a7afc3c61c8e6cb4d72840aaa0798de80df154713ff365ce9be6e9fdacf5002f

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe
Size

192KB
MD5

3733e770c4d470a7fe4400202d44fd18
SHA1

5867c71323d615bff97a877b3cb4a749803d74c9
SHA256

a7afc3c61c8e6cb4d72840aaa0798de80df154713ff365ce9be6e9fdacf5002f
SHA512

dd6dc6f8106b54c0a5061b27d4174567ddb4d6218b55d1abd43b70bb81e60108947ac80ae06fa4b48e294329256255b666b0f12ecb795d074fd9ec96c288270c
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0osl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001444f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014665-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001470b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014665-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014b12-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014b12-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240A439B-E552-4a3e-AAF5-58B2560815F1}\stubpath = "C:\\Windows\\{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe"	{F32A3447-E675-4203-93E2-2C390FB02390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32A3447-E675-4203-93E2-2C390FB02390}\stubpath = "C:\\Windows\\{F32A3447-E675-4203-93E2-2C390FB02390}.exe"	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67D3419-5743-4022-BA80-3C164EFC150E}\stubpath = "C:\\Windows\\{E67D3419-5743-4022-BA80-3C164EFC150E}.exe"	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}\stubpath = "C:\\Windows\\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe"	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240A439B-E552-4a3e-AAF5-58B2560815F1}	{F32A3447-E675-4203-93E2-2C390FB02390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}	{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280C739B-B862-41dd-A0F8-35A4A924C4E0}	{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280C739B-B862-41dd-A0F8-35A4A924C4E0}\stubpath = "C:\\Windows\\{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe"	{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}\stubpath = "C:\\Windows\\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe"	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C238B4-513F-41a6-92C9-AA34C846294E}	{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C238B4-513F-41a6-92C9-AA34C846294E}\stubpath = "C:\\Windows\\{52C238B4-513F-41a6-92C9-AA34C846294E}.exe"	{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32A3447-E675-4203-93E2-2C390FB02390}	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}\stubpath = "C:\\Windows\\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe"	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}\stubpath = "C:\\Windows\\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe"	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}\stubpath = "C:\\Windows\\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe"	{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67D3419-5743-4022-BA80-3C164EFC150E}	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}\stubpath = "C:\\Windows\\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe"	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe
2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe
1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
2860	{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
2868	{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
2288	{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe
1592	{52C238B4-513F-41a6-92C9-AA34C846294E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
File created	C:\Windows\{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe	{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
File created	C:\Windows\{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	{F32A3447-E675-4203-93E2-2C390FB02390}.exe
File created	C:\Windows\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe
File created	C:\Windows\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
File created	C:\Windows\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
File created	C:\Windows\{F32A3447-E675-4203-93E2-2C390FB02390}.exe	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
File created	C:\Windows\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
File created	C:\Windows\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe	{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
File created	C:\Windows\{52C238B4-513F-41a6-92C9-AA34C846294E}.exe	{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe
File created	C:\Windows\{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe
Token: SeIncBasePriorityPrivilege	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
Token: SeIncBasePriorityPrivilege	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
Token: SeIncBasePriorityPrivilege	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
Token: SeIncBasePriorityPrivilege	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe
Token: SeIncBasePriorityPrivilege	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
Token: SeIncBasePriorityPrivilege	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
Token: SeIncBasePriorityPrivilege	2860	{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
Token: SeIncBasePriorityPrivilege	2868	{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
Token: SeIncBasePriorityPrivilege	2288	{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2872	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	28
PID 2080 wrote to memory of 2872	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	28
PID 2080 wrote to memory of 2872	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	28
PID 2080 wrote to memory of 2872	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	28
PID 2080 wrote to memory of 2592	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	29
PID 2080 wrote to memory of 2592	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	29
PID 2080 wrote to memory of 2592	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	29
PID 2080 wrote to memory of 2592	2080	2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe	29
PID 2872 wrote to memory of 2600	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	30
PID 2872 wrote to memory of 2600	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	30
PID 2872 wrote to memory of 2600	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	30
PID 2872 wrote to memory of 2600	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	30
PID 2872 wrote to memory of 2072	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	31
PID 2872 wrote to memory of 2072	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	31
PID 2872 wrote to memory of 2072	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	31
PID 2872 wrote to memory of 2072	2872	{E67D3419-5743-4022-BA80-3C164EFC150E}.exe	31
PID 2600 wrote to memory of 2852	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	32
PID 2600 wrote to memory of 2852	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	32
PID 2600 wrote to memory of 2852	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	32
PID 2600 wrote to memory of 2852	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	32
PID 2600 wrote to memory of 2616	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	33
PID 2600 wrote to memory of 2616	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	33
PID 2600 wrote to memory of 2616	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	33
PID 2600 wrote to memory of 2616	2600	{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe	33
PID 2852 wrote to memory of 1688	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	36
PID 2852 wrote to memory of 1688	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	36
PID 2852 wrote to memory of 1688	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	36
PID 2852 wrote to memory of 1688	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	36
PID 2852 wrote to memory of 2696	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	37
PID 2852 wrote to memory of 2696	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	37
PID 2852 wrote to memory of 2696	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	37
PID 2852 wrote to memory of 2696	2852	{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe	37
PID 1688 wrote to memory of 2800	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	38
PID 1688 wrote to memory of 2800	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	38
PID 1688 wrote to memory of 2800	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	38
PID 1688 wrote to memory of 2800	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	38
PID 1688 wrote to memory of 2824	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	39
PID 1688 wrote to memory of 2824	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	39
PID 1688 wrote to memory of 2824	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	39
PID 1688 wrote to memory of 2824	1688	{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe	39
PID 2800 wrote to memory of 1884	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	40
PID 2800 wrote to memory of 1884	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	40
PID 2800 wrote to memory of 1884	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	40
PID 2800 wrote to memory of 1884	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	40
PID 2800 wrote to memory of 1620	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	41
PID 2800 wrote to memory of 1620	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	41
PID 2800 wrote to memory of 1620	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	41
PID 2800 wrote to memory of 1620	2800	{F32A3447-E675-4203-93E2-2C390FB02390}.exe	41
PID 1884 wrote to memory of 2336	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	42
PID 1884 wrote to memory of 2336	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	42
PID 1884 wrote to memory of 2336	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	42
PID 1884 wrote to memory of 2336	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	42
PID 1884 wrote to memory of 1572	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	43
PID 1884 wrote to memory of 1572	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	43
PID 1884 wrote to memory of 1572	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	43
PID 1884 wrote to memory of 1572	1884	{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe	43
PID 2336 wrote to memory of 2860	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	44
PID 2336 wrote to memory of 2860	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	44
PID 2336 wrote to memory of 2860	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	44
PID 2336 wrote to memory of 2860	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	44
PID 2336 wrote to memory of 648	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	45
PID 2336 wrote to memory of 648	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	45
PID 2336 wrote to memory of 648	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	45
PID 2336 wrote to memory of 648	2336	{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_3733e770c4d470a7fe4400202d44fd18_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{E67D3419-5743-4022-BA80-3C164EFC150E}.exe
  C:\Windows\{E67D3419-5743-4022-BA80-3C164EFC150E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
    C:\Windows\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
      C:\Windows\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
        
        C:\Windows\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\{F32A3447-E675-4203-93E2-2C390FB02390}.exe
        
        C:\Windows\{F32A3447-E675-4203-93E2-2C390FB02390}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
        
        C:\Windows\{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
        
        C:\Windows\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
        
        C:\Windows\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
        
        C:\Windows\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe
        
        C:\Windows\{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\{52C238B4-513F-41a6-92C9-AA34C846294E}.exe
        
        C:\Windows\{52C238B4-513F-41a6-92C9-AA34C846294E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{280C7~1.EXE > nul
        12⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A62~1.EXE > nul
        11⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8718~1.EXE > nul
        10⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5715E~1.EXE > nul
        9⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{240A4~1.EXE > nul
        8⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F32A3~1.EXE > nul
        7⤵
        
        PID:1620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C410~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5838~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0AC~1.EXE > nul
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E67D3~1.EXE > nul
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A62B95-9E33-4fd8-97B7-94D3E053CFDA}.exe

Filesize
192KB

MD5
942858368b724e69581ffcc570acffa6

SHA1
ba24ef39acf8c5629bb7f66be025ca0452bd62e0

SHA256
c542a3a4d8a5e26c21e394fb1f19d80978303b1527fe22d39c49d4f17027d295

SHA512
f507e02703972f2b02f6a550cbfb5d81b8826bec25de261ab2968900a4868e3231b74f7d2f15fa115ed4ed2f62e6b7af12aea5067594e8ab7bb9d7689ebaefa8

Download Submit
C:\Windows\{240A439B-E552-4a3e-AAF5-58B2560815F1}.exe

Filesize
192KB

MD5
657e23189d58ef54ac84e53fcb64434a

SHA1
583eba94c701e71dd0a3f33c558ad170ea0ce09e

SHA256
cf9faa1417bc7b73e8b4228f55af8d730e6a0badaade25b9fab3376d6bedbdc5

SHA512
8fdd0c77e8c2af305707839baef9e95b129f13881c2dcda19e00ca8f052203b879db2d773f4ba17038ba652168182b0623b7487ad3cca6ee887b875df5aa10b4

Download Submit
C:\Windows\{280C739B-B862-41dd-A0F8-35A4A924C4E0}.exe

Filesize
192KB

MD5
d8875d4ddf1849fcbc7c42c819ab2a6d

SHA1
89fdf05cdb4094f31328161d31977475b5e095a3

SHA256
961cfd754e9cfa11068ba5af6487a460da4f44880bd3fbe764095c124b3dd4f8

SHA512
ca52d8b45b37413ef649a540e7a5297f7b99450d690d3fa704b41bbb6333049dd100deaecfd18149a2ec517a636f268ed0ace285dc4b5051c9f59058c80594b7

Download Submit
C:\Windows\{3C4105D3-5CDF-40e6-93D9-01161DA21D37}.exe

Filesize
192KB

MD5
68cdd2e0d26248b71bbfcb46f6088b46

SHA1
bc07f3ab92465bd226ae63fcdc341f1397cd60e6

SHA256
02de109dbdb2bde856657559503eab88542f5c3910d001a408a54b87eb96e88c

SHA512
c2e19852d845fc1d81f4a236255f4d892e74019824e31d25b359a4549cbfa0a4750fc36ba080643bbc00872e0319780363076885f34e886d0ca32b2ace9c1a3e

Download Submit
C:\Windows\{52C238B4-513F-41a6-92C9-AA34C846294E}.exe

Filesize
192KB

MD5
f19840066bfe9761c99e331ddeb2549c

SHA1
e084f8d4b4052f37e6f7b5cc4c829a2abb5475d4

SHA256
b384804339afe0bbd9a1eab10a7f97f0950a980be3527d6f13fdbf0acd585a5b

SHA512
d16553ed471a65e967a658dde9f74ce4c021f485411d8068b0d4685883cff45653347158b62bc9250757acdb53f2de8a500b20ebdc0af76822d34d74ee65dc50

Download Submit
C:\Windows\{5715EE5C-1D7D-455a-AE50-451EC0F8C27F}.exe

Filesize
192KB

MD5
ba5be7b67f56311a9c65be848858a9e9

SHA1
9023253b498f4717eea647e0448d07e22da8c831

SHA256
2909dd7dd51d4f91ac8bb9b38081efa902dfe30d583a278c1365834fea274c7e

SHA512
2e61252ec370d83ea2d5aab42123269c0773a44929e8740f1d4c9e5539e24b3dc444008e466a7bab2a6fc89afacde0dc6f0b8dc42207892c05651d1c90256f4b

Download Submit
C:\Windows\{5A0ACB20-933D-4e08-BF00-B49296CB24B9}.exe

Filesize
192KB

MD5
12a33948079ebb4e700529cf6d68dd33

SHA1
72cd09998418526ea37b0146b32430fb03d90232

SHA256
2ff5f091b93a8d75eacf59ad15b91557baf18b8e038ac41cf85e266cbe5c130a

SHA512
73ffaeec961589f26dc605080c8f958b1bdccaa58fcdb0b20bd0a2622400b22ce92bd45629df931ef5a997cc48506ed4d4952862764c814ce7f16cdbfc84f2ad

Download Submit
C:\Windows\{E583831A-1F00-4c01-9A43-ECA4FD58CC51}.exe

Filesize
192KB

MD5
53f74bb5742624776b812618241b2a9e

SHA1
6a68fc65c672e9d2b590bb48dcaea4cd8f32aacb

SHA256
131bb5dabd6bb6455bb49a3f2f22c3bc08720d80e58d6c364bd6d228282a2b09

SHA512
d6dec9a76ae98a9fe4df60132c736dacab100df2f452a32fddccb6c00e71dae0537713e38f7bdfc40fc6b85c69bc4dbb1b3e5217ec114158cd185de6828d9659

Download Submit
C:\Windows\{E67D3419-5743-4022-BA80-3C164EFC150E}.exe

Filesize
192KB

MD5
72fb1212678b2ebff1048c16917e168a

SHA1
44ef8d45fbddb04dc21dde8b59b0ce3617587492

SHA256
33982b30d4af7b14059f31b82108de09d69ba055b9685bc9df2a21a8f36550b5

SHA512
e22a8e1765564542addced420afe21172e2049818b3b1ca465a16e29d5307ca20a4e6757a618fe3f670011376f56514a98228c1601540d1f8b6f2c110b04cd2f

Download Submit
C:\Windows\{E8718366-D543-48f5-8F6A-5ECC6D8F533B}.exe

Filesize
192KB

MD5
56f8ce57b347f7d4b55af03631e948b5

SHA1
b70205cc009cf0edb957e7db2ada0efc384d7a59

SHA256
1d755b06c3d9292242fc30261745ab84eab559fc23b9065a4b8b563fdcaf902b

SHA512
9c5489e1d687744d5c18cea87f2cac85b42ec25c230319b2a3fb62944f5a64846e383cf0284799c2ae8a330b3003ec47b0468deab7a9ff36dfb375ec07125b27

Download Submit
C:\Windows\{F32A3447-E675-4203-93E2-2C390FB02390}.exe

Filesize
192KB

MD5
01cc7a0e141e5c2dc7587e4cee0db74d

SHA1
a99225577b384e44197e33062d62b5d5aa9e2792

SHA256
7e156dc6241aed67adaec0dc908eb7afd40db3e16311ca1024841b1658bc8802

SHA512
e5ca8ef16bc9d862088eca79f7218c439571384d09e18c4ce048cecdc415c700f45745d9ec178f31d0ab5115e4c4e2d3d0adfac64de07d35fbc7b89f85ee93e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads