ed30a7c69d1b1af12c9b81f457f901f5

SHA512
7e8b1ad33cabd7133016b7b9a72401db2a9bc8b4d8448c4fca9bc2cebec6183f43a7b05cdab19ea01f7d154fa9131960cb139bf8c7210374a7c6ec96e2c508f4

Download Submit
C:\Windows\{A5F4006F-9B66-4308-A9FA-8457A27A8EC5}.exe

Filesize
180KB

MD5
deacaec65361341fb9fffe987b5b019a

SHA1
04ca72c52e755bc6c27a6fe8e771bfc83bec46d5

SHA256
cf222f5d9afe4e8bdfd831b12ea6c25012b31c877f5c6a64f51aeb329659e71b

SHA512
f1a09651bcedc4baf8f00d7c2927622f8564c2e61501e86efc40035193a22f28bb93f1ca4b532b33ad9b24b017cce257b17bf137a32f899ac732d65e9b303633

Download Submit
C:\Windows\{C018F60E-B0E8-47be-BED2-7DE3AC966D25}.exe

Filesize
180KB

MD5
9edc3cfa326b28ed43d54e821405c79e

SHA1
79801d9d8968ba326494014f067320fbb66c7d31

SHA256
20609e9fd8fecdfc361cdb1a3df67da5652a3c15fa53e74407b561d2e73f4f80

SHA512
18f2183955b9c42e4b02d7e63047c6681dfffcfc7cd0021d6816dd1b6f5671f456e87253e46b4b15a1e1e547a2a1794db5e267ee944b8efcb2ab1000b5953a14

Download Submit
C:\Windows\{CB377894-622F-4aa5-BD62-10B99160D131}.exe

Filesize
180KB

MD5
2786c45d953f9acdc1ec62f983dba114

SHA1
c3bbca9bf7c00f771126fb879b57d72f4e2c16b9

SHA256
61151552c4f0526ca0d18308dc1e96e0c26605dc5861fade71e00dba0039b256

SHA512
ef173e7003e0db414c002e9e0b8adc4c21772d84ada71bdbaf206de44f99bf351e0cef5a23fe72bfcc9a8ae7e9daa6953157a6b200598c052a6bfe1cbf31e08b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads