916dc0627aa66dd412406916060575bbb6edd10d6bf591ac2974372b2620dfae

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
Size

180KB
MD5

5882a0b3a771c5512778086a71308eef
SHA1

30f3fa1293c814fed5ec7ea37deb47382aed5aa2
SHA256

916dc0627aa66dd412406916060575bbb6edd10d6bf591ac2974372b2620dfae
SHA512

83f1933ceb0c46c3dcfde88e698ce138fba0205f8c8dfc7d05bd383b688cc8812ec025a1cf8bca24fb6e0d995a725fd080781007c0bd57ee15fd5ffbdb781f71
SSDEEP

3072:jEGh0ovlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012346-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014b63-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}\stubpath = "C:\\Windows\\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe"	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}\stubpath = "C:\\Windows\\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe"	{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92986510-0583-47b0-BA18-C006532C509F}	{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92986510-0583-47b0-BA18-C006532C509F}\stubpath = "C:\\Windows\\{92986510-0583-47b0-BA18-C006532C509F}.exe"	{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C3D38E-849C-48aa-9343-A660CE3847A3}	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}\stubpath = "C:\\Windows\\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe"	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F75605C-5A6C-48f1-A096-76FE3091F60A}	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD7B5516-5F53-4144-A411-7224D7F396C4}	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}\stubpath = "C:\\Windows\\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe"	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C3D38E-849C-48aa-9343-A660CE3847A3}\stubpath = "C:\\Windows\\{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe"	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD7B5516-5F53-4144-A411-7224D7F396C4}\stubpath = "C:\\Windows\\{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe"	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}\stubpath = "C:\\Windows\\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe"	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0C009D-8031-409c-818C-9F3026B293AA}	{92986510-0583-47b0-BA18-C006532C509F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0C009D-8031-409c-818C-9F3026B293AA}\stubpath = "C:\\Windows\\{1C0C009D-8031-409c-818C-9F3026B293AA}.exe"	{92986510-0583-47b0-BA18-C006532C509F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F75605C-5A6C-48f1-A096-76FE3091F60A}\stubpath = "C:\\Windows\\{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe"	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}\stubpath = "C:\\Windows\\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe"	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}	{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe
1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
296	{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe
2976	{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
1356	{92986510-0583-47b0-BA18-C006532C509F}.exe
1444	{1C0C009D-8031-409c-818C-9F3026B293AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{92986510-0583-47b0-BA18-C006532C509F}.exe	{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
File created	C:\Windows\{1C0C009D-8031-409c-818C-9F3026B293AA}.exe	{92986510-0583-47b0-BA18-C006532C509F}.exe
File created	C:\Windows\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
File created	C:\Windows\{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
File created	C:\Windows\{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
File created	C:\Windows\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
File created	C:\Windows\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe	{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe
File created	C:\Windows\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
File created	C:\Windows\{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
File created	C:\Windows\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
File created	C:\Windows\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
Token: SeIncBasePriorityPrivilege	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
Token: SeIncBasePriorityPrivilege	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
Token: SeIncBasePriorityPrivilege	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
Token: SeIncBasePriorityPrivilege	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe
Token: SeIncBasePriorityPrivilege	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
Token: SeIncBasePriorityPrivilege	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
Token: SeIncBasePriorityPrivilege	296	{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe
Token: SeIncBasePriorityPrivilege	2976	{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
Token: SeIncBasePriorityPrivilege	1356	{92986510-0583-47b0-BA18-C006532C509F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2668	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	28
PID 2012 wrote to memory of 2668	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	28
PID 2012 wrote to memory of 2668	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	28
PID 2012 wrote to memory of 2668	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	28
PID 2012 wrote to memory of 2148	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	29
PID 2012 wrote to memory of 2148	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	29
PID 2012 wrote to memory of 2148	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	29
PID 2012 wrote to memory of 2148	2012	2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe	29
PID 2668 wrote to memory of 2536	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	30
PID 2668 wrote to memory of 2536	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	30
PID 2668 wrote to memory of 2536	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	30
PID 2668 wrote to memory of 2536	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	30
PID 2668 wrote to memory of 2392	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	31
PID 2668 wrote to memory of 2392	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	31
PID 2668 wrote to memory of 2392	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	31
PID 2668 wrote to memory of 2392	2668	{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe	31
PID 2536 wrote to memory of 2412	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	32
PID 2536 wrote to memory of 2412	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	32
PID 2536 wrote to memory of 2412	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	32
PID 2536 wrote to memory of 2412	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	32
PID 2536 wrote to memory of 2316	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	33
PID 2536 wrote to memory of 2316	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	33
PID 2536 wrote to memory of 2316	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	33
PID 2536 wrote to memory of 2316	2536	{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe	33
PID 2412 wrote to memory of 848	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	36
PID 2412 wrote to memory of 848	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	36
PID 2412 wrote to memory of 848	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	36
PID 2412 wrote to memory of 848	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	36
PID 2412 wrote to memory of 2272	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	37
PID 2412 wrote to memory of 2272	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	37
PID 2412 wrote to memory of 2272	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	37
PID 2412 wrote to memory of 2272	2412	{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe	37
PID 848 wrote to memory of 2744	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	38
PID 848 wrote to memory of 2744	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	38
PID 848 wrote to memory of 2744	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	38
PID 848 wrote to memory of 2744	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	38
PID 848 wrote to memory of 2872	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	39
PID 848 wrote to memory of 2872	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	39
PID 848 wrote to memory of 2872	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	39
PID 848 wrote to memory of 2872	848	{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe	39
PID 2744 wrote to memory of 1976	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	40
PID 2744 wrote to memory of 1976	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	40
PID 2744 wrote to memory of 1976	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	40
PID 2744 wrote to memory of 1976	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	40
PID 2744 wrote to memory of 1712	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	41
PID 2744 wrote to memory of 1712	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	41
PID 2744 wrote to memory of 1712	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	41
PID 2744 wrote to memory of 1712	2744	{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe	41
PID 1976 wrote to memory of 2372	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	42
PID 1976 wrote to memory of 2372	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	42
PID 1976 wrote to memory of 2372	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	42
PID 1976 wrote to memory of 2372	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	42
PID 1976 wrote to memory of 1896	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	43
PID 1976 wrote to memory of 1896	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	43
PID 1976 wrote to memory of 1896	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	43
PID 1976 wrote to memory of 1896	1976	{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe	43
PID 2372 wrote to memory of 296	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	44
PID 2372 wrote to memory of 296	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	44
PID 2372 wrote to memory of 296	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	44
PID 2372 wrote to memory of 296	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	44
PID 2372 wrote to memory of 1004	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	45
PID 2372 wrote to memory of 1004	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	45
PID 2372 wrote to memory of 1004	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	45
PID 2372 wrote to memory of 1004	2372	{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
  C:\Windows\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
    C:\Windows\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
      C:\Windows\{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
        
        C:\Windows\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe
        
        C:\Windows\{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
        
        C:\Windows\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
        
        C:\Windows\{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe
        
        C:\Windows\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
        
        C:\Windows\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{92986510-0583-47b0-BA18-C006532C509F}.exe
        
        C:\Windows\{92986510-0583-47b0-BA18-C006532C509F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\{1C0C009D-8031-409c-818C-9F3026B293AA}.exe
        
        C:\Windows\{1C0C009D-8031-409c-818C-9F3026B293AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92986~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92D61~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C76E1~1.EXE > nul
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD7B5~1.EXE > nul
        9⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97E40~1.EXE > nul
        8⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F756~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2210F~1.EXE > nul
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45C3D~1.EXE > nul
        5⤵
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAF58~1.EXE > nul
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1934~1.EXE > nul
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C0C009D-8031-409c-818C-9F3026B293AA}.exe

Filesize
180KB

MD5
94ffd000d7a501d9922cb8387629991e

SHA1
08a32a1d7cfb85b751542f397e49e55e27e5577b

SHA256
e08a4d67681bfb1be6169e2b964a4ed99f521d07fa2f3a7e3564e2bba8b3b1bc

SHA512
d6a73698633171cbcd774d1a9e2838531cf051308eb0ceee85de904ccbd1a2e378fb8aa53d0f97bbbb9e7077658b41171b060744fe9ebf0a665e29a7618f9bbd

Download Submit
C:\Windows\{2210FCA3-52C6-45b9-91C0-4E4C8D32BC70}.exe

Filesize
180KB

MD5
060c5c5427e4af3d7403e30775916890

SHA1
1df1895b01af07ad1356798b6b8d17b08510a5f9

SHA256
fec64959c52e69820ae5de143aca8a7c26862438d1f1ca8471fb0bde1f9ca442

SHA512
a7706f9b69c2609f85479753a392072e034b7bea902298304e627de9d9d44383da2097d62966d62f91c71e20505fa860a3eb616947ec74745a89ef2a0c5d86c4

Download Submit
C:\Windows\{3F75605C-5A6C-48f1-A096-76FE3091F60A}.exe

Filesize
180KB

MD5
308c013db637a63e9d0e9737a70c2460

SHA1
474b0551373db3016d43085d1fc674ad65b202d6

SHA256
e048f6855946f1bea0a78edc500722a8f3ddb159ed260fd897de70751d219fe8

SHA512
cb4217a4b06e096dacce26f83b6673907d351da0ad1f1c9faf39887608897b1ecde837673a91ab2ff1f46eeaad42acfe4aea92f0131cf98d9e3e734cc00897f8

Download Submit
C:\Windows\{45C3D38E-849C-48aa-9343-A660CE3847A3}.exe

Filesize
180KB

MD5
153af5980d574537e7570cea26b5af0d

SHA1
1c392d3629ebc0257beba2b910de437f70bafcf4

SHA256
63105c1a54685ad2c59703a324fcf71166eb72c66217a62f0cc77b314ac7d22b

SHA512
5c3c74235478a41921d682486b7054ac56e7243aa525293e9b48906a1e9427fcf470dbb181d8d71392185984125c6c2466015cce5bde3b43b19d10bb9b6534b5

Download Submit
C:\Windows\{92986510-0583-47b0-BA18-C006532C509F}.exe

Filesize
180KB

MD5
2167433c5aa0aaa20dbd4c673d717d4b

SHA1
acc84099a689d33c9f45686233686d86135127ec

SHA256
ee10354e4da609cc524f7614531bada0280b22442bfa033a07aa5d3ed2020d75

SHA512
94b62384d93129fb0785d4112dc1bc54f64d624c39e74cd48bd21ea45064aa79c092bb17602f68c7ee2eef45e61c756a89bf7a9eabc212530e21d2fb252c4038

Download Submit
C:\Windows\{92D61B44-93A6-44bd-B719-A5F3D173B4C0}.exe

Filesize
180KB

MD5
b8203e7a6f5292e27cadc0414ddbebf5

SHA1
ce32936f5b5c22d971f25f0ec925475ae2664a64

SHA256
6d798d519ae0831fc0545a71154a907db2e78803917d03e6cda09916fc8dbfbd

SHA512
3ccd1777ebb9acdf6a3a59be8b42a49b147d6c7fded16d0c99a698575d49d4edbf4f72a41de1b035c3b83da5c6193ac32db1aeff42ca8c51325aa8de65220eae

Download Submit
C:\Windows\{97E40C63-E7DC-46c4-94CA-DB3BC40C06E2}.exe

Filesize
180KB

MD5
ca9ac465e4734d16c48eaea080a4a7b9

SHA1
b2191061894ceee248a7caa8eec510a8a8bc794c

SHA256
82981e35f56d07640316facb24f0f43521aaeadabb34a4b363ca87763357fceb

SHA512
1bff267aeef05195491fd92162698017ee35b7d0b8d59b0d76f1572f5d6cc8f552cfdc343f42cdf122523a6e8d7378246693903f286879e2af5b6ef15e68d962

Download Submit
C:\Windows\{BAF58892-E79F-43c7-9822-9675ACCEF1CA}.exe

Filesize
180KB

MD5
97ab97072736888d3a0b18aef9dbeed5

SHA1
d909cba5c72bfee9496f23ff91a86abbedb09b33

SHA256
3e5c71b0cc6d136cbfc47d34b5d56d8f91780aa51e8b68d9a2deda98c6eda50e

SHA512
4c9059419ecdd4a7289038962a7ef6dd4ca1abd4a9f854dc0c8208fc602cba6fb808f29a06bdd6bb8cbd2bfb50bf0211c96b08b8a74049ac476a92245481a1b2

Download Submit
C:\Windows\{C76E18C5-03AB-48e3-B0E3-78EEC3DC6ADC}.exe

Filesize
180KB

MD5
1b18eed3915b2c38ca54b6dcc3e19eca

SHA1
9c9d41b342a36b03fb5d04314cfac828dda3c724

SHA256
ecf148ce23cf1396f82447ef313886388f1a6806aae4213a64eaf1f442f2b8a0

SHA512
212494c2a68a6f2725360e39aeb7b44ad7ab4e21a7d72299a3430eb05c284639f57724317d6870d0f0e385e458d483564e2184c69c927956859e2a5e2580c6a0

Download Submit
C:\Windows\{CD7B5516-5F53-4144-A411-7224D7F396C4}.exe

Filesize
180KB

MD5
db36e19110bb5cc92c4ec6bd81b4509a

SHA1
cf7006a9a096ed9f9451689828eff6e42f3ea7e1

SHA256
0976e5d77000bd9bebfec721d8dd2ccab5e7470514bb0685c1c5f58e6fb22b80

SHA512
7fd3ac70fd739c650a7090669a41112d42a3dd99bc35be08e070bfddf12f98995989ccdce70417e224ec8c2e63044e313697ea2ef3edb023ecf0615b3b32ee69

Download Submit
C:\Windows\{D19340A1-FBA8-4d81-90A8-0A7833BD048E}.exe

Filesize
180KB

MD5
c278f56b5ac00ff4aaea998641d6d57a

SHA1
7c1378356a1f1836c632fc702580bf0cde96c50c

SHA256
c03b051936e8e7b9480a4a8f7531f3859985b108deacf53509d4f5360764585e

SHA512
790bdefc07fb4ba745d2c33f8c720a662b5ebccc8a79b14e6c444bf88bbf13fed96ada4f4870e842b4930a177ee047efcec9c20c8fc7e68453b22d2b93b2ea86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads