6f049962a0ceaccb3e07f683ad3d58a64a7ced67995543f2902b8f1cfb3fd3e3

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Size

380KB
MD5

f95b01f8fe2f46edcefbdd1f83d3f54e
SHA1

f2b723b136b2de7ae4442599f4852e949a88a797
SHA256

6f049962a0ceaccb3e07f683ad3d58a64a7ced67995543f2902b8f1cfb3fd3e3
SHA512

9cd9f7f2cb80c0be4dc0cfa3a1c7430317e43c9c8b468c75e5c3486b2f5664f68370c45573954871651b8a651f5f22ed4c61f3562870e9fdce0495eab35d90e5
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7D68D33-77A4-455d-889A-30016F60B19B}	{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}\stubpath = "C:\\Windows\\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}.exe"	{B7D68D33-77A4-455d-889A-30016F60B19B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3184B97-7F1C-4720-A477-BBA308850941}\stubpath = "C:\\Windows\\{A3184B97-7F1C-4720-A477-BBA308850941}.exe"	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}\stubpath = "C:\\Windows\\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe"	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}	{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1738F942-88AB-4fa8-A26F-145B5D197525}	{A3184B97-7F1C-4720-A477-BBA308850941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1738F942-88AB-4fa8-A26F-145B5D197525}\stubpath = "C:\\Windows\\{1738F942-88AB-4fa8-A26F-145B5D197525}.exe"	{A3184B97-7F1C-4720-A477-BBA308850941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDD167E-A86E-4881-A63D-E55A26F1261A}\stubpath = "C:\\Windows\\{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe"	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}\stubpath = "C:\\Windows\\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe"	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3184B97-7F1C-4720-A477-BBA308850941}	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{105264AB-D9D4-4003-9E54-E6D42CAB970F}\stubpath = "C:\\Windows\\{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe"	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}\stubpath = "C:\\Windows\\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe"	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}\stubpath = "C:\\Windows\\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe"	{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7D68D33-77A4-455d-889A-30016F60B19B}\stubpath = "C:\\Windows\\{B7D68D33-77A4-455d-889A-30016F60B19B}.exe"	{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}\stubpath = "C:\\Windows\\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe"	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{105264AB-D9D4-4003-9E54-E6D42CAB970F}	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDD167E-A86E-4881-A63D-E55A26F1261A}	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}	{B7D68D33-77A4-455d-889A-30016F60B19B}.exe

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe
320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe
816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
768	{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
1704	{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
2716	{B7D68D33-77A4-455d-889A-30016F60B19B}.exe
1324	{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A3184B97-7F1C-4720-A477-BBA308850941}.exe	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
File created	C:\Windows\{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	{A3184B97-7F1C-4720-A477-BBA308850941}.exe
File created	C:\Windows\{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
File created	C:\Windows\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
File created	C:\Windows\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
File created	C:\Windows\{B7D68D33-77A4-455d-889A-30016F60B19B}.exe	{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
File created	C:\Windows\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}.exe	{B7D68D33-77A4-455d-889A-30016F60B19B}.exe
File created	C:\Windows\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
File created	C:\Windows\{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
File created	C:\Windows\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe	{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
File created	C:\Windows\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
Token: SeIncBasePriorityPrivilege	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe
Token: SeIncBasePriorityPrivilege	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
Token: SeIncBasePriorityPrivilege	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
Token: SeIncBasePriorityPrivilege	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe
Token: SeIncBasePriorityPrivilege	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
Token: SeIncBasePriorityPrivilege	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
Token: SeIncBasePriorityPrivilege	768	{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
Token: SeIncBasePriorityPrivilege	1704	{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
Token: SeIncBasePriorityPrivilege	2716	{B7D68D33-77A4-455d-889A-30016F60B19B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1160	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	28
PID 2228 wrote to memory of 1160	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	28
PID 2228 wrote to memory of 1160	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	28
PID 2228 wrote to memory of 1160	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	28
PID 2228 wrote to memory of 2556	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	29
PID 2228 wrote to memory of 2556	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	29
PID 2228 wrote to memory of 2556	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	29
PID 2228 wrote to memory of 2556	2228	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	29
PID 1160 wrote to memory of 2728	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	30
PID 1160 wrote to memory of 2728	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	30
PID 1160 wrote to memory of 2728	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	30
PID 1160 wrote to memory of 2728	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	30
PID 1160 wrote to memory of 2588	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	31
PID 1160 wrote to memory of 2588	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	31
PID 1160 wrote to memory of 2588	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	31
PID 1160 wrote to memory of 2588	1160	{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe	31
PID 2728 wrote to memory of 320	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	32
PID 2728 wrote to memory of 320	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	32
PID 2728 wrote to memory of 320	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	32
PID 2728 wrote to memory of 320	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	32
PID 2728 wrote to memory of 3000	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	33
PID 2728 wrote to memory of 3000	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	33
PID 2728 wrote to memory of 3000	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	33
PID 2728 wrote to memory of 3000	2728	{A3184B97-7F1C-4720-A477-BBA308850941}.exe	33
PID 320 wrote to memory of 2636	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	36
PID 320 wrote to memory of 2636	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	36
PID 320 wrote to memory of 2636	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	36
PID 320 wrote to memory of 2636	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	36
PID 320 wrote to memory of 1992	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	37
PID 320 wrote to memory of 1992	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	37
PID 320 wrote to memory of 1992	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	37
PID 320 wrote to memory of 1992	320	{1738F942-88AB-4fa8-A26F-145B5D197525}.exe	37
PID 2636 wrote to memory of 2840	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	38
PID 2636 wrote to memory of 2840	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	38
PID 2636 wrote to memory of 2840	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	38
PID 2636 wrote to memory of 2840	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	38
PID 2636 wrote to memory of 2852	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	39
PID 2636 wrote to memory of 2852	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	39
PID 2636 wrote to memory of 2852	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	39
PID 2636 wrote to memory of 2852	2636	{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe	39
PID 2840 wrote to memory of 816	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	40
PID 2840 wrote to memory of 816	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	40
PID 2840 wrote to memory of 816	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	40
PID 2840 wrote to memory of 816	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	40
PID 2840 wrote to memory of 2176	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	41
PID 2840 wrote to memory of 2176	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	41
PID 2840 wrote to memory of 2176	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	41
PID 2840 wrote to memory of 2176	2840	{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe	41
PID 816 wrote to memory of 1732	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	42
PID 816 wrote to memory of 1732	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	42
PID 816 wrote to memory of 1732	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	42
PID 816 wrote to memory of 1732	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	42
PID 816 wrote to memory of 1724	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	43
PID 816 wrote to memory of 1724	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	43
PID 816 wrote to memory of 1724	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	43
PID 816 wrote to memory of 1724	816	{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe	43
PID 1732 wrote to memory of 768	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	44
PID 1732 wrote to memory of 768	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	44
PID 1732 wrote to memory of 768	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	44
PID 1732 wrote to memory of 768	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	44
PID 1732 wrote to memory of 1444	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	45
PID 1732 wrote to memory of 1444	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	45
PID 1732 wrote to memory of 1444	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	45
PID 1732 wrote to memory of 1444	1732	{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
  C:\Windows\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\{A3184B97-7F1C-4720-A477-BBA308850941}.exe
    C:\Windows\{A3184B97-7F1C-4720-A477-BBA308850941}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
      C:\Windows\{1738F942-88AB-4fa8-A26F-145B5D197525}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
        
        C:\Windows\{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe
        
        C:\Windows\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
        
        C:\Windows\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
        
        C:\Windows\{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
        
        C:\Windows\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
        
        C:\Windows\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\{B7D68D33-77A4-455d-889A-30016F60B19B}.exe
        
        C:\Windows\{B7D68D33-77A4-455d-889A-30016F60B19B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}.exe
        
        C:\Windows\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}.exe
        12⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D68~1.EXE > nul
        12⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B3A9~1.EXE > nul
        11⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49D1B~1.EXE > nul
        10⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDD1~1.EXE > nul
        9⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57551~1.EXE > nul
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2446E~1.EXE > nul
        7⤵
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10526~1.EXE > nul
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1738F~1.EXE > nul
        5⤵
        
        PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3184~1.EXE > nul
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{497D0~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{105264AB-D9D4-4003-9E54-E6D42CAB970F}.exe

Filesize
380KB

MD5
2b8f9aeccd9f24fdd7ff6d01d314017d

SHA1
39e24b911f04142f34075d4feed32a2ea48334e8

SHA256
d49ed78f7011229c5b83b9014618b91fff504c7e7521a8dc2261e8f63382603d

SHA512
31d7778c3d9a641f33f85145526fe8cfc50139f9ab12f58a635f7dbb4e572f4af5f5bd97a38b79aee3e201389fae02d9a6bd6d97ef712677d8c248b3a9f24ddf

Download Submit
C:\Windows\{1738F942-88AB-4fa8-A26F-145B5D197525}.exe

Filesize
380KB

MD5
fc3f5ab82dca3bfb0a5c662587364aff

SHA1
2f3bd046da0af0f17762c66c3f94026162f2a8ec

SHA256
5a978ff595bd22bb94618dd2cbaab783d39e28e87a5f9ebf669a3ec38c2ed46b

SHA512
3fbd2c52433bdb80e3469ad30b936480b7ca6cdb2c5a4fc64f849607c4c5b5281eb6d527c49bf0e9cd1172f0e93c083414da6aeb34aebdb86e597283b9ad0b2a

Download Submit
C:\Windows\{2446E579-E8E4-4d5e-87A7-39C65E6E2BA4}.exe

Filesize
380KB

MD5
1565e88dc0d2fdddeeba971f6c230378

SHA1
9dd4d3b1145bac6fe530adea1a8ee8459917ae44

SHA256
278c54c7ca756c15c61b9ff516acb9bdc63eed74b206798ddbe288974973d11c

SHA512
e31c68c9d6a9f0bf010794c304c2b9bef63d0e56b2c57d876dc3ef9eac3e4ce2dce4c3a703316c5fe48f050cec2780d89749fc9240a935c9a35c323474c898c5

Download Submit
C:\Windows\{2B3A9A97-C56F-44c7-9201-DA8BCAC0A7CA}.exe

Filesize
380KB

MD5
5f40b5029efa2115e138aa9ad4f1b626

SHA1
41470caac9e38ed54f48dcc304c2aaeb06769800

SHA256
3d0a298f6dd3ebb97a0b93a6a204691ab261e7b7d6a3dbe9a7e548a0cf7b8bbb

SHA512
3926c0cd28d17e27b7aad6fa3a42b1dded90e5233da21122cad05ab5b9cb2fd9b2fe86701b87087b893927cd17766a7b84a5d8927784261e8af5965c1c4f292d

Download Submit
C:\Windows\{497D0926-D7E9-4e9a-8BC1-1B0ED081519C}.exe

Filesize
380KB

MD5
8d09f3bf9d4d72456e86f3168d022b77

SHA1
6798c492ac4bddcec46f1f11feb6df4a1b1cc292

SHA256
5072283d179636d13a1cc02529cca29b6c49366b042b7821f1ecc6bcc193fca5

SHA512
74d81e8fc5752c3aa2a13406d084458e69426145b31e7eb8ddba5ab3beb41a2f43b97f971bf24db3887d89190b51f17d0905e13a1165d8aaae0971555d5a0547

Download Submit
C:\Windows\{49D1B4DE-89ED-44b0-A232-A602F968A1AD}.exe

Filesize
380KB

MD5
7b561e55a88b56eb945a5038a5e85d26

SHA1
b6a0344897cceaf31177d3ca6b407f325151498f

SHA256
02cd253b324360523d85760283ebb16a5a5ada181657487ef9df7e9297392689

SHA512
5ffd7f9b59e16513666c5dcb47858c7382d8432b4c1bcba0f7ca0e4350ec6ad37c4e9d61f9352e23d090af0a163a1cbed4df84be36ac9f9be9d5850aa623025e

Download Submit
C:\Windows\{57551691-998B-4d8a-9AC3-DB9FFA8BBFC2}.exe

Filesize
380KB

MD5
d6338ec2f8748c6fc74f8284c05245ff

SHA1
871b7770488c3ec5424e9ee425f9c292f0899798

SHA256
aea1ed29532c5e500d224629880e9e857abe5e68b9055d64db26b6d4eff410b5

SHA512
3d90b966ff678157416d4439dc7a7f05d3a069c9c08e8ca319a8ab39b850412c3da1a42eee3d0e2928e0f3956626309d03ebb20fd0784d0f3a1cc6eb157f8458

Download Submit
C:\Windows\{74A8DCFC-970E-4f5e-9809-FB2A89C4FD78}.exe

Filesize
380KB

MD5
4375b8cd748d21deaa2f5859d5c6f3a7

SHA1
e01ce8a50dcc3ab4e1e37e6e89faba2924315387

SHA256
23eb6844013f3e71046e82ebc74755e362b1626153d7c116e68324fa8998b649

SHA512
a170e3dfb19f05623192a7ce904a88f6400218957d23b342c0c9560aa66b1b72624e4896294d0d4160d8d30f67c3c591a5496d5fe1606687fb48e1764937dfde

Download Submit
C:\Windows\{7BDD167E-A86E-4881-A63D-E55A26F1261A}.exe

Filesize
380KB

MD5
0894e6784ef98efd533b14daba0bc335

SHA1
7265fcef63c62e0444da1fb7d44c5555dfc556d8

SHA256
a207e78b98eb50ca230bc4258346cde1c86c125560406ef39eb3cca51363bb76

SHA512
c1a52495842d6550bee311a62aaeb014a97b0435b6d335272c9eabeeb7a954c3b2d1650c2bc4ba328e4429f99a0a6b20275c1e38e6ca54c82fb3958b7f484303

Download Submit
C:\Windows\{A3184B97-7F1C-4720-A477-BBA308850941}.exe

Filesize
380KB

MD5
15c3955b28764a379f9884dc431608ff

SHA1
94ff25e26b45f26c796fe0828d4be0777990b822

SHA256
6586b0f9283c4556afa7d89107d0147f5eaa050f325fdfa91a0bc4e4ee653052

SHA512
8b41c81fe49a6759d3c61e8c734c20b578f9d9f56ddaca998fca0ec52e65e1aee323b3e52d7e896d39f97bd6f64354ddf0d7d4c8d112c64acee512f2a6f8df8d

Download Submit
C:\Windows\{B7D68D33-77A4-455d-889A-30016F60B19B}.exe

Filesize
380KB

MD5
b4724188d68954523471eb7f29009528

SHA1
e3d7e09efafb19c3f053a93522d5581be55418eb

SHA256
0a8f041bb81c57d3fa77b381ec4b456b8dd277e866619a9b1858cd8e38999388

SHA512
5c55fe17fb6eb2b61a6d108e6e5d5dc0473aea0ddc27c03083e0d3ad12ab74d977edbbf39726fba601ebd429b22b12d70e56dde7670b3cd0821993c8a286d07e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads