59c6f9237974330c5d78fb64fdf26d2a2b801f84fafd949695fbfb6cd75e981c

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 11:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe
Size

168KB
MD5

e461a27046df3b00d7bf44cb7a094218
SHA1

a9c382eec066b6ca12ddd07c3d27242924991415
SHA256

59c6f9237974330c5d78fb64fdf26d2a2b801f84fafd949695fbfb6cd75e981c
SHA512

0098536cdae73b66836db70763e2f7f33cbaa97c574c38310e22d355b696c6377b22c160bcaab121137ce65ddb1e5752f6ea9d830fd9d62abff3673df7501944
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c9a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015cb1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c9a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d0a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c9a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c9a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c9a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C04C6624-0919-494d-84A6-997A87C72263}	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}\stubpath = "C:\\Windows\\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe"	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C04C6624-0919-494d-84A6-997A87C72263}\stubpath = "C:\\Windows\\{C04C6624-0919-494d-84A6-997A87C72263}.exe"	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0212C50-8629-4ebd-861F-25488AF0B695}	{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}	{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ECD00A4-5BCD-459e-A109-484246212FE9}\stubpath = "C:\\Windows\\{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe"	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}\stubpath = "C:\\Windows\\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe"	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A75987-1106-4d4e-B9DA-D30031150281}\stubpath = "C:\\Windows\\{17A75987-1106-4d4e-B9DA-D30031150281}.exe"	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FF3E985-70A5-4310-8D39-3E127133F551}\stubpath = "C:\\Windows\\{9FF3E985-70A5-4310-8D39-3E127133F551}.exe"	{17A75987-1106-4d4e-B9DA-D30031150281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}\stubpath = "C:\\Windows\\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}.exe"	{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FF3E985-70A5-4310-8D39-3E127133F551}	{17A75987-1106-4d4e-B9DA-D30031150281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{763DE01C-D66E-4145-93C4-7DBB783FC013}	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{763DE01C-D66E-4145-93C4-7DBB783FC013}\stubpath = "C:\\Windows\\{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe"	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ECD00A4-5BCD-459e-A109-484246212FE9}	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}	{C04C6624-0919-494d-84A6-997A87C72263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}\stubpath = "C:\\Windows\\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe"	{C04C6624-0919-494d-84A6-997A87C72263}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A75987-1106-4d4e-B9DA-D30031150281}	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0212C50-8629-4ebd-861F-25488AF0B695}\stubpath = "C:\\Windows\\{D0212C50-8629-4ebd-861F-25488AF0B695}.exe"	{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}	{D0212C50-8629-4ebd-861F-25488AF0B695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}\stubpath = "C:\\Windows\\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe"	{D0212C50-8629-4ebd-861F-25488AF0B695}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe
2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe
1332	{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
2344	{D0212C50-8629-4ebd-861F-25488AF0B695}.exe
608	{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe
2384	{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe
File created	C:\Windows\{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
File created	C:\Windows\{9FF3E985-70A5-4310-8D39-3E127133F551}.exe	{17A75987-1106-4d4e-B9DA-D30031150281}.exe
File created	C:\Windows\{D0212C50-8629-4ebd-861F-25488AF0B695}.exe	{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
File created	C:\Windows\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}.exe	{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe
File created	C:\Windows\{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
File created	C:\Windows\{C04C6624-0919-494d-84A6-997A87C72263}.exe	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
File created	C:\Windows\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	{C04C6624-0919-494d-84A6-997A87C72263}.exe
File created	C:\Windows\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
File created	C:\Windows\{17A75987-1106-4d4e-B9DA-D30031150281}.exe	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
File created	C:\Windows\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe	{D0212C50-8629-4ebd-861F-25488AF0B695}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
Token: SeIncBasePriorityPrivilege	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
Token: SeIncBasePriorityPrivilege	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
Token: SeIncBasePriorityPrivilege	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe
Token: SeIncBasePriorityPrivilege	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
Token: SeIncBasePriorityPrivilege	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
Token: SeIncBasePriorityPrivilege	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe
Token: SeIncBasePriorityPrivilege	1332	{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
Token: SeIncBasePriorityPrivilege	2344	{D0212C50-8629-4ebd-861F-25488AF0B695}.exe
Token: SeIncBasePriorityPrivilege	608	{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2504	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	28
PID 1992 wrote to memory of 2504	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	28
PID 1992 wrote to memory of 2504	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	28
PID 1992 wrote to memory of 2504	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	28
PID 1992 wrote to memory of 2612	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	29
PID 1992 wrote to memory of 2612	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	29
PID 1992 wrote to memory of 2612	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	29
PID 1992 wrote to memory of 2612	1992	2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe	29
PID 2504 wrote to memory of 2648	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	30
PID 2504 wrote to memory of 2648	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	30
PID 2504 wrote to memory of 2648	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	30
PID 2504 wrote to memory of 2648	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	30
PID 2504 wrote to memory of 1960	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	31
PID 2504 wrote to memory of 1960	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	31
PID 2504 wrote to memory of 1960	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	31
PID 2504 wrote to memory of 1960	2504	{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe	31
PID 2648 wrote to memory of 2564	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	32
PID 2648 wrote to memory of 2564	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	32
PID 2648 wrote to memory of 2564	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	32
PID 2648 wrote to memory of 2564	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	32
PID 2648 wrote to memory of 2460	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	33
PID 2648 wrote to memory of 2460	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	33
PID 2648 wrote to memory of 2460	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	33
PID 2648 wrote to memory of 2460	2648	{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe	33
PID 2564 wrote to memory of 1864	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	36
PID 2564 wrote to memory of 1864	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	36
PID 2564 wrote to memory of 1864	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	36
PID 2564 wrote to memory of 1864	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	36
PID 2564 wrote to memory of 1860	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	37
PID 2564 wrote to memory of 1860	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	37
PID 2564 wrote to memory of 1860	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	37
PID 2564 wrote to memory of 1860	2564	{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe	37
PID 1864 wrote to memory of 2372	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	38
PID 1864 wrote to memory of 2372	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	38
PID 1864 wrote to memory of 2372	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	38
PID 1864 wrote to memory of 2372	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	38
PID 1864 wrote to memory of 2324	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	39
PID 1864 wrote to memory of 2324	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	39
PID 1864 wrote to memory of 2324	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	39
PID 1864 wrote to memory of 2324	1864	{C04C6624-0919-494d-84A6-997A87C72263}.exe	39
PID 2372 wrote to memory of 2300	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	40
PID 2372 wrote to memory of 2300	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	40
PID 2372 wrote to memory of 2300	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	40
PID 2372 wrote to memory of 2300	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	40
PID 2372 wrote to memory of 2316	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	41
PID 2372 wrote to memory of 2316	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	41
PID 2372 wrote to memory of 2316	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	41
PID 2372 wrote to memory of 2316	2372	{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe	41
PID 2300 wrote to memory of 876	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	42
PID 2300 wrote to memory of 876	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	42
PID 2300 wrote to memory of 876	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	42
PID 2300 wrote to memory of 876	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	42
PID 2300 wrote to memory of 860	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	43
PID 2300 wrote to memory of 860	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	43
PID 2300 wrote to memory of 860	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	43
PID 2300 wrote to memory of 860	2300	{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe	43
PID 876 wrote to memory of 1332	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	44
PID 876 wrote to memory of 1332	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	44
PID 876 wrote to memory of 1332	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	44
PID 876 wrote to memory of 1332	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	44
PID 876 wrote to memory of 1700	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	45
PID 876 wrote to memory of 1700	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	45
PID 876 wrote to memory of 1700	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	45
PID 876 wrote to memory of 1700	876	{17A75987-1106-4d4e-B9DA-D30031150281}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_e461a27046df3b00d7bf44cb7a094218_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
  C:\Windows\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
    C:\Windows\{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
      C:\Windows\{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{C04C6624-0919-494d-84A6-997A87C72263}.exe
        
        C:\Windows\{C04C6624-0919-494d-84A6-997A87C72263}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
        
        C:\Windows\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
        
        C:\Windows\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{17A75987-1106-4d4e-B9DA-D30031150281}.exe
        
        C:\Windows\{17A75987-1106-4d4e-B9DA-D30031150281}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
        
        C:\Windows\{9FF3E985-70A5-4310-8D39-3E127133F551}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\{D0212C50-8629-4ebd-861F-25488AF0B695}.exe
        
        C:\Windows\{D0212C50-8629-4ebd-861F-25488AF0B695}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe
        
        C:\Windows\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}.exe
        
        C:\Windows\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E90F0~1.EXE > nul
        12⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0212~1.EXE > nul
        11⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FF3E~1.EXE > nul
        10⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A75~1.EXE > nul
        9⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC0B~1.EXE > nul
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FED4A~1.EXE > nul
        7⤵
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C04C6~1.EXE > nul
        6⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ECD0~1.EXE > nul
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{763DE~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B536~1.EXE > nul
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17A75987-1106-4d4e-B9DA-D30031150281}.exe

Filesize
168KB

MD5
2dd90922118d8dbd3d2b41ebc07dc188

SHA1
15eef00d9e0c203dd369b195db0f3693eb1a83d9

SHA256
95ba4f2cc0d13297b770294918d64c01b9897e86a4570078e58742fb694fc501

SHA512
45edc054c72df6ae054be5740962af4f180a3cedceeed56fdb7e42e6ea18109224df4373aadc7f1f7b7e39915a64e97c33543d2a87e836586a7baded4cd29483

Download Submit
C:\Windows\{2B536EB5-B6B4-415c-99A1-A4BB0C9E05E8}.exe

Filesize
168KB

MD5
9bdd0c3fbeb5d75cfe3da371d937075e

SHA1
a32ecadb6c680734daa66f6fca180a1a7fd2c880

SHA256
33c71b9af02fff0d95e838962db2f7dbe882098680062ed7310d5d4b94921ceb

SHA512
69562c2b92d6986c7018c9aa3a0c217caac679b719b0add4a072e5cc52f56032dc8e249875951c487fe09b7d07540b08294a37ff06278a571a2968abb6cd94a3

Download Submit
C:\Windows\{41BE209D-19D6-4f43-B2D5-53028D3EB5FA}.exe

Filesize
168KB

MD5
8a0bf8ec1762cb09e0e16c176b5b98fe

SHA1
d135eb4b6b825349c47e266d8b1b58c124b65c57

SHA256
c2f21d6b790e1a8d80cb1767ce54837fc6d7a2f0d0ff7d699ead6318a7402e2f

SHA512
dbb5a87af5fca0ad7cacb58ee14798e9eb0a539f1ad969c9aec5ab55813f97ce825047f2f304d3e7d2a610abef6f00fa46ec766d78d8e168562728e8ff8fac11

Download Submit
C:\Windows\{6ECD00A4-5BCD-459e-A109-484246212FE9}.exe

Filesize
168KB

MD5
c0a71d07bf292c03a8ae70c3fabc35e0

SHA1
28740a47f75fd009ec97ffaea125bf539e67591f

SHA256
a20e1e0137ff14eec4a97ff3b676907cbb80533ca7244a3059e044409570dcda

SHA512
9df966976475c30b1daae524fa4dda2af36ffa222b5383680c23689db988f6ce22f2adfcce71e340189fc60a303aff75a1877f89a2e33dd9da8e8c67b190d9f7

Download Submit
C:\Windows\{763DE01C-D66E-4145-93C4-7DBB783FC013}.exe

Filesize
168KB

MD5
b2960996c87b7e146a9dc66116135328

SHA1
72d628baab216251ac18204c7ecc0b0491d442ba

SHA256
98b46bada1e5d1da3c29f543c893f28bcb2032325e1715649a0675b9995480df

SHA512
127ffb7c69a229eb5884e4eeb1b28e9358213f13904c6021c2a11b6a390c801d6b99e4ade32335422781d8fed968996314db5427765fe3d5366e2826144de8b6

Download Submit
C:\Windows\{9FF3E985-70A5-4310-8D39-3E127133F551}.exe

Filesize
168KB

MD5
40ae2d8a07771b1a07dcca5965f5821c

SHA1
624b669bbd5510a90d8c498c60b752111c1a73c0

SHA256
3d988e1278f5637e86f80a154488f6ebd5db8356299d41c5ee2d182f9ce29f30

SHA512
ff0c41cb15a261b3f0dd9627a5bebca6ec99e5fa610c231f4e3b1cbb4fb9586ee3b61b84fa5bfabb3bab22e9996482c8eff75f63aae3b8be8b840fcd464ecf69

Download Submit
C:\Windows\{C04C6624-0919-494d-84A6-997A87C72263}.exe

Filesize
168KB

MD5
ff26bd33a742e0f1edee435c574419ac

SHA1
bdf3b799c6773ed3ce0008f51eb2a4e349c51074

SHA256
041cbaea3c90babd53f3fe18d051ac81979888dfa755f5886c80dedb83ed1ff6

SHA512
f363609ad6de253ae715d9fffece1cf5e34db8a2995225d60c7f7f43f3bbc8f83a3df0f7cbbd1a1aea26ffce2bbbd3566ef0c5806546bbe7ea6777bd6b9bc46f

Download Submit
C:\Windows\{CBC0B5A0-3623-4ebf-931E-83606D9BDD58}.exe

Filesize
168KB

MD5
29de0bf0f4f1dbbadd188fa1252e9186

SHA1
0741dee08d2c5effe0a4bc0f0d1c512c9840294c

SHA256
27317ea27bf3549adce46d2ce65eb89c89323c42bc020c12fd8e8ba21f515730

SHA512
933bf83ee76a600dbcc745bfd7cb9fe3022052fbfaf25746c37a990136e38b1e0ea1ad74b71e24e3acde2f6b0866bb18f81f92f9d8ed7b9fcbfbe75473babc34

Download Submit
C:\Windows\{D0212C50-8629-4ebd-861F-25488AF0B695}.exe

Filesize
168KB

MD5
e608aa4d3c3159bfa4818f5009847a15

SHA1
297f0e53450986feb69c87bac0960b1decc320bc

SHA256
de8d6651aec2aebe2319c1a1e3618a76a95a38c497203ced5e883ac194cd4fe3

SHA512
34c5c1d6e79c9caf16de7642038b1c25463b76623bc95b7b878741005362c8b1c58b665f9c0085eeb4e977aef83b252af24328b7c8774c3604766f0d52eefd89

Download Submit
C:\Windows\{E90F0775-A983-4f5e-B8C0-943EB6838AE6}.exe

Filesize
168KB

MD5
57d9f9f345420d861ab0a1f693b677c9

SHA1
fd31dff867a3fa417881515830a9918a5cc9cb81

SHA256
c68c3cc152ec44be3dd6a71a7c5d49a0c2b173d04c841e294dfeba30d5ac4fda

SHA512
87aa951077d917d5f27884b1210deb8d4f77f7da04c79501f5936737f3228a25f2b39733c94a5fc00f57d8dbcf025c2febbf2ab3b71fd99c1564de74e2edd41d

Download Submit
C:\Windows\{FED4A356-F97D-4451-BC91-BFD4A254BDCE}.exe

Filesize
168KB

MD5
8f967061e7b94fb08ba1a289aac8da30

SHA1
75df908b58c77ef39515ee2068c952b0d4f03e7c

SHA256
e1b5ae3750824f84d8d6f2eaadedce982323b959b4acc0360d9a2ca5d3673ef3

SHA512
533e2d5f6a1cc42aaae8af0a880b2f46d21898168685e2fdfa415623cba463d0eb5f37f08f679b94846b86568a9c460fef754b0797e18aac6748dbafb5c6b1da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads