acf41f54055a08ad200b2f420fad05e89cca2e8946097dbd7649eb843d763fb3

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Size

344KB
MD5

3e86c949a48276e86bd116095e504d21
SHA1

ef5927059b67bf43fb82a2b752c6462e47966cb0
SHA256

acf41f54055a08ad200b2f420fad05e89cca2e8946097dbd7649eb843d763fb3
SHA512

e6c1961406427fca00cbff664b870beb3519529d4a92241af097142e3eb764093dd49ca3e2bd164ad1e5c87c733d4bae8d9865ee39f86183a68c12952070cc9d
SSDEEP

3072:mEGh0o2lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000155ed-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155f7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000155ed-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c6b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000155ed-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155ed-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000155ed-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C3259D-D892-4dc2-B38C-447F30156C9B}\stubpath = "C:\\Windows\\{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe"	{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}\stubpath = "C:\\Windows\\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe"	{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E75D9828-0C7F-4cf7-A49C-43A42754355A}\stubpath = "C:\\Windows\\{E75D9828-0C7F-4cf7-A49C-43A42754355A}.exe"	{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{855B22D3-573D-4a33-80BC-950092B1F907}	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}	{855B22D3-573D-4a33-80BC-950092B1F907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB216FCE-0B28-4515-83D0-1E8C98462402}\stubpath = "C:\\Windows\\{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe"	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FC30799-D805-49d1-BFFA-995982747BB2}	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FC30799-D805-49d1-BFFA-995982747BB2}\stubpath = "C:\\Windows\\{1FC30799-D805-49d1-BFFA-995982747BB2}.exe"	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}\stubpath = "C:\\Windows\\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe"	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C3259D-D892-4dc2-B38C-447F30156C9B}	{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}\stubpath = "C:\\Windows\\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe"	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7231F160-A304-4a35-9D1D-786925CB4E63}\stubpath = "C:\\Windows\\{7231F160-A304-4a35-9D1D-786925CB4E63}.exe"	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}\stubpath = "C:\\Windows\\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe"	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E75D9828-0C7F-4cf7-A49C-43A42754355A}	{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{855B22D3-573D-4a33-80BC-950092B1F907}\stubpath = "C:\\Windows\\{855B22D3-573D-4a33-80BC-950092B1F907}.exe"	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}\stubpath = "C:\\Windows\\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe"	{855B22D3-573D-4a33-80BC-950092B1F907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB216FCE-0B28-4515-83D0-1E8C98462402}	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7231F160-A304-4a35-9D1D-786925CB4E63}	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}	{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe
2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe
1784	{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
2052	{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe
268	{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe
568	{E75D9828-0C7F-4cf7-A49C-43A42754355A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	{855B22D3-573D-4a33-80BC-950092B1F907}.exe
File created	C:\Windows\{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
File created	C:\Windows\{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
File created	C:\Windows\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
File created	C:\Windows\{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe	{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
File created	C:\Windows\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe	{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe
File created	C:\Windows\{E75D9828-0C7F-4cf7-A49C-43A42754355A}.exe	{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe
File created	C:\Windows\{855B22D3-573D-4a33-80BC-950092B1F907}.exe	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
File created	C:\Windows\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
File created	C:\Windows\{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
File created	C:\Windows\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe
Token: SeIncBasePriorityPrivilege	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
Token: SeIncBasePriorityPrivilege	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
Token: SeIncBasePriorityPrivilege	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
Token: SeIncBasePriorityPrivilege	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
Token: SeIncBasePriorityPrivilege	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
Token: SeIncBasePriorityPrivilege	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe
Token: SeIncBasePriorityPrivilege	1784	{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
Token: SeIncBasePriorityPrivilege	2052	{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe
Token: SeIncBasePriorityPrivilege	268	{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2408	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	28
PID 2240 wrote to memory of 2408	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	28
PID 2240 wrote to memory of 2408	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	28
PID 2240 wrote to memory of 2408	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	28
PID 2240 wrote to memory of 2564	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	29
PID 2240 wrote to memory of 2564	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	29
PID 2240 wrote to memory of 2564	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	29
PID 2240 wrote to memory of 2564	2240	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	29
PID 2408 wrote to memory of 2676	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	30
PID 2408 wrote to memory of 2676	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	30
PID 2408 wrote to memory of 2676	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	30
PID 2408 wrote to memory of 2676	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	30
PID 2408 wrote to memory of 2604	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	31
PID 2408 wrote to memory of 2604	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	31
PID 2408 wrote to memory of 2604	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	31
PID 2408 wrote to memory of 2604	2408	{855B22D3-573D-4a33-80BC-950092B1F907}.exe	31
PID 2676 wrote to memory of 2748	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	32
PID 2676 wrote to memory of 2748	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	32
PID 2676 wrote to memory of 2748	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	32
PID 2676 wrote to memory of 2748	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	32
PID 2676 wrote to memory of 2608	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	33
PID 2676 wrote to memory of 2608	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	33
PID 2676 wrote to memory of 2608	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	33
PID 2676 wrote to memory of 2608	2676	{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe	33
PID 2748 wrote to memory of 2212	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	36
PID 2748 wrote to memory of 2212	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	36
PID 2748 wrote to memory of 2212	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	36
PID 2748 wrote to memory of 2212	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	36
PID 2748 wrote to memory of 1956	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	37
PID 2748 wrote to memory of 1956	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	37
PID 2748 wrote to memory of 1956	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	37
PID 2748 wrote to memory of 1956	2748	{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe	37
PID 2212 wrote to memory of 1768	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	38
PID 2212 wrote to memory of 1768	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	38
PID 2212 wrote to memory of 1768	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	38
PID 2212 wrote to memory of 1768	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	38
PID 2212 wrote to memory of 808	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	39
PID 2212 wrote to memory of 808	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	39
PID 2212 wrote to memory of 808	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	39
PID 2212 wrote to memory of 808	2212	{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe	39
PID 1768 wrote to memory of 2532	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	40
PID 1768 wrote to memory of 2532	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	40
PID 1768 wrote to memory of 2532	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	40
PID 1768 wrote to memory of 2532	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	40
PID 1768 wrote to memory of 1668	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	41
PID 1768 wrote to memory of 1668	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	41
PID 1768 wrote to memory of 1668	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	41
PID 1768 wrote to memory of 1668	1768	{1FC30799-D805-49d1-BFFA-995982747BB2}.exe	41
PID 2532 wrote to memory of 2560	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	42
PID 2532 wrote to memory of 2560	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	42
PID 2532 wrote to memory of 2560	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	42
PID 2532 wrote to memory of 2560	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	42
PID 2532 wrote to memory of 1932	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	43
PID 2532 wrote to memory of 1932	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	43
PID 2532 wrote to memory of 1932	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	43
PID 2532 wrote to memory of 1932	2532	{7231F160-A304-4a35-9D1D-786925CB4E63}.exe	43
PID 2560 wrote to memory of 1784	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	44
PID 2560 wrote to memory of 1784	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	44
PID 2560 wrote to memory of 1784	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	44
PID 2560 wrote to memory of 1784	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	44
PID 2560 wrote to memory of 2796	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	45
PID 2560 wrote to memory of 2796	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	45
PID 2560 wrote to memory of 2796	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	45
PID 2560 wrote to memory of 2796	2560	{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{855B22D3-573D-4a33-80BC-950092B1F907}.exe
  C:\Windows\{855B22D3-573D-4a33-80BC-950092B1F907}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
    C:\Windows\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
      C:\Windows\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
        
        C:\Windows\{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
        
        C:\Windows\{1FC30799-D805-49d1-BFFA-995982747BB2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
        
        C:\Windows\{7231F160-A304-4a35-9D1D-786925CB4E63}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe
        
        C:\Windows\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
        
        C:\Windows\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe
        
        C:\Windows\{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe
        
        C:\Windows\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{E75D9828-0C7F-4cf7-A49C-43A42754355A}.exe
        
        C:\Windows\{E75D9828-0C7F-4cf7-A49C-43A42754355A}.exe
        12⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F383~1.EXE > nul
        12⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40C32~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24EF5~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7494~1.EXE > nul
        9⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7231F~1.EXE > nul
        8⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FC30~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB216~1.EXE > nul
        6⤵
        
        PID:808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C2D9~1.EXE > nul
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11C95~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{855B2~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11C95B3F-1F47-4e86-9659-2AFB1600BEB2}.exe

Filesize
344KB

MD5
355104ef37872d4419faae6edc9aaa18

SHA1
069d63059bede998f5a72e369acbd3abab9226e8

SHA256
540a50f1be3a0997f2334139b41872fda18364f5f9f54c111a807fee08986d14

SHA512
80b44c9bf7dc58b04756b58ed40fada36ff7f49003e60242d87fb8655e7c3f5183cde016162b3b349b5937b4185928821348970bbf9d6127bc94a5c4f7310913

Download Submit
C:\Windows\{1FC30799-D805-49d1-BFFA-995982747BB2}.exe

Filesize
344KB

MD5
acbd215d997667bc4dcb9bb2feacf4ba

SHA1
d62d9014f994aa1e31b73de5b2956dffa3ad1a72

SHA256
34453d54fcad75d7835bf33d0950e8473a307fe249e79631bdf610102150d5f6

SHA512
7b8a2bc259e20374467ba0a90b36a24079e82d7ab693f4e3c053a4325f96b56c82dff16b473c810e3e781e08b529587c7d3b45d3766ec79c348cbf0f0322822a

Download Submit
C:\Windows\{24EF5446-48FE-4978-AE96-9D7F5C1F5758}.exe

Filesize
344KB

MD5
2780638876e9c53382e12e685bc36729

SHA1
715749c0a1db41dbfe8a88dd07873a37c281456f

SHA256
ac95d29ccb5433774747cd8f91843fe152a1a69b8835188ad9a5c08a59d65b65

SHA512
7a4743b56f0b52ffc76cc384b484e3803707b00741b667717ea2bb2896c8e790acd2e10d3a4dc664a3237b6a6ba788c6ccfe602e35b7dc67bcfffe8a5440f9c4

Download Submit
C:\Windows\{2C2D9072-EE1C-4d3d-B8C6-DB8E38895AEC}.exe

Filesize
344KB

MD5
49fef0d8855654dc8630e4109f879153

SHA1
8ed85a899f9ce7149e7b3e9fbb339a87e6bdb197

SHA256
5ce174ed60d7f079e3ef54d6b3aa6b7e744998c217cda708f44d18eb6630f84a

SHA512
eb6e14b2dff4182c3176810674eba2f616f1d50fc017e83932e9103bc5a85a8271424cb8ad9fee9c039b0e91a82c4fddfe64993749f93e82aa31c332e3d5e3c8

Download Submit
C:\Windows\{2F38309F-B982-4246-BDE4-3B1503FA0CAC}.exe

Filesize
344KB

MD5
195d3b1989dffcec1d8f6a24a5b478b5

SHA1
9f2850933894190f69e0f42dfe916ec9595eac3d

SHA256
9c27bb17cbee4968c3cc526108b85951f8f8be21e54aebb013a0aeb08f1a79b3

SHA512
93c36ba8beaa448175a881b25738d2d34411f31d26b51952230d14c16c374b21954a4f122bc4bff27a5e4a04752a9cfd1d577058e04f48f97f61a9db907fd38a

Download Submit
C:\Windows\{40C3259D-D892-4dc2-B38C-447F30156C9B}.exe

Filesize
344KB

MD5
faae420c20bb7ae64a751f21c803d0df

SHA1
ca35d6cdc104a0c4411aff6c70c4a41573b5bd25

SHA256
805696271203e281d03cb7fead61772ebe5efa80532e69d8fc8ae766ff79e8ca

SHA512
28f7d85d345d6e4683c5eaef1ee8bbe1ee068db8ff354912d002f0d7f3cf10a55248a9c03f82af990ddff1e54cf1940b852af1bb69a404cd4f1d01e6e90c11ef

Download Submit
C:\Windows\{7231F160-A304-4a35-9D1D-786925CB4E63}.exe

Filesize
344KB

MD5
9a17c45fa83cbcd288ef648f9900312d

SHA1
dcd30305ea4c77b5cfa7207de3a58f09ad3c84b9

SHA256
3eb7000ba0c7a628b649b29195d170d69b42450a658f74dcd3635047a8bf0532

SHA512
bc001c6d572fe61de9cafd467c869787ea0a4251012e9d277640b31c53cc08fa6c305bea98917629e065abd0abc69e71d3ab2068c3c5c69cd2b1ca67886f45f5

Download Submit
C:\Windows\{855B22D3-573D-4a33-80BC-950092B1F907}.exe

Filesize
344KB

MD5
84e4e6f450866d4d0709eb38088a3efa

SHA1
653161f61b9bd50c0d069a6fa6cf4a7877f54fa6

SHA256
6ec6260f019a15577a580dabad818185567d29a241ef0aee1e78ecf85d04442a

SHA512
cc3f6e072ddc8384e8a70d95ae8069b82b7a0c07ca318718cb57abba3301e822211cb2f047b448ceb84e41fc45c7bfb350bfacf6397f245971273f80c2df3bf1

Download Submit
C:\Windows\{C749493C-85F8-44e1-9ABE-BEECE8AD274A}.exe

Filesize
344KB

MD5
872207eb1cb600702a28a689a9e680fc

SHA1
9fb247608f8691778220edcc1f99faa588eb468d

SHA256
20e895cbf5f3fe98596ee5e2522f63fa7696e800efae00f4b55c45bcb708950b

SHA512
27a2984821f6868b60a057ff87de911744e83c9ace121dca866c1b3dd80e0fb095a14eb4c8ea24fd951eb8e38dafd9331ebfacffcc2160de81b124d2474b31a3

Download Submit
C:\Windows\{CB216FCE-0B28-4515-83D0-1E8C98462402}.exe

Filesize
344KB

MD5
805a38fcae90642a0576442d34c6df48

SHA1
5214d397f4943d2fbe9d538c16dcf748cff6352d

SHA256
db1f070586075cfe03d85c197e9e5636021731b18dcb5b69a6cebdb5b068741f

SHA512
8552fa35d10dd6bb60759a2d4fb8a65c8e408cda45660475a8febb8932aa8637203787480af63e30c9de5917558a753960d17684728bf1f3129b721947e75376

Download Submit
C:\Windows\{E75D9828-0C7F-4cf7-A49C-43A42754355A}.exe

Filesize
344KB

MD5
27eb36302fad4747a9ca5e432e7ae5fb

SHA1
51a7b6e06189768c05e4fa3f4bec2bdb3ab2a202

SHA256
a6b58d03aee3fa1fc05e3a42dee899d907d12f106267cc527e266380ecdd91ed

SHA512
1ac6af716154ab99dcf4e74842dab9b5e5890e7a8835592754026c4adc761c22355e5c55ded46d7c0c9b7aac12ea54c4b211fa00fcbec648242ddc45c59613b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads