287b9f8cc977be6aaa202f4ba0c64654fc1564658c0d16d01d8699b4ba415c8f

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 14:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Size

180KB
MD5

c7b901c333537732680213b79fd71b97
SHA1

3588897f5e01ea6e3589575d75784e578dcd1b49
SHA256

287b9f8cc977be6aaa202f4ba0c64654fc1564658c0d16d01d8699b4ba415c8f
SHA512

504c0890063c7f4e7b9d566c3db4ba63f533c980f33bdb04176449f1eec39c11917164932b865dd2ea32a9d3b6cdd6588124e21c8f807255c1635b1a8c09cd76
SSDEEP

3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015ca5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012255-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012255-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012255-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012255-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF6ECA22-42D5-4b01-9A75-00C424A45518}	{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF6ECA22-42D5-4b01-9A75-00C424A45518}\stubpath = "C:\\Windows\\{FF6ECA22-42D5-4b01-9A75-00C424A45518}.exe"	{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F7AD88-1FAE-4741-978C-132091F0D866}\stubpath = "C:\\Windows\\{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe"	{95720FA6-071D-4511-8636-5AC0E889A221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}\stubpath = "C:\\Windows\\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe"	{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F7AD88-1FAE-4741-978C-132091F0D866}	{95720FA6-071D-4511-8636-5AC0E889A221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE3A9E00-518B-48bd-AF82-863FFE458E65}\stubpath = "C:\\Windows\\{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe"	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}	{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E062473-0950-4737-B33E-906DE6DBFBCB}\stubpath = "C:\\Windows\\{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe"	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95720FA6-071D-4511-8636-5AC0E889A221}	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D871DFE3-4856-4050-A841-553FCAD086D5}\stubpath = "C:\\Windows\\{D871DFE3-4856-4050-A841-553FCAD086D5}.exe"	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{565B27F9-9608-4729-991D-85A94C6DEB30}\stubpath = "C:\\Windows\\{565B27F9-9608-4729-991D-85A94C6DEB30}.exe"	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}\stubpath = "C:\\Windows\\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe"	{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}\stubpath = "C:\\Windows\\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe"	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E062473-0950-4737-B33E-906DE6DBFBCB}	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D871DFE3-4856-4050-A841-553FCAD086D5}	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{565B27F9-9608-4729-991D-85A94C6DEB30}	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE3A9E00-518B-48bd-AF82-863FFE458E65}	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}	{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}\stubpath = "C:\\Windows\\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe"	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95720FA6-071D-4511-8636-5AC0E889A221}\stubpath = "C:\\Windows\\{95720FA6-071D-4511-8636-5AC0E889A221}.exe"	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe
2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe
2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
1604	{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
2536	{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
1392	{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe
1336	{FF6ECA22-42D5-4b01-9A75-00C424A45518}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
File created	C:\Windows\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe	{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
File created	C:\Windows\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe	{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
File created	C:\Windows\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
File created	C:\Windows\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
File created	C:\Windows\{95720FA6-071D-4511-8636-5AC0E889A221}.exe	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe
File created	C:\Windows\{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	{95720FA6-071D-4511-8636-5AC0E889A221}.exe
File created	C:\Windows\{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
File created	C:\Windows\{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
File created	C:\Windows\{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
File created	C:\Windows\{FF6ECA22-42D5-4b01-9A75-00C424A45518}.exe	{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
Token: SeIncBasePriorityPrivilege	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
Token: SeIncBasePriorityPrivilege	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe
Token: SeIncBasePriorityPrivilege	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe
Token: SeIncBasePriorityPrivilege	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
Token: SeIncBasePriorityPrivilege	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
Token: SeIncBasePriorityPrivilege	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
Token: SeIncBasePriorityPrivilege	1604	{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
Token: SeIncBasePriorityPrivilege	2536	{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
Token: SeIncBasePriorityPrivilege	1392	{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2972	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	28
PID 2200 wrote to memory of 2972	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	28
PID 2200 wrote to memory of 2972	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	28
PID 2200 wrote to memory of 2972	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	28
PID 2200 wrote to memory of 2968	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	29
PID 2200 wrote to memory of 2968	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	29
PID 2200 wrote to memory of 2968	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	29
PID 2200 wrote to memory of 2968	2200	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	29
PID 2972 wrote to memory of 2264	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	30
PID 2972 wrote to memory of 2264	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	30
PID 2972 wrote to memory of 2264	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	30
PID 2972 wrote to memory of 2264	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	30
PID 2972 wrote to memory of 2724	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	31
PID 2972 wrote to memory of 2724	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	31
PID 2972 wrote to memory of 2724	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	31
PID 2972 wrote to memory of 2724	2972	{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe	31
PID 2264 wrote to memory of 2616	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	32
PID 2264 wrote to memory of 2616	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	32
PID 2264 wrote to memory of 2616	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	32
PID 2264 wrote to memory of 2616	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	32
PID 2264 wrote to memory of 2576	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	33
PID 2264 wrote to memory of 2576	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	33
PID 2264 wrote to memory of 2576	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	33
PID 2264 wrote to memory of 2576	2264	{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe	33
PID 2616 wrote to memory of 2920	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	36
PID 2616 wrote to memory of 2920	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	36
PID 2616 wrote to memory of 2920	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	36
PID 2616 wrote to memory of 2920	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	36
PID 2616 wrote to memory of 1840	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	37
PID 2616 wrote to memory of 1840	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	37
PID 2616 wrote to memory of 1840	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	37
PID 2616 wrote to memory of 1840	2616	{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe	37
PID 2920 wrote to memory of 2776	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	38
PID 2920 wrote to memory of 2776	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	38
PID 2920 wrote to memory of 2776	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	38
PID 2920 wrote to memory of 2776	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	38
PID 2920 wrote to memory of 2892	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	39
PID 2920 wrote to memory of 2892	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	39
PID 2920 wrote to memory of 2892	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	39
PID 2920 wrote to memory of 2892	2920	{95720FA6-071D-4511-8636-5AC0E889A221}.exe	39
PID 2776 wrote to memory of 1820	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	40
PID 2776 wrote to memory of 1820	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	40
PID 2776 wrote to memory of 1820	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	40
PID 2776 wrote to memory of 1820	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	40
PID 2776 wrote to memory of 2028	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	41
PID 2776 wrote to memory of 2028	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	41
PID 2776 wrote to memory of 2028	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	41
PID 2776 wrote to memory of 2028	2776	{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe	41
PID 1820 wrote to memory of 1940	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	42
PID 1820 wrote to memory of 1940	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	42
PID 1820 wrote to memory of 1940	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	42
PID 1820 wrote to memory of 1940	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	42
PID 1820 wrote to memory of 776	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	43
PID 1820 wrote to memory of 776	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	43
PID 1820 wrote to memory of 776	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	43
PID 1820 wrote to memory of 776	1820	{D871DFE3-4856-4050-A841-553FCAD086D5}.exe	43
PID 1940 wrote to memory of 1604	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	44
PID 1940 wrote to memory of 1604	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	44
PID 1940 wrote to memory of 1604	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	44
PID 1940 wrote to memory of 1604	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	44
PID 1940 wrote to memory of 1448	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	45
PID 1940 wrote to memory of 1448	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	45
PID 1940 wrote to memory of 1448	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	45
PID 1940 wrote to memory of 1448	1940	{565B27F9-9608-4729-991D-85A94C6DEB30}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
  C:\Windows\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
    C:\Windows\{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe
      C:\Windows\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{95720FA6-071D-4511-8636-5AC0E889A221}.exe
        
        C:\Windows\{95720FA6-071D-4511-8636-5AC0E889A221}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
        
        C:\Windows\{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
        
        C:\Windows\{D871DFE3-4856-4050-A841-553FCAD086D5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
        
        C:\Windows\{565B27F9-9608-4729-991D-85A94C6DEB30}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
        
        C:\Windows\{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
        
        C:\Windows\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe
        
        C:\Windows\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\{FF6ECA22-42D5-4b01-9A75-00C424A45518}.exe
        
        C:\Windows\{FF6ECA22-42D5-4b01-9A75-00C424A45518}.exe
        12⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26DC6~1.EXE > nul
        12⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A5E0~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3A9~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{565B2~1.EXE > nul
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D871D~1.EXE > nul
        8⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F7A~1.EXE > nul
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95720~1.EXE > nul
        6⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D554~1.EXE > nul
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5E062~1.EXE > nul
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D9A4~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26DC6FB0-3E1D-469e-B757-DE4697A0A585}.exe

Filesize
180KB

MD5
2f527f8091190078ffb5d47e9d92f550

SHA1
62a0741ad4440a6f100d8e13d7dd94bbad6f875c

SHA256
08d1e5d8d7fcf6f63bcf676f0b92ed0e8a1274fbcac8ad3d2b1be9921e6d85cd

SHA512
1abd751489ae80106a8c015cc1102072518ba01e1632b8915cb22306b62df268a685361209838523b80d31073e4c4db6954861a6b4ec88a9428ec9cb8fba696e

Download Submit
C:\Windows\{2A5E0468-862A-4731-B6BE-0BB560CB7DA0}.exe

Filesize
180KB

MD5
329d117a1dd9009eaf1b5a46fb6697cc

SHA1
2905ab20f62161d4b5d1df2ada0f246bb7813fb0

SHA256
afb6b6198afda43800f2b68458f9523177e07e5978a3d00c4601ba6af0abb66f

SHA512
aa366ea7dc2d8b875abff68bccf04a74518edd2ac4737fbdc8306e9f1f469d6075d6f7ca15caac3b7050ce713ca335c1f8c30d6ec51d83841c697896d0127701

Download Submit
C:\Windows\{4D9A462C-23D5-434f-83A5-2C1B0774BB05}.exe

Filesize
180KB

MD5
3be9c0907abc62c17913a27d0faee360

SHA1
ada9c063aaecc5345165b2d255f7a54ad4091346

SHA256
d74e0ca10a73c218bc08b3a50880febae094f22c5025920712297658406eca4e

SHA512
628cfef0b3f74e3ef12f69c5ec5073e4a4adf1a3ab525f3b2dbb0b10a3a1a8419fb4121a16f1bbc2af457a4b8ccc48958f7f67852ca92f435a1026de4fa62080

Download Submit
C:\Windows\{565B27F9-9608-4729-991D-85A94C6DEB30}.exe

Filesize
180KB

MD5
ad5fb634b2aed3d6d16016d310dad3e8

SHA1
ab64907b7cc58eb7d72e946b7201cc975d2343ec

SHA256
1d15c8d7f7e0ea654c1242ac2cf98b0fedb7f37809e92fcc017549ad73e6dbfc

SHA512
736401ef99a94093254c8968b7a8676157d4465dc757dcd5afbd1716b6421658c8454e8409d22810d624057c69b9d4f74b89f3f8fe5a61086c0a658ee41002b7

Download Submit
C:\Windows\{5D5547A4-72E0-4157-BAA1-D8BBF35A819A}.exe

Filesize
180KB

MD5
fca64b38e5823f1749ac3988576e29e5

SHA1
89b54c1af050dce8b87aab951fd95871b6df6e3a

SHA256
ebd9f50a1e4b73bd6acd8821646a04a52d16902fa4ff0e1c4e85f586beef4897

SHA512
58886fed9e6bdb9a94988ac0484c898dc1c096d3825d2bb79546e04b2aa66a5ea4dbf6e22e5c7e37de4bdb279cf5e53af7905b56cd547a9880c5c29ffcc8e824

Download Submit
C:\Windows\{5E062473-0950-4737-B33E-906DE6DBFBCB}.exe

Filesize
180KB

MD5
3b9d23ec1d248e3b349d00635d3293a0

SHA1
3a4e12b63b0e221b9b842c43dbe1b641cdbae947

SHA256
ccedb1bc87c5a567590debb2264d029f54f71c8a5c44eea2b63ecda56a090990

SHA512
9d94d32979ec21013dac583b843fc613b5679ee5e6b4b8afa954d0e98b0ccf1181af175dd03ae3a21d64fee7d7685d7095ba671892461339fb7d74f329a3abbf

Download Submit
C:\Windows\{95720FA6-071D-4511-8636-5AC0E889A221}.exe

Filesize
180KB

MD5
ea9af757a9881b66973a6b96baabc505

SHA1
81b957f2733ec2256f24bfdb31647fadd1ae8628

SHA256
acb4bead55026f57aa85fad17aa7c18026468e4e0e2389431c5d1053e61b33d2

SHA512
6546d9890b9add29cf738ba59a5c108ec3d77e93869e9051018dc91a82559b15a7cc09c1d600ef28ee9a6d4986cdd5824e1271cdfbcfed0c632c353007f09155

Download Submit
C:\Windows\{B6F7AD88-1FAE-4741-978C-132091F0D866}.exe

Filesize
180KB

MD5
4ffea27b55d2f4849b9922f5d86bdadd

SHA1
faff318a1f3cbfd6adf451c859ca5a3b0d113782

SHA256
054b409e5357c850e17b3ccffe44b27ff2d12d2b05e9a5b5ea8667be6ac3a281

SHA512
28b381f47f8b30dabe4f45b8861c63a196744bc8bcb6bb95a3718853e5541710b60cbe504c5b977596d853e758707b0489e3154ee801e2d5ef8855f02ced9f7d

Download Submit
C:\Windows\{D871DFE3-4856-4050-A841-553FCAD086D5}.exe

Filesize
180KB

MD5
10e90156d5ca6de8b5847aad73e1bdce

SHA1
96e04dabb6ea888f9e843fe39feca0e21a93213f

SHA256
7fc4cdd3caf7bc18478537c565878a7ee261a71a6e9e1d0faa62e80d703d56ce

SHA512
041850f4cbc12940b6ed3c2603e2dc9ba25cb9800bcd5bf99c9e8a7fce2be8cbbbb155b25ef9a5c42b6d04d6f6c800e0b836e98894e7b096bc4922d0764f0e77

Download Submit
C:\Windows\{FE3A9E00-518B-48bd-AF82-863FFE458E65}.exe

Filesize
180KB

MD5
d2071be4c9f078b18c45f8f24a07d6be

SHA1
4052afa336fa9b7288c7b2381251ec8e82dbe47d

SHA256
848e7d891bfe3cb4fc69667f2af3487cbe54d43fce852e9b4cd506061935b00a

SHA512
088cd699a0d24b423a5ad70b869fa028a6f5d08ea6d958e4cfa3be04a3f3fb7e8d25267c09ba5d22cd86dec2a110747c431655f1094ab472f16d891c826d50f8

Download Submit
C:\Windows\{FF6ECA22-42D5-4b01-9A75-00C424A45518}.exe

Filesize
180KB

MD5
f12c526913627deaf22ade4fbedc99d8

SHA1
d699a5f9dc2455e61918740d77cd36fe1933a4cd

SHA256
07f6ae4096f208f39c3472f7bd139c48dd7afa711372b9ce4efc72368feee220

SHA512
1dfd1da9142ac82247863eb5c901d0dffa550b83ad4a2e078a89749086f98bf8643c10d222c06cff66d595b957e469ab46b97e2464d85a359b052872d84fc5fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads