6b238ee962bd094a56c0571dcf1dda8574ac5ac8d9dadb7f2036912fd8c62fbf

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Size

192KB
MD5

41d2feb21daa69e9d4fc37619c2259e2
SHA1

01d78a0551acd1075afe8d28dad837a626a1fe03
SHA256

6b238ee962bd094a56c0571dcf1dda8574ac5ac8d9dadb7f2036912fd8c62fbf
SHA512

a0a9a0bcd956fa350306823ce8c710ffd8d2a265104bf052e6b399eb20b79fccb8ed99d631af5ed60834093a937711ccbcd2356ff8d484fd409b125c4d35fbf2
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ocl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000015c13-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001225e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{644376B4-BECD-45b6-898E-8E538E248475}	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{644376B4-BECD-45b6-898E-8E538E248475}\stubpath = "C:\\Windows\\{644376B4-BECD-45b6-898E-8E538E248475}.exe"	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}	{644376B4-BECD-45b6-898E-8E538E248475}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}	{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}\stubpath = "C:\\Windows\\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe"	{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}\stubpath = "C:\\Windows\\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe"	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D581349-908B-4976-8C59-C7A98D4CD0A1}	{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D581349-908B-4976-8C59-C7A98D4CD0A1}\stubpath = "C:\\Windows\\{5D581349-908B-4976-8C59-C7A98D4CD0A1}.exe"	{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC51D18-FAAC-435e-8742-49521DCA0E85}\stubpath = "C:\\Windows\\{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe"	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3440366A-0788-4a14-B5AB-7D737BF025DB}\stubpath = "C:\\Windows\\{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe"	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}\stubpath = "C:\\Windows\\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe"	{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}\stubpath = "C:\\Windows\\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe"	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}\stubpath = "C:\\Windows\\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe"	{644376B4-BECD-45b6-898E-8E538E248475}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3440366A-0788-4a14-B5AB-7D737BF025DB}	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25DE6019-41B1-4901-94B2-D01CCDE1278A}	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25DE6019-41B1-4901-94B2-D01CCDE1278A}\stubpath = "C:\\Windows\\{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe"	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}	{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC51D18-FAAC-435e-8742-49521DCA0E85}	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}\stubpath = "C:\\Windows\\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe"	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe
2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe
656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
1700	{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
1556	{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
1156	{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe
804	{5D581349-908B-4976-8C59-C7A98D4CD0A1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
File created	C:\Windows\{644376B4-BECD-45b6-898E-8E538E248475}.exe	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
File created	C:\Windows\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	{644376B4-BECD-45b6-898E-8E538E248475}.exe
File created	C:\Windows\{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
File created	C:\Windows\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe	{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
File created	C:\Windows\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe	{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
File created	C:\Windows\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
File created	C:\Windows\{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
File created	C:\Windows\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe
File created	C:\Windows\{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
File created	C:\Windows\{5D581349-908B-4976-8C59-C7A98D4CD0A1}.exe	{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
Token: SeIncBasePriorityPrivilege	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
Token: SeIncBasePriorityPrivilege	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe
Token: SeIncBasePriorityPrivilege	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
Token: SeIncBasePriorityPrivilege	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
Token: SeIncBasePriorityPrivilege	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe
Token: SeIncBasePriorityPrivilege	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
Token: SeIncBasePriorityPrivilege	1700	{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
Token: SeIncBasePriorityPrivilege	1556	{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
Token: SeIncBasePriorityPrivilege	1156	{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2512	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	28
PID 1944 wrote to memory of 2512	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	28
PID 1944 wrote to memory of 2512	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	28
PID 1944 wrote to memory of 2512	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	28
PID 1944 wrote to memory of 2528	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	29
PID 1944 wrote to memory of 2528	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	29
PID 1944 wrote to memory of 2528	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	29
PID 1944 wrote to memory of 2528	1944	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	29
PID 2512 wrote to memory of 2620	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	30
PID 2512 wrote to memory of 2620	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	30
PID 2512 wrote to memory of 2620	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	30
PID 2512 wrote to memory of 2620	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	30
PID 2512 wrote to memory of 2552	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	31
PID 2512 wrote to memory of 2552	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	31
PID 2512 wrote to memory of 2552	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	31
PID 2512 wrote to memory of 2552	2512	{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe	31
PID 2620 wrote to memory of 2752	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	32
PID 2620 wrote to memory of 2752	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	32
PID 2620 wrote to memory of 2752	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	32
PID 2620 wrote to memory of 2752	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	32
PID 2620 wrote to memory of 2464	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	33
PID 2620 wrote to memory of 2464	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	33
PID 2620 wrote to memory of 2464	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	33
PID 2620 wrote to memory of 2464	2620	{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe	33
PID 2752 wrote to memory of 2220	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	36
PID 2752 wrote to memory of 2220	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	36
PID 2752 wrote to memory of 2220	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	36
PID 2752 wrote to memory of 2220	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	36
PID 2752 wrote to memory of 2180	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	37
PID 2752 wrote to memory of 2180	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	37
PID 2752 wrote to memory of 2180	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	37
PID 2752 wrote to memory of 2180	2752	{644376B4-BECD-45b6-898E-8E538E248475}.exe	37
PID 2220 wrote to memory of 2696	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	38
PID 2220 wrote to memory of 2696	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	38
PID 2220 wrote to memory of 2696	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	38
PID 2220 wrote to memory of 2696	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	38
PID 2220 wrote to memory of 2360	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	39
PID 2220 wrote to memory of 2360	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	39
PID 2220 wrote to memory of 2360	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	39
PID 2220 wrote to memory of 2360	2220	{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe	39
PID 2696 wrote to memory of 2040	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	40
PID 2696 wrote to memory of 2040	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	40
PID 2696 wrote to memory of 2040	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	40
PID 2696 wrote to memory of 2040	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	40
PID 2696 wrote to memory of 1824	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	41
PID 2696 wrote to memory of 1824	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	41
PID 2696 wrote to memory of 1824	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	41
PID 2696 wrote to memory of 1824	2696	{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe	41
PID 2040 wrote to memory of 656	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	42
PID 2040 wrote to memory of 656	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	42
PID 2040 wrote to memory of 656	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	42
PID 2040 wrote to memory of 656	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	42
PID 2040 wrote to memory of 1160	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	43
PID 2040 wrote to memory of 1160	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	43
PID 2040 wrote to memory of 1160	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	43
PID 2040 wrote to memory of 1160	2040	{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe	43
PID 656 wrote to memory of 1700	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	44
PID 656 wrote to memory of 1700	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	44
PID 656 wrote to memory of 1700	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	44
PID 656 wrote to memory of 1700	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	44
PID 656 wrote to memory of 2328	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	45
PID 656 wrote to memory of 2328	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	45
PID 656 wrote to memory of 2328	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	45
PID 656 wrote to memory of 2328	656	{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
  C:\Windows\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
    C:\Windows\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{644376B4-BECD-45b6-898E-8E538E248475}.exe
      C:\Windows\{644376B4-BECD-45b6-898E-8E538E248475}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
        
        C:\Windows\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
        
        C:\Windows\{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe
        
        C:\Windows\{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
        
        C:\Windows\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
        
        C:\Windows\{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
        
        C:\Windows\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe
        
        C:\Windows\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\{5D581349-908B-4976-8C59-C7A98D4CD0A1}.exe
        
        C:\Windows\{5D581349-908B-4976-8C59-C7A98D4CD0A1}.exe
        12⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEDAF~1.EXE > nul
        12⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F380~1.EXE > nul
        11⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25DE6~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{561B3~1.EXE > nul
        9⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34403~1.EXE > nul
        8⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC51~1.EXE > nul
        7⤵
        
        PID:1824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46FC6~1.EXE > nul
        6⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64437~1.EXE > nul
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A51F~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5AB00~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25DE6019-41B1-4901-94B2-D01CCDE1278A}.exe

Filesize
192KB

MD5
a9dd64eede21ac9cab4b120626963364

SHA1
df0004567a340759cbb9bdecb38777f23efa66a2

SHA256
35c24e25db96636758421f120dda02ee7607504e6b7dcca32bbd5f230885d2d0

SHA512
ab9fb0c958ffc7afe9aef5c093739b2a543bc70c107c91fe53f7708d0f65eab1201abd1c6ec260ce042b85a9f0cc6fa73b67c9474bcdadc69d6a0c8ff9f87b82

Download Submit
C:\Windows\{3440366A-0788-4a14-B5AB-7D737BF025DB}.exe

Filesize
192KB

MD5
d558f7134e58df5301745e4fbb6bd7ce

SHA1
bd93816b9f6c52cf63878a175326c94969b1e674

SHA256
2e99ac012f4c46561611ed2d309d26db19b65bf69a8fb9bc9a055598d27d2a52

SHA512
b715162afc1f8d1cf71222501bcfd78858f7f71994a6eb3e7529661948da3930c69a53ff3f1a33185e0adfb2474f509649d084b2dcf601030ed09f0f755e36fd

Download Submit
C:\Windows\{3F3809C6-D5B5-4c99-A3BA-0ABC48892E9D}.exe

Filesize
192KB

MD5
fe01dabf4c151e826d828cf6653b84b0

SHA1
0b2613d48ec8ec007eb37d68bb0cf4edf8dc99d8

SHA256
645849fb18eb7f66a5e9aac2a102942c5957ac30faa8858a452fe1a378ca108c

SHA512
369bc2c36d4bd4256cf8130be030a00d44fd0493f25ec9834f16b3feec86515d8a154b8461f787e3b8ff97eac795b286d7a91b70fa91263b3ed3753cd9fd9c44

Download Submit
C:\Windows\{46FC61D9-F4D4-4d6e-9CB2-7A39ABC08C77}.exe

Filesize
192KB

MD5
1ed71c46de0520b60e90ab6db6c0d18e

SHA1
6da0602ad5005a312b26b4ca66869ecb4639816c

SHA256
09675cf7b7d112774784335bf45d263c934dab5807264bcd5c5f05c5aba8198a

SHA512
c3530577a92c43343bd713b3bbc76532a4482fa672d6134d06bb8763097b39441b4f2eb64aa26dddd3eae45954af39de7a9b893ef1c50e13ae1b6471f98e3fa0

Download Submit
C:\Windows\{561B30BF-3DB5-4a80-AB1B-26F60C02C98E}.exe

Filesize
192KB

MD5
03ca10214d6585a76929675123012da1

SHA1
282c6955c103777ffed2b0ef1de372866ca6a600

SHA256
fb3a26e05c82e71e720516c5e39d032020a88cf1cc8382a8b7a562f5db194bec

SHA512
50d45962927a29ee729ae53f459c5a00bb69a7b2bc21cb7947673cdfd20a2ecc4fe5d834bdb2818b217824b92a9f76717d71e67f3b5fb4617ca6ad76eae83957

Download Submit
C:\Windows\{5AB002F4-7C29-4c61-BCC5-C52505205F9D}.exe

Filesize
192KB

MD5
66f2de18d41237693ee3101490ad6f7f

SHA1
cec57902a7900f56495db7af11b3dc7d4f37f853

SHA256
0f3f6f19ca5f0fd3b25670c1a611b5a3e974d3d33a276cb5a51cfd2318561ed4

SHA512
bbbb519ebfc6148a812f69dfda164534d262a17e4866c32b57ecdf83f2df8818c1ef7c9356f3fff78f64d7d92efd34f120bed299a6300dc75240053b1056c5f6

Download Submit
C:\Windows\{5D581349-908B-4976-8C59-C7A98D4CD0A1}.exe

Filesize
192KB

MD5
04cec52d99584294694de20b32a34557

SHA1
086aaae160e8af76b71d4899e0095c54d5edc886

SHA256
b05ee977c50558f26fe8eae55f56491ce4b3833f16268456321a9a65ab94c314

SHA512
2e8a03f946ff5c6ff60946c262b7cab259cc4d1f86aee061380b213dd707a16013f2d9a1d5eb3c276e58857ab0183bdbffc349ae970d3067b374c9846e17ec62

Download Submit
C:\Windows\{644376B4-BECD-45b6-898E-8E538E248475}.exe

Filesize
192KB

MD5
651f2b48de02737c02e9fa305ea37922

SHA1
bb7aacec8d246eecdfcbc21b87ef6d025e261e1c

SHA256
3f57ca9df35615207f10448f8280fe299ffa8e0e1de0560eeb959df433eae9af

SHA512
ae7224fba7d53cc0ec45f72a400b627029545b1b3f80430e56e222837b4f7b29e141c8d9a84ad1dabf40f1efe6bcea26d277792008b76f687bc99c8fde09cc1b

Download Submit
C:\Windows\{8A51FC26-A356-4bfe-B0F8-CC904AC2091D}.exe

Filesize
192KB

MD5
a585e80f1b32adf83402eda211f9453f

SHA1
c7582855e48883f584a610957c35f46779a683ad

SHA256
90604787699d40b7c15cc32dc1f9a751bf900772e97a15fdb53a6b0e1e4908cc

SHA512
68650251603a12bac71497dac9a2c4cfdedb7121df9dc2e310a3ac8faa868b4111b7499654e78653ea7d62789b313b237a9ffa4bacf2bd85b602dd52e529c464

Download Submit
C:\Windows\{AEC51D18-FAAC-435e-8742-49521DCA0E85}.exe

Filesize
192KB

MD5
eabf700e1a45d8d47317ffe486615c81

SHA1
379ecc7038c0e21ab701a4e3c0701946428aa6a8

SHA256
035ab482a55ba15e7fc38d417cf56bb0d35041ac0831a6f5b603939410eaea45

SHA512
f1f521eb35593f9db7cda319a937ae8b1f7b4993237295d35789c239facc0586d31ec424dc66346d5d1065d530fe3c33e722418cb056b204a052758d8e1cf4a5

Download Submit
C:\Windows\{CEDAFECE-4A71-4a2a-8EC4-D4F4FCF2166B}.exe

Filesize
192KB

MD5
20f5a651012563551a1312b57bd5bed9

SHA1
6f15f328d20288c8c1748ef829e376320fce1d3d

SHA256
ecbcef9bd0dc179bcec93269f6f197f5248607879729a4986898e183c6043968

SHA512
e0ccab839f7c23b2a5982c3ece8d2c9ad460cbb6e31191934960638387856851d3f8f55888fbfff507a8673db499d75b4697409565c4ac739d78be8d3534b1e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads