fc4319a2f7625f342debcd3e2f64f4c87db5127838b506eb2eef9673c04d01b0

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Size

408KB
MD5

3bd9ae7226c412e3e6a9291732140a72
SHA1

bd941ff83e8bf3d80d85b512f64565b2c8bb17ae
SHA256

fc4319a2f7625f342debcd3e2f64f4c87db5127838b506eb2eef9673c04d01b0
SHA512

ff4e5008117b897b4727bf15cd447572901e953f9cadc57879c6a7e6ef4423d0cda1706391ea9f9fa7a196d7bcb37bf544dce7f8ac9747ce49f2b3dba81e3949
SSDEEP

3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG4ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012254-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b27-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e00000001508a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0015000000015659-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f00000001508a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001508a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003100000001508a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}	{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}\stubpath = "C:\\Windows\\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe"	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}\stubpath = "C:\\Windows\\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe"	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33F2820B-895A-4baa-8041-876A0C6F33DF}	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}\stubpath = "C:\\Windows\\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe"	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}\stubpath = "C:\\Windows\\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe"	{25AA08FA-8370-4812-8B41-F1762384767F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CD78D99-982E-4ce4-9033-D9674194F8F4}	{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CD78D99-982E-4ce4-9033-D9674194F8F4}\stubpath = "C:\\Windows\\{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe"	{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33F2820B-895A-4baa-8041-876A0C6F33DF}\stubpath = "C:\\Windows\\{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe"	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77F6389C-9145-4995-B9BC-4B5506273B22}	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77F6389C-9145-4995-B9BC-4B5506273B22}\stubpath = "C:\\Windows\\{77F6389C-9145-4995-B9BC-4B5506273B22}.exe"	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25AA08FA-8370-4812-8B41-F1762384767F}	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}\stubpath = "C:\\Windows\\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe"	{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C32871-4C7E-4871-B929-9C55C69D66FE}	{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C32871-4C7E-4871-B929-9C55C69D66FE}\stubpath = "C:\\Windows\\{F5C32871-4C7E-4871-B929-9C55C69D66FE}.exe"	{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E12407-2F6C-4966-8217-9BCBC620C1A8}	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E12407-2F6C-4966-8217-9BCBC620C1A8}\stubpath = "C:\\Windows\\{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe"	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25AA08FA-8370-4812-8B41-F1762384767F}\stubpath = "C:\\Windows\\{25AA08FA-8370-4812-8B41-F1762384767F}.exe"	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}	{25AA08FA-8370-4812-8B41-F1762384767F}.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe
1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
2012	{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
1048	{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
2324	{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe
956	{F5C32871-4C7E-4871-B929-9C55C69D66FE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
File created	C:\Windows\{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
File created	C:\Windows\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	{25AA08FA-8370-4812-8B41-F1762384767F}.exe
File created	C:\Windows\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe	{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
File created	C:\Windows\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
File created	C:\Windows\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
File created	C:\Windows\{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
File created	C:\Windows\{25AA08FA-8370-4812-8B41-F1762384767F}.exe	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
File created	C:\Windows\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
File created	C:\Windows\{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe	{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
File created	C:\Windows\{F5C32871-4C7E-4871-B929-9C55C69D66FE}.exe	{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
Token: SeIncBasePriorityPrivilege	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
Token: SeIncBasePriorityPrivilege	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
Token: SeIncBasePriorityPrivilege	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
Token: SeIncBasePriorityPrivilege	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
Token: SeIncBasePriorityPrivilege	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe
Token: SeIncBasePriorityPrivilege	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
Token: SeIncBasePriorityPrivilege	2012	{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
Token: SeIncBasePriorityPrivilege	1048	{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
Token: SeIncBasePriorityPrivilege	2324	{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2632	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	28
PID 1976 wrote to memory of 2632	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	28
PID 1976 wrote to memory of 2632	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	28
PID 1976 wrote to memory of 2632	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	28
PID 1976 wrote to memory of 2588	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	29
PID 1976 wrote to memory of 2588	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	29
PID 1976 wrote to memory of 2588	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	29
PID 1976 wrote to memory of 2588	1976	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	29
PID 2632 wrote to memory of 2108	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	30
PID 2632 wrote to memory of 2108	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	30
PID 2632 wrote to memory of 2108	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	30
PID 2632 wrote to memory of 2108	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	30
PID 2632 wrote to memory of 2452	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	31
PID 2632 wrote to memory of 2452	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	31
PID 2632 wrote to memory of 2452	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	31
PID 2632 wrote to memory of 2452	2632	{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe	31
PID 2108 wrote to memory of 2472	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	32
PID 2108 wrote to memory of 2472	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	32
PID 2108 wrote to memory of 2472	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	32
PID 2108 wrote to memory of 2472	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	32
PID 2108 wrote to memory of 2580	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	33
PID 2108 wrote to memory of 2580	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	33
PID 2108 wrote to memory of 2580	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	33
PID 2108 wrote to memory of 2580	2108	{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe	33
PID 2472 wrote to memory of 1716	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	36
PID 2472 wrote to memory of 1716	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	36
PID 2472 wrote to memory of 1716	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	36
PID 2472 wrote to memory of 1716	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	36
PID 2472 wrote to memory of 1640	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	37
PID 2472 wrote to memory of 1640	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	37
PID 2472 wrote to memory of 1640	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	37
PID 2472 wrote to memory of 1640	2472	{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe	37
PID 1716 wrote to memory of 2904	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	38
PID 1716 wrote to memory of 2904	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	38
PID 1716 wrote to memory of 2904	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	38
PID 1716 wrote to memory of 2904	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	38
PID 1716 wrote to memory of 3048	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	39
PID 1716 wrote to memory of 3048	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	39
PID 1716 wrote to memory of 3048	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	39
PID 1716 wrote to memory of 3048	1716	{77F6389C-9145-4995-B9BC-4B5506273B22}.exe	39
PID 2904 wrote to memory of 756	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	40
PID 2904 wrote to memory of 756	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	40
PID 2904 wrote to memory of 756	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	40
PID 2904 wrote to memory of 756	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	40
PID 2904 wrote to memory of 2668	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	41
PID 2904 wrote to memory of 2668	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	41
PID 2904 wrote to memory of 2668	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	41
PID 2904 wrote to memory of 2668	2904	{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe	41
PID 756 wrote to memory of 1756	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	42
PID 756 wrote to memory of 1756	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	42
PID 756 wrote to memory of 1756	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	42
PID 756 wrote to memory of 1756	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	42
PID 756 wrote to memory of 2688	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	43
PID 756 wrote to memory of 2688	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	43
PID 756 wrote to memory of 2688	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	43
PID 756 wrote to memory of 2688	756	{25AA08FA-8370-4812-8B41-F1762384767F}.exe	43
PID 1756 wrote to memory of 2012	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	44
PID 1756 wrote to memory of 2012	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	44
PID 1756 wrote to memory of 2012	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	44
PID 1756 wrote to memory of 2012	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	44
PID 1756 wrote to memory of 1632	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	45
PID 1756 wrote to memory of 1632	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	45
PID 1756 wrote to memory of 1632	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	45
PID 1756 wrote to memory of 1632	1756	{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
  C:\Windows\{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
    C:\Windows\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
      C:\Windows\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
        
        C:\Windows\{77F6389C-9145-4995-B9BC-4B5506273B22}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
        
        C:\Windows\{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{25AA08FA-8370-4812-8B41-F1762384767F}.exe
        
        C:\Windows\{25AA08FA-8370-4812-8B41-F1762384767F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
        
        C:\Windows\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
        
        C:\Windows\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
        
        C:\Windows\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe
        
        C:\Windows\{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\{F5C32871-4C7E-4871-B929-9C55C69D66FE}.exe
        
        C:\Windows\{F5C32871-4C7E-4871-B929-9C55C69D66FE}.exe
        12⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CD78~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C91~1.EXE > nul
        11⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{868F4~1.EXE > nul
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71985~1.EXE > nul
        9⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25AA0~1.EXE > nul
        8⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71E12~1.EXE > nul
        7⤵
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77F63~1.EXE > nul
        6⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D3DA~1.EXE > nul
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F4BE6~1.EXE > nul
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33F28~1.EXE > nul
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CD78D99-982E-4ce4-9033-D9674194F8F4}.exe

Filesize
408KB

MD5
b621f425248422cfb3105dbfd86a1b0d

SHA1
1b15cbb490abee8b5f6f5ce3e4f1f5d64e3ba2e4

SHA256
460f065150de23827ce20fccce0f69342aeee08fdf08b394518cbb0348f22dbd

SHA512
0185fe80ace781f6045583667d17fb9c30c78f4e5285d5361ee5b47a2bc4d6cc9416343549794712d85a452a684e03fb18d8cb0769e99ef3ce7445c5bf122a35

Download Submit
C:\Windows\{1D3DA1E8-6DFB-49c5-ABAC-10152CEF9C63}.exe

Filesize
408KB

MD5
8566a7ca9e620775a19e780cc6ba7702

SHA1
c0ec096cd74ec699e56b05d5f3f534b789a2b377

SHA256
ee4871e5a8a52a95949e68c815d2a3e5e0e29eb964e1c33d83c40102b053ee05

SHA512
0bfc3dddf971d62037d4b6577aabf61353f7b4813dd4e2817be7c9f0e719edfdcc839cd672809af7d3f18dc499c189081db2e7e7ff2acc6c5fdd6cfe6e315dba

Download Submit
C:\Windows\{25AA08FA-8370-4812-8B41-F1762384767F}.exe

Filesize
408KB

MD5
82314f2dae9ecc91546874c7a990ec5c

SHA1
75c0acb7e8bf424e18ee12e758815d5491fe8df1

SHA256
d82a3fc6a262648b8a289dbe3fd7a8346e6fc201fdbbd65b6a0afb65361ae1c8

SHA512
a04f1595928340a4d0f442ad8aab3c3a18f83ab7cb58e66afaa16e8527cdd8b43dfde3612b5142b2a1564872993379f1ab21a1adf55d1af8bdd50d5958f46036

Download Submit
C:\Windows\{33F2820B-895A-4baa-8041-876A0C6F33DF}.exe

Filesize
408KB

MD5
d6e6e1d80b77a49f0cd0582ecda85bfc

SHA1
aaa067cb1ee200475aefdb36448aa7bf182de2e2

SHA256
5d890ec0202f274503f1639dc0c4be1493ac145ebb514b7436144e6268389517

SHA512
cc9177a8e0417f150235ff1325d345df416306db4fa63b8caa2d2a6d02d47125fd11dc6cc74a4d3c342fe104da73085d4eb767a3a7231e8cfac255f1cf347968

Download Submit
C:\Windows\{64C913B5-004B-4dcd-93C7-4A8A8CDE7F35}.exe

Filesize
408KB

MD5
5e2f10c79a0be7047bbe9141c289c5dc

SHA1
be93a91c53768b0e2b15c9bff8ed81ea9802e628

SHA256
b03cd09ee1ae0a8d012ce085e52974b7718e2aa6a3fdce3bcf640406860d94f1

SHA512
d9c320af2402ffba9db4d10192fdee50c8df29466611ce2c861012945b72822f8f4381584e1e448ddf89af2628c85bdc33eaf22c56f4bb574f188b9d92d19313

Download Submit
C:\Windows\{71985C43-4199-4c94-A5ED-68B40B8A4D3A}.exe

Filesize
408KB

MD5
456a40203143c8e2c4765e2922da7a9e

SHA1
c3b9f4afe319ec2d16d89e0d6c9bce1981513524

SHA256
f0ca2f5ae35e9f8a429ea0c4911547a0d949ab19d113c4631474dbd6b295aac1

SHA512
b84a8141eda571fdd05b0507e34017a4bf888335c199787aa41d0e11f93dad6fc89db7842901190cbd71ebdbcb0035531905b4b6595915856e4e6aa8d764ae22

Download Submit
C:\Windows\{71E12407-2F6C-4966-8217-9BCBC620C1A8}.exe

Filesize
408KB

MD5
02fee88d1245a1b3ce24cf0c60333f92

SHA1
2ffc3ea1e9493dee0397406e432274f918374af0

SHA256
22c0713a8056e2ea4b389675539ab1707f7412fec027183dc99ac0e4befa7c74

SHA512
91b63339a20ab96324fece8a0861734ba6bd32663c7b2abb49aa604402a9f3bbe2252d0085b725e26134b29799573aa253edfdf8b88152dc5bb44f1453750a10

Download Submit
C:\Windows\{77F6389C-9145-4995-B9BC-4B5506273B22}.exe

Filesize
408KB

MD5
812e0bda962be4254e2dd2d3dfca0b93

SHA1
fde3fbad63a4125cb01b59df9891948eed81c3f4

SHA256
27aacb980f4b5a0cf87becae4fa571a627130d0d7575a24d1f917ed746a56d3a

SHA512
12d543ef39a2c8eeb997cdaf80081e8b2dd4bd0c12115377d6a0952051d46c93b5cfc2bcd9aa4f65043d0fdb9945910a1d0b95c90e58c1f4d72772fa178862e1

Download Submit
C:\Windows\{868F4485-2C54-482a-A6F0-AD43E8B34E9B}.exe

Filesize
408KB

MD5
3972fce0decfabe6aa3864953ca0884d

SHA1
22d0bb6cbaf69f440499d368f0d735f3d6a26ce2

SHA256
6c358ccaf024de42a4b6182c9ee444d4e817c06bf1daa09cf996c5879c591fb7

SHA512
6d5462a18ae9de3116fb8b73088dfe516f8e59d875e93b7162e1fb64a5cad304e257f7c3c664c2f0edaee00c33a0b11cf82bc6ada98396471341aff336b3da29

Download Submit
C:\Windows\{F4BE6538-AF53-4cb6-B731-BA55BF6EF4B5}.exe

Filesize
408KB

MD5
620b13cf322d8657a792e28f4ca0889d

SHA1
c13977014b66b901d29fbd32fdf918d1000bc811

SHA256
b2a211edccb569a1208a577b7ed1ae2f1443f94a6667e5db34e89f26f196157c

SHA512
bf94fc90d986f43bf55f3db1ca883d41d899e944581d6f78503809749d74765a2e5cff023b0a716b21128b9967e9759338b2984dcd9a8904f51f96b856ca38f2

Download Submit
C:\Windows\{F5C32871-4C7E-4871-B929-9C55C69D66FE}.exe

Filesize
408KB

MD5
6d034424b613cbe3c01f72153d76b496

SHA1
8790ad903febf9bb3965b178d0c4f523ee4ac31f

SHA256
897906c9b0a0f7be7443a905989e7a424ad7e1665996511c883513ab0b55b0f5

SHA512
6c253ee2561fc4628eb9bbf0006a7b0a0057d52b2b4b20f827dbbe56b429ec36c4aa6a0f915e2430f1e9a5272c7b697ee489b2e2d55721a341776caca5cf9336

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads