6c14b9755b06164e53a423efc5b8b32cfada1fb551766b5ee75b972d34f6c069

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe
Size

408KB
MD5

2df8121c536b4717a47d01a993065428
SHA1

3224f54a4c4a5b069083f8d8dc55ce87d405394a
SHA256

6c14b9755b06164e53a423efc5b8b32cfada1fb551766b5ee75b972d34f6c069
SHA512

4f5213f673948fe5a2b94279c4ed637549df84acf118c4f735012c221b9bc49719afa3458efe9b690644df0ba99fd32810073527c123e9d12500e6bcf68436bd
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG3ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012252-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001231c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012252-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012252-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B586F20-9284-4421-ADED-D38ADE560CFF}\stubpath = "C:\\Windows\\{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe"	{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}\stubpath = "C:\\Windows\\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}.exe"	{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C008437-90FC-4866-9CF9-B221363A1006}	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}\stubpath = "C:\\Windows\\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe"	{0C008437-90FC-4866-9CF9-B221363A1006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5197359A-7182-4ebf-A6AC-4751580B169C}\stubpath = "C:\\Windows\\{5197359A-7182-4ebf-A6AC-4751580B169C}.exe"	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B3261C-FE80-4636-81E2-6C67849CBADF}	{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}	{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50C366B-A4E5-44cf-8557-B28BCCC41711}	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C008437-90FC-4866-9CF9-B221363A1006}\stubpath = "C:\\Windows\\{0C008437-90FC-4866-9CF9-B221363A1006}.exe"	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}\stubpath = "C:\\Windows\\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe"	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5197359A-7182-4ebf-A6AC-4751580B169C}	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}\stubpath = "C:\\Windows\\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe"	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B3261C-FE80-4636-81E2-6C67849CBADF}\stubpath = "C:\\Windows\\{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe"	{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50C366B-A4E5-44cf-8557-B28BCCC41711}\stubpath = "C:\\Windows\\{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe"	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}	{0C008437-90FC-4866-9CF9-B221363A1006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9CF882D-D11D-4716-A9F8-D7720EED503C}	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9CF882D-D11D-4716-A9F8-D7720EED503C}\stubpath = "C:\\Windows\\{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe"	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}\stubpath = "C:\\Windows\\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe"	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B586F20-9284-4421-ADED-D38ADE560CFF}	{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe
2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe
2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
1128	{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
2040	{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe
692	{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe
1356	{9D907FB8-1CBA-455d-8A72-3113CD4BF399}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	{0C008437-90FC-4866-9CF9-B221363A1006}.exe
File created	C:\Windows\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
File created	C:\Windows\{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe	{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
File created	C:\Windows\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}.exe	{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe
File created	C:\Windows\{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
File created	C:\Windows\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
File created	C:\Windows\{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe	{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe
File created	C:\Windows\{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe
File created	C:\Windows\{0C008437-90FC-4866-9CF9-B221363A1006}.exe	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
File created	C:\Windows\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
File created	C:\Windows\{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
Token: SeIncBasePriorityPrivilege	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe
Token: SeIncBasePriorityPrivilege	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
Token: SeIncBasePriorityPrivilege	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe
Token: SeIncBasePriorityPrivilege	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
Token: SeIncBasePriorityPrivilege	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
Token: SeIncBasePriorityPrivilege	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
Token: SeIncBasePriorityPrivilege	1128	{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
Token: SeIncBasePriorityPrivilege	2040	{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe
Token: SeIncBasePriorityPrivilege	692	{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2968	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	28
PID 2700 wrote to memory of 2968	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	28
PID 2700 wrote to memory of 2968	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	28
PID 2700 wrote to memory of 2968	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	28
PID 2700 wrote to memory of 2632	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	29
PID 2700 wrote to memory of 2632	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	29
PID 2700 wrote to memory of 2632	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	29
PID 2700 wrote to memory of 2632	2700	2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe	29
PID 2968 wrote to memory of 2120	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	30
PID 2968 wrote to memory of 2120	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	30
PID 2968 wrote to memory of 2120	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	30
PID 2968 wrote to memory of 2120	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	30
PID 2968 wrote to memory of 2708	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	31
PID 2968 wrote to memory of 2708	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	31
PID 2968 wrote to memory of 2708	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	31
PID 2968 wrote to memory of 2708	2968	{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe	31
PID 2120 wrote to memory of 2604	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	32
PID 2120 wrote to memory of 2604	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	32
PID 2120 wrote to memory of 2604	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	32
PID 2120 wrote to memory of 2604	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	32
PID 2120 wrote to memory of 2484	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	33
PID 2120 wrote to memory of 2484	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	33
PID 2120 wrote to memory of 2484	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	33
PID 2120 wrote to memory of 2484	2120	{0C008437-90FC-4866-9CF9-B221363A1006}.exe	33
PID 2604 wrote to memory of 2132	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	36
PID 2604 wrote to memory of 2132	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	36
PID 2604 wrote to memory of 2132	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	36
PID 2604 wrote to memory of 2132	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	36
PID 2604 wrote to memory of 2308	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	37
PID 2604 wrote to memory of 2308	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	37
PID 2604 wrote to memory of 2308	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	37
PID 2604 wrote to memory of 2308	2604	{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe	37
PID 2132 wrote to memory of 2328	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	38
PID 2132 wrote to memory of 2328	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	38
PID 2132 wrote to memory of 2328	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	38
PID 2132 wrote to memory of 2328	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	38
PID 2132 wrote to memory of 800	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	39
PID 2132 wrote to memory of 800	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	39
PID 2132 wrote to memory of 800	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	39
PID 2132 wrote to memory of 800	2132	{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe	39
PID 2328 wrote to memory of 1792	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	40
PID 2328 wrote to memory of 1792	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	40
PID 2328 wrote to memory of 1792	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	40
PID 2328 wrote to memory of 1792	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	40
PID 2328 wrote to memory of 2388	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	41
PID 2328 wrote to memory of 2388	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	41
PID 2328 wrote to memory of 2388	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	41
PID 2328 wrote to memory of 2388	2328	{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe	41
PID 1792 wrote to memory of 1588	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	42
PID 1792 wrote to memory of 1588	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	42
PID 1792 wrote to memory of 1588	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	42
PID 1792 wrote to memory of 1588	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	42
PID 1792 wrote to memory of 1972	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	43
PID 1792 wrote to memory of 1972	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	43
PID 1792 wrote to memory of 1972	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	43
PID 1792 wrote to memory of 1972	1792	{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe	43
PID 1588 wrote to memory of 1128	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	44
PID 1588 wrote to memory of 1128	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	44
PID 1588 wrote to memory of 1128	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	44
PID 1588 wrote to memory of 1128	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	44
PID 1588 wrote to memory of 2824	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	45
PID 1588 wrote to memory of 2824	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	45
PID 1588 wrote to memory of 2824	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	45
PID 1588 wrote to memory of 2824	1588	{5197359A-7182-4ebf-A6AC-4751580B169C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_2df8121c536b4717a47d01a993065428_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
  C:\Windows\{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{0C008437-90FC-4866-9CF9-B221363A1006}.exe
    C:\Windows\{0C008437-90FC-4866-9CF9-B221363A1006}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
      C:\Windows\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe
        
        C:\Windows\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
        
        C:\Windows\{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
        
        C:\Windows\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
        
        C:\Windows\{5197359A-7182-4ebf-A6AC-4751580B169C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
        
        C:\Windows\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe
        
        C:\Windows\{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe
        
        C:\Windows\{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}.exe
        
        C:\Windows\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}.exe
        12⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B586~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57B32~1.EXE > nul
        11⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5C20~1.EXE > nul
        10⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51973~1.EXE > nul
        9⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE72C~1.EXE > nul
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9CF8~1.EXE > nul
        7⤵
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D69B~1.EXE > nul
        6⤵
        
        PID:800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2E80~1.EXE > nul
        5⤵
        
        PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0C008~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C50C3~1.EXE > nul
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C008437-90FC-4866-9CF9-B221363A1006}.exe

Filesize
408KB

MD5
2b1ec44a68e54c630fed958d0b9272f0

SHA1
d5ef4157f55bdc1073dab9c04b74df1050543fff

SHA256
bb4ea496a91351e6ca6269440fee3f98b6d530a38d6133a85a9bf8eee444d092

SHA512
3337e1e1814a3ded20fca06d731a413579996798fbea5b91fe3949bee0dde034a02aa51296ae2ca033e3278d5bd80f6ea42b5890694d17643a245fc77bb66641

Download Submit
C:\Windows\{3B586F20-9284-4421-ADED-D38ADE560CFF}.exe

Filesize
408KB

MD5
01fc85f15587400005281096a523c43f

SHA1
128617d3572ac2bde1c4122f063e51b325618b25

SHA256
7f3b769aed1e1f26fbd3c2e8e0f9ca7d1882cc00e4160a915beb4c059f5f9daa

SHA512
b4e3a3ece8ce9f40ac0b1371541045ecec2a9134481ba04bbbba1f4191c1e55b1b1d2a049abce8384cc7ea170b26f69ba163a0e921c21e9e12c5fab093d02a14

Download Submit
C:\Windows\{5197359A-7182-4ebf-A6AC-4751580B169C}.exe

Filesize
408KB

MD5
9816487def5f436006186264c93f167e

SHA1
6e8ffc5511f82fa3e6b48b7a75fc9c7118366173

SHA256
b8a3511ddf2ce9574ee70e518476078b24547a2a0bba74c8ecaa8325adfbbdfe

SHA512
cd77d369da14bbb2c56e6db08c6d9036bb7bbe9930d2a0399aba899235a293dd703e4bcfd0e102b73a425ce4f884a94a9d2e2ab3f57a25ad7cdbc3dc1d7ffc86

Download Submit
C:\Windows\{57B3261C-FE80-4636-81E2-6C67849CBADF}.exe

Filesize
408KB

MD5
2ad07f7d075a8735c6ad57e46c0a40dc

SHA1
87abc8f82388f67afafb2bd24cd209631e15e0e9

SHA256
7214433fd2f4630c1bfca92ec6c9bc35ac41776bdc221d12bc621dad52dc3b78

SHA512
ac82ff6ecb42282a061612c16133ba95c9e4dbfe5c5453926ce98ecc750b096b987ea8c0fe8f7a8d4aa169529887cdd2a01adb7ae5fd3f3ab4dc13f5b82de855

Download Submit
C:\Windows\{9D69BDA6-EAA0-4f35-8C6A-B208D1F938C3}.exe

Filesize
408KB

MD5
d1a3be63d8d6e9b9c4b9f618a7e1fe1a

SHA1
8401294953923ae651b0428d4cbce84a78f13575

SHA256
16a2c9a7d6c656fc7d3318f8bfa3d2a80e0723e3dd57b2f160112f5646d45c05

SHA512
42b7eedf8d250fb2a45a450916b2f48373b591b80a98b1baba7a102c1df02ac47268e4f394159c46effd933c545c08c7f26d7cbb0be5dbcb4f04bac8a82880b7

Download Submit
C:\Windows\{9D907FB8-1CBA-455d-8A72-3113CD4BF399}.exe

Filesize
408KB

MD5
6be5003b759e74da6b9007797e873569

SHA1
bbe78614c0ab5200a0d1077e34b9af9db424f6b1

SHA256
ecbe7cfc67d070f6273da5dc235ff1a8fea4beb67fcf25f7a365670b9506f347

SHA512
23787ac9f54baf99859d37d5c0a0bf145c350d9aa8db07fb19a306ab7af41977bfe77d07e6955b8d980fb8d02f169b13ce8513d7dfd27c0a0f0860328c8f813d

Download Submit
C:\Windows\{A2E80C3B-0812-4a7c-9281-63AE7FD33D96}.exe

Filesize
408KB

MD5
ccce4bdd0b9275f3a54d446b01caacdd

SHA1
81033fd159c3292563d315b2a8694e62e22d99a0

SHA256
1a2f8c5491b7faf8e0b24e9911b0d05f1b5cf2cc28b8bb0aef933d53cb6a59e7

SHA512
519767ce25698535981ebeeed2ede0cbc31cf146887ae6c24f9ac8214330ad3763c5b2fbe84a0fd9ef3272249fc518042c9f2133a1c47a5c5d0d88d4a2909b8f

Download Submit
C:\Windows\{B9CF882D-D11D-4716-A9F8-D7720EED503C}.exe

Filesize
408KB

MD5
3dfe590dd3b004265ac65f80daeffa5e

SHA1
ea556c097f485d142c212ee982195ee5ac66460e

SHA256
fdac2cb4180c8f83c070be8d8588e233f2985cc18513e4c45e13171fdb5bdd15

SHA512
403306f4d5ae32dfee04e5081afe15b85a7ec7ddc986b45fac361ceb4e33b3bb4234b8c0f3211bbfc47cbf99f07ccd895da0a69d17e0332f635c0f1fce3cebbe

Download Submit
C:\Windows\{C50C366B-A4E5-44cf-8557-B28BCCC41711}.exe

Filesize
408KB

MD5
f24733924abf8c75309bf8550f4d85a6

SHA1
9f6bb893026b10c9bfa5567ebcfae5d2ab1dc367

SHA256
6e8323bab51deebbdc46580fc18c21783ae776f62b38626dffd853726dd1f4be

SHA512
c58c176ef734b312a339abb22153fc32083b64f88dd2cc427fad259e79029a6cd04263c4be0934693ca2e1d7419755cc85c4b19354b4716fb4e584760d13c5fd

Download Submit
C:\Windows\{D5C20FBF-B5EC-4f61-84F7-377567BDA6DD}.exe

Filesize
408KB

MD5
93937a415dd07fdb2f3881336b01ae67

SHA1
e7667344304c26de1dcbe20034773675d09c09f4

SHA256
4d351106793280b53c37e2f9aa703f1ed40ac6c6dd32427d3fa45182b347e5ca

SHA512
8f899876f3376e4794dc13ef449703ac3e91985d4ea067b91567fd5c8b9af7b4a37d55c7f07826cb496de5b0b13eca716e4abff45a233194be0b5240c438150a

Download Submit
C:\Windows\{EE72CBC7-C718-4c89-BB0F-1AC725A846EE}.exe

Filesize
408KB

MD5
2de6315cfadd75b54c0bce50f6f676da

SHA1
82445b877cc7d9458c23bab56a43e907eeeddeae

SHA256
3150a051cc66262f83b56f9e6556118b4cbc75072ef015177aab03f88b22bece

SHA512
a627e6fd2076d4de61fece3b8827cec5de5d375b15852b31a5abc9c174c0dddc02254dd9916def41b989064424fb273ee4410b0ec698a8e717163b9d19a4332e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads