5e988e168f6a77b994b2f070474889b39f2e86da9fe1fb20607801273f1b3b8c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 16:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Size

204KB
MD5

cdfe91bc8302b86c7898cd3f685c830e
SHA1

f7407b0f30ad88e5911859ebbf8d5eeb68d170ce
SHA256

5e988e168f6a77b994b2f070474889b39f2e86da9fe1fb20607801273f1b3b8c
SHA512

3ff97be8853eb3a0426d6b5b981241dc2d453979dd6c2cb0b617028ac422f3e9fe1ddbe689932ae66f26a3898b3687b1e164ec0340bb24aa4808bf70785ca87a
SSDEEP

1536:1EGh0oPl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000121c5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000001220a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000174fc-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001220a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001220a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001220a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001220a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}\stubpath = "C:\\Windows\\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe"	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA78287B-DF7A-4339-9903-AB627F4713A2}	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{138E069C-0023-4305-A37B-3732D0DC5B15}\stubpath = "C:\\Windows\\{138E069C-0023-4305-A37B-3732D0DC5B15}.exe"	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1405B4E1-B4F4-476e-9845-2E747053DE84}	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}\stubpath = "C:\\Windows\\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe"	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}	{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}\stubpath = "C:\\Windows\\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe"	{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{524D180E-267E-44da-99DD-ED0A77DC6FDF}\stubpath = "C:\\Windows\\{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe"	{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B39E8B7C-D989-4757-ACE5-52938ACFA831}	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}\stubpath = "C:\\Windows\\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}.exe"	{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}	{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{138E069C-0023-4305-A37B-3732D0DC5B15}	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}\stubpath = "C:\\Windows\\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe"	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA78287B-DF7A-4339-9903-AB627F4713A2}\stubpath = "C:\\Windows\\{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe"	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{524D180E-267E-44da-99DD-ED0A77DC6FDF}	{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B39E8B7C-D989-4757-ACE5-52938ACFA831}\stubpath = "C:\\Windows\\{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe"	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}\stubpath = "C:\\Windows\\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe"	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1405B4E1-B4F4-476e-9845-2E747053DE84}\stubpath = "C:\\Windows\\{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe"	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe
2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
1924	{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe
1676	{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
2632	{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe
2044	{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
File created	C:\Windows\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
File created	C:\Windows\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
File created	C:\Windows\{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
File created	C:\Windows\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
File created	C:\Windows\{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe	{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
File created	C:\Windows\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}.exe	{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe
File created	C:\Windows\{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
File created	C:\Windows\{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe
File created	C:\Windows\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
File created	C:\Windows\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe	{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
Token: SeIncBasePriorityPrivilege	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe
Token: SeIncBasePriorityPrivilege	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
Token: SeIncBasePriorityPrivilege	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
Token: SeIncBasePriorityPrivilege	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
Token: SeIncBasePriorityPrivilege	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
Token: SeIncBasePriorityPrivilege	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
Token: SeIncBasePriorityPrivilege	1924	{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe
Token: SeIncBasePriorityPrivilege	1676	{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
Token: SeIncBasePriorityPrivilege	2632	{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2512	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	28
PID 1404 wrote to memory of 2512	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	28
PID 1404 wrote to memory of 2512	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	28
PID 1404 wrote to memory of 2512	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	28
PID 1404 wrote to memory of 3068	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	29
PID 1404 wrote to memory of 3068	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	29
PID 1404 wrote to memory of 3068	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	29
PID 1404 wrote to memory of 3068	1404	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	29
PID 2512 wrote to memory of 2996	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	30
PID 2512 wrote to memory of 2996	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	30
PID 2512 wrote to memory of 2996	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	30
PID 2512 wrote to memory of 2996	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	30
PID 2512 wrote to memory of 3052	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	31
PID 2512 wrote to memory of 3052	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	31
PID 2512 wrote to memory of 3052	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	31
PID 2512 wrote to memory of 3052	2512	{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe	31
PID 2996 wrote to memory of 2588	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	34
PID 2996 wrote to memory of 2588	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	34
PID 2996 wrote to memory of 2588	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	34
PID 2996 wrote to memory of 2588	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	34
PID 2996 wrote to memory of 2640	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	35
PID 2996 wrote to memory of 2640	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	35
PID 2996 wrote to memory of 2640	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	35
PID 2996 wrote to memory of 2640	2996	{138E069C-0023-4305-A37B-3732D0DC5B15}.exe	35
PID 2588 wrote to memory of 1660	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	36
PID 2588 wrote to memory of 1660	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	36
PID 2588 wrote to memory of 1660	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	36
PID 2588 wrote to memory of 1660	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	36
PID 2588 wrote to memory of 2440	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	37
PID 2588 wrote to memory of 2440	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	37
PID 2588 wrote to memory of 2440	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	37
PID 2588 wrote to memory of 2440	2588	{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe	37
PID 1660 wrote to memory of 2988	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	38
PID 1660 wrote to memory of 2988	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	38
PID 1660 wrote to memory of 2988	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	38
PID 1660 wrote to memory of 2988	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	38
PID 1660 wrote to memory of 2184	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	39
PID 1660 wrote to memory of 2184	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	39
PID 1660 wrote to memory of 2184	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	39
PID 1660 wrote to memory of 2184	1660	{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe	39
PID 2988 wrote to memory of 1164	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	40
PID 2988 wrote to memory of 1164	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	40
PID 2988 wrote to memory of 1164	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	40
PID 2988 wrote to memory of 1164	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	40
PID 2988 wrote to memory of 1100	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	41
PID 2988 wrote to memory of 1100	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	41
PID 2988 wrote to memory of 1100	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	41
PID 2988 wrote to memory of 1100	2988	{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe	41
PID 1164 wrote to memory of 1744	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	42
PID 1164 wrote to memory of 1744	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	42
PID 1164 wrote to memory of 1744	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	42
PID 1164 wrote to memory of 1744	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	42
PID 1164 wrote to memory of 2656	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	43
PID 1164 wrote to memory of 2656	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	43
PID 1164 wrote to memory of 2656	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	43
PID 1164 wrote to memory of 2656	1164	{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe	43
PID 1744 wrote to memory of 1924	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	44
PID 1744 wrote to memory of 1924	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	44
PID 1744 wrote to memory of 1924	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	44
PID 1744 wrote to memory of 1924	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	44
PID 1744 wrote to memory of 548	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	45
PID 1744 wrote to memory of 548	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	45
PID 1744 wrote to memory of 548	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	45
PID 1744 wrote to memory of 548	1744	{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
  C:\Windows\{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{138E069C-0023-4305-A37B-3732D0DC5B15}.exe
    C:\Windows\{138E069C-0023-4305-A37B-3732D0DC5B15}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
      C:\Windows\{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
        
        C:\Windows\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
        
        C:\Windows\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
        
        C:\Windows\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
        
        C:\Windows\{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe
        
        C:\Windows\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
        
        C:\Windows\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe
        
        C:\Windows\{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}.exe
        
        C:\Windows\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{524D1~1.EXE > nul
        12⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54BCE~1.EXE > nul
        11⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B47E0~1.EXE > nul
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA782~1.EXE > nul
        9⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A98A~1.EXE > nul
        8⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB45A~1.EXE > nul
        7⤵
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E5FE~1.EXE > nul
        6⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1405B~1.EXE > nul
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{138E0~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B39E8~1.EXE > nul
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{138E069C-0023-4305-A37B-3732D0DC5B15}.exe

Filesize
204KB

MD5
4baee74f262d5cd3f038732954d1a7c5

SHA1
ee1f6dfa114316a91b85629cbfc159ea821e29ba

SHA256
6132c49d3c71a72bb1119a98197f4c50190362e347e9d3fd5e8b76fbaadeff8a

SHA512
d0be60fd8a4958ad398698e20e818a8c4cafc9dd029838d1e9ca8eabbdc1b8a7cd2fa62b93a61ea904bff21fa68b457e5402a64f28ec9e6e4ba774012bc5a6a1

Download Submit
C:\Windows\{1405B4E1-B4F4-476e-9845-2E747053DE84}.exe

Filesize
204KB

MD5
2307a78087b51a9ac153624e7f1f9251

SHA1
223f8e9a189bb2d7d178106e050ec1a36c5f6ab9

SHA256
1e1fc9199c979e93786e1e62e71176a28ad56962126a1ec8942fe134a3537703

SHA512
0f5a8b9cbddabbe8a141fe012df21e7d80158eca99efabc4d3de4c1cb2d72987577cc136d5e55537a8a701100ada51b45b4015ce9439a9f3904ebd764c260785

Download Submit
C:\Windows\{2E5FEB71-6724-44d4-94D6-4AEB6656540D}.exe

Filesize
204KB

MD5
47bd6321f195fbd84f694e0d17c9a945

SHA1
d76bd4e491d42bc957b227db46e3408cd63b9dd2

SHA256
a492318d0606d218eacd1bd54fbb2e6ff6d813f0f863df1182e5f08f0bd48cc0

SHA512
7eb39a5fc54711aac9c6902c29b8f1cf2c6668241d874b914539149f6b36d09fae04935ed770c4912031ecf1876c1f7622858f69adf04a751605c35d66f00cc4

Download Submit
C:\Windows\{524D180E-267E-44da-99DD-ED0A77DC6FDF}.exe

Filesize
204KB

MD5
aa7b0f3171daffd5518c1be07221bbd4

SHA1
4666994afc4d0432789902cab83f559d41de6b04

SHA256
524704af649f239c4ac2ebab7d61d1477a3385556abdd30ead09fc9e82af7494

SHA512
d1da40bb2b8216e66085c459dcc287a9dffe79d42a483bd125430e65805df0e838cbd38e4f553dddab843b7b9907eccbea37836ced6f5b40d021341f0c19ddaa

Download Submit
C:\Windows\{54BCE1D6-F9BC-4e30-B90F-CD5FAD97D3C5}.exe

Filesize
204KB

MD5
d8cf2ec28885f16ce0117c00a6bd1931

SHA1
4559632683fa336297e6e9d8279ccae2eda89da6

SHA256
90f489f7992645f0d6ff1a106e0705774c354bc34b0709ccc130bdc321ef2ef3

SHA512
9742fbc57c17fee58afdc46e983751cfb9e6c929d7dbd8b3241fc5a54e1c6646a9bb0e61ba0ac4a2dcb72669d37f8333feb80589fb65d0679bb8a6d74dda68c1

Download Submit
C:\Windows\{9A98ABA2-97EA-4e52-8A73-425A3BF9196A}.exe

Filesize
204KB

MD5
874c724a06709040ff74ae4d8d43bf3c

SHA1
10dad7212b69133fdfda607827abc7139fa0cdc9

SHA256
d252eecbd0557de930f4378b019785ccb86b08a6dd2893bfcc2e4a4242a01557

SHA512
7a9b10b25252a7a1ab7d1227823106ab4d47ea77fcf25ce6f49edb8241aa758124a9d5a4f7e8af544e7d7cedfe2e72ccdfa0f40fb32c1ce90ebcfcf07562b691

Download Submit
C:\Windows\{B39E8B7C-D989-4757-ACE5-52938ACFA831}.exe

Filesize
204KB

MD5
f1c274886b90d89ddb922d43c3e8ca9f

SHA1
13d9779d70aef408905c4d0cadeb70ce625b6fe2

SHA256
36d834895a8dcc4276bb16175b5a05b208267bd8bfee5baaf7439a50877770eb

SHA512
562ffedd23b8dccbb023930634a87bf0a866590229dee30c76aa9c9fe51d7e28a9633f621dd9224e519ebaa028d882f8d89d79ab9ac74915b0eb213920e9298c

Download Submit
C:\Windows\{B47E0192-0E27-43cb-8CA8-CAA7E5EBA27A}.exe

Filesize
204KB

MD5
82844bb25e6199fbfad3b1033f7de8c6

SHA1
943613fe56e6b16b9a2275d94f47432d97e98f45

SHA256
123772aa4021951983112b5a1520301d36feafec7237ee3381ba6f8f146a3d2c

SHA512
0ee30724dd51cba382e15fc97efb38f77c6b4aa84089d2948d787508536cd76fcbff7b3978718f7a45a3e6c9e9e3bf1219f3bc15d09ac45e0a5555592dc901a4

Download Submit
C:\Windows\{CB45A986-DC87-4f57-BCCA-0E11F59481BE}.exe

Filesize
204KB

MD5
0d8af8c4741a6609116dc1204355b5b6

SHA1
eec54602601b4ceff37d918a2db25c45cc20e2b2

SHA256
e1359189e7be9cfb48747db6a62cc3578a434b1f5783aa4c0ab3307c4ef7d15c

SHA512
b73e27d147c1f636df9f168f593fdc0cbf194a00d4413dce652b1a021ff41fd833fce52b61e8e858ec3493523a115a07e95d275a5c6127e2026fc850bace00b8

Download Submit
C:\Windows\{DBC0FE1E-FFD3-4566-B24C-0F0C34473FCC}.exe

Filesize
204KB

MD5
a39815984e8c5f4fa96da450081c48e3

SHA1
54e1381d7d2e551080e043303338598c110a33c4

SHA256
e8eacbd6e6bdf0c835f2d0460be3e1bd7df11133c2a9f542aa10b343eea36f69

SHA512
cd250487ab95d4e3c06906a6dca5b91ce0a10a0b423957a4c2bc7e1feb515db3451c0a55f8342fad68d722e0c09ad256346102ffc2bfa07b3be69910c4f6c8d5

Download Submit
C:\Windows\{EA78287B-DF7A-4339-9903-AB627F4713A2}.exe

Filesize
204KB

MD5
611222d1b1b11a15b69c79411f42d137

SHA1
4cfac534e512f2dfc0a932836c59fd83f0ecd48e

SHA256
fe3f65bc11da4134bfe92f6e696a5eac79438db7f178debbceea9753f7dc6280

SHA512
5c5218e1d481ec3281a15426184f87803f9354ff2ca763f92db5d9d61fd63e251ab09f58570c4888a2411f6f1b636f2c5766ee16320846c84c292973a1b0e508

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads