14b3d860d7398c09e99956ae2adbda9c27b85e23916cbf4d9765498bf24d1390

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Size

408KB
MD5

4685ee0c84f2725585ba2ba2b23b5d5a
SHA1

8aaa71707fb6c8dea15493151164d6c35d6e35d6
SHA256

14b3d860d7398c09e99956ae2adbda9c27b85e23916cbf4d9765498bf24d1390
SHA512

117484d1718b6c171ce2a4453980bf692a00fe33aef7c2d0a941445557cf656deac7bdaf515d061e6576d2e3ed193cf0d00e0f4269ba2e16e57cd55ee57c00ad
SSDEEP

3072:CEGh0ohl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGjldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001232e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001424e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001232e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000144e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000144e4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000144f0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000144f0-67.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08852A01-21BA-46c6-A912-070E36AB7D77}\stubpath = "C:\\Windows\\{08852A01-21BA-46c6-A912-070E36AB7D77}.exe"	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7168DA8-9713-46a9-ABF0-B27924032729}	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}	{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBEF0508-86F2-4be0-9065-FB44433D3B94}	{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBEF0508-86F2-4be0-9065-FB44433D3B94}\stubpath = "C:\\Windows\\{DBEF0508-86F2-4be0-9065-FB44433D3B94}.exe"	{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08852A01-21BA-46c6-A912-070E36AB7D77}	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4C4C65D-F127-4076-AD9A-772A61008F45}\stubpath = "C:\\Windows\\{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe"	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{518272CA-74A9-41a3-8455-FF51183FC4EB}\stubpath = "C:\\Windows\\{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe"	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}\stubpath = "C:\\Windows\\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe"	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}\stubpath = "C:\\Windows\\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe"	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}	{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}\stubpath = "C:\\Windows\\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe"	{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}\stubpath = "C:\\Windows\\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe"	{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}\stubpath = "C:\\Windows\\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe"	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4C4C65D-F127-4076-AD9A-772A61008F45}	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}\stubpath = "C:\\Windows\\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe"	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7168DA8-9713-46a9-ABF0-B27924032729}\stubpath = "C:\\Windows\\{A7168DA8-9713-46a9-ABF0-B27924032729}.exe"	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{518272CA-74A9-41a3-8455-FF51183FC4EB}	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe
1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe
2676	{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
2280	{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
844	{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe
1104	{DBEF0508-86F2-4be0-9065-FB44433D3B94}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DBEF0508-86F2-4be0-9065-FB44433D3B94}.exe	{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe
File created	C:\Windows\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
File created	C:\Windows\{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
File created	C:\Windows\{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
File created	C:\Windows\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe	{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
File created	C:\Windows\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe	{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
File created	C:\Windows\{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
File created	C:\Windows\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
File created	C:\Windows\{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
File created	C:\Windows\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe
File created	C:\Windows\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
Token: SeIncBasePriorityPrivilege	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
Token: SeIncBasePriorityPrivilege	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
Token: SeIncBasePriorityPrivilege	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
Token: SeIncBasePriorityPrivilege	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
Token: SeIncBasePriorityPrivilege	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe
Token: SeIncBasePriorityPrivilege	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe
Token: SeIncBasePriorityPrivilege	2676	{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
Token: SeIncBasePriorityPrivilege	2280	{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
Token: SeIncBasePriorityPrivilege	844	{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1984	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	28
PID 2856 wrote to memory of 1984	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	28
PID 2856 wrote to memory of 1984	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	28
PID 2856 wrote to memory of 1984	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	28
PID 2856 wrote to memory of 2852	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	29
PID 2856 wrote to memory of 2852	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	29
PID 2856 wrote to memory of 2852	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	29
PID 2856 wrote to memory of 2852	2856	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	29
PID 1984 wrote to memory of 2732	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	30
PID 1984 wrote to memory of 2732	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	30
PID 1984 wrote to memory of 2732	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	30
PID 1984 wrote to memory of 2732	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	30
PID 1984 wrote to memory of 2580	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	31
PID 1984 wrote to memory of 2580	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	31
PID 1984 wrote to memory of 2580	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	31
PID 1984 wrote to memory of 2580	1984	{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe	31
PID 2732 wrote to memory of 2588	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	32
PID 2732 wrote to memory of 2588	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	32
PID 2732 wrote to memory of 2588	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	32
PID 2732 wrote to memory of 2588	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	32
PID 2732 wrote to memory of 2828	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	33
PID 2732 wrote to memory of 2828	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	33
PID 2732 wrote to memory of 2828	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	33
PID 2732 wrote to memory of 2828	2732	{08852A01-21BA-46c6-A912-070E36AB7D77}.exe	33
PID 2588 wrote to memory of 2976	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	36
PID 2588 wrote to memory of 2976	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	36
PID 2588 wrote to memory of 2976	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	36
PID 2588 wrote to memory of 2976	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	36
PID 2588 wrote to memory of 1280	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	37
PID 2588 wrote to memory of 1280	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	37
PID 2588 wrote to memory of 1280	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	37
PID 2588 wrote to memory of 1280	2588	{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe	37
PID 2976 wrote to memory of 2780	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	38
PID 2976 wrote to memory of 2780	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	38
PID 2976 wrote to memory of 2780	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	38
PID 2976 wrote to memory of 2780	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	38
PID 2976 wrote to memory of 2836	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	39
PID 2976 wrote to memory of 2836	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	39
PID 2976 wrote to memory of 2836	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	39
PID 2976 wrote to memory of 2836	2976	{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe	39
PID 2780 wrote to memory of 296	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	40
PID 2780 wrote to memory of 296	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	40
PID 2780 wrote to memory of 296	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	40
PID 2780 wrote to memory of 296	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	40
PID 2780 wrote to memory of 1376	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	41
PID 2780 wrote to memory of 1376	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	41
PID 2780 wrote to memory of 1376	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	41
PID 2780 wrote to memory of 1376	2780	{A7168DA8-9713-46a9-ABF0-B27924032729}.exe	41
PID 296 wrote to memory of 1696	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	42
PID 296 wrote to memory of 1696	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	42
PID 296 wrote to memory of 1696	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	42
PID 296 wrote to memory of 1696	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	42
PID 296 wrote to memory of 2000	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	43
PID 296 wrote to memory of 2000	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	43
PID 296 wrote to memory of 2000	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	43
PID 296 wrote to memory of 2000	296	{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe	43
PID 1696 wrote to memory of 2676	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	44
PID 1696 wrote to memory of 2676	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	44
PID 1696 wrote to memory of 2676	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	44
PID 1696 wrote to memory of 2676	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	44
PID 1696 wrote to memory of 2152	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	45
PID 1696 wrote to memory of 2152	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	45
PID 1696 wrote to memory of 2152	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	45
PID 1696 wrote to memory of 2152	1696	{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
  C:\Windows\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
    C:\Windows\{08852A01-21BA-46c6-A912-070E36AB7D77}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
      C:\Windows\{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
        
        C:\Windows\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
        
        C:\Windows\{A7168DA8-9713-46a9-ABF0-B27924032729}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe
        
        C:\Windows\{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe
        
        C:\Windows\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
        
        C:\Windows\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
        
        C:\Windows\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe
        
        C:\Windows\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\{DBEF0508-86F2-4be0-9065-FB44433D3B94}.exe
        
        C:\Windows\{DBEF0508-86F2-4be0-9065-FB44433D3B94}.exe
        12⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D177~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A167E~1.EXE > nul
        11⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B0BA~1.EXE > nul
        10⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0C3~1.EXE > nul
        9⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51827~1.EXE > nul
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7168~1.EXE > nul
        7⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE7CA~1.EXE > nul
        6⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4C4C~1.EXE > nul
        5⤵
        
        PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08852~1.EXE > nul
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73F96~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08852A01-21BA-46c6-A912-070E36AB7D77}.exe

Filesize
408KB

MD5
a2af999dd0b3e843ca87e7081b0d79ec

SHA1
baa11331e3562439d7ece89e574e9054ec45df9f

SHA256
4d2e43f060e2b80abe181bf604e81a60d7b4a0ea54f5c9bcf040a310465c7cb4

SHA512
e5ae3b8ad15d4d26fcdc17d4e806344e9d461c07721f4497f472aabcd68c198456d632281576c8f41a35c2e010bff063a71c7ee06004d7714a8b6f2af8cfe744

Download Submit
C:\Windows\{0B0BA423-6CEE-4f39-A18F-348BB0B2C6AF}.exe

Filesize
408KB

MD5
be4a1012dc92dbd033f8c7e5172493d4

SHA1
19a7ed691a703120ac0cb10984ac15a99994957e

SHA256
cb286fb22ea4a208fd2877f05a361a1afa88d0c4031ab26e27c3a5adcf6429e2

SHA512
8a97d75b6b8f750862d26d007e8a7218ab14befcf45f15fb8fc47469a07c187d061a3dc94b9ecf20b02ee5f7f742727b69b11cbebafdbf9f2c81362eeaed2e79

Download Submit
C:\Windows\{4F0C3DE2-9A7D-495c-8F7F-3EDD9FB809DC}.exe

Filesize
408KB

MD5
aaa4ea9bc1f1f8d77bb1bb74b2e9dab8

SHA1
230cd65a2d76a2e2afecd82280bd603a28ed8d69

SHA256
4bc75f1ad9b326c54d199cdf1c58d7a824c348537a81923f183d3b64448787f9

SHA512
f6e835dffbaf9051e99681095fedb9e5c579d602a6f745523d2f9b132d08acce59a82508d195be1637010a1a1a9f27deff5c4398bb40a93cc4d20f728e0fa824

Download Submit
C:\Windows\{518272CA-74A9-41a3-8455-FF51183FC4EB}.exe

Filesize
408KB

MD5
95eb9d8d9e6a05d9742cfd39198d3420

SHA1
a0ec16692b94d6defb7748e43d8c64958cc5b34d

SHA256
836ca88c3e0827ab13ccf47d42ed2ee0303ba2f9430f18e33a71064f9c8fdbf0

SHA512
2d4de1342b582bb2bf6590bf81ba61c245dc25eead5cc90c93e0bad9ed0c65aabaf5251fbbd2fff63a4c18157b13e72954cb9a4704ad1e6d28a721924c4f6686

Download Submit
C:\Windows\{6D177F32-7385-4ccb-9BFC-BCFB42E4D40E}.exe

Filesize
408KB

MD5
331c599e8111cc23def69a683c88bbe6

SHA1
5063bbbe70e348736ebceb9149bad7378feefb6a

SHA256
7eca11489f1faefe04b908018db6f2b61e63b044605fd1d25b82ee8a79164ff6

SHA512
3195fa767fc92db6a4939c2231a18849f23b3c4b30ba7233fb3aede125baf33b9e56bb31fa958b53365e363a2fa01f936bc1ae9734a7780e78fa1be87ae1336e

Download Submit
C:\Windows\{73F96AEA-8A7C-4aa7-89AE-8387362B7A7E}.exe

Filesize
408KB

MD5
77c2a447512d04d84c5019e37ab5cc54

SHA1
cf9f31d41dbee1e2cd619254d97ab5aad3ab224d

SHA256
649ac0d13c864efcc5640ff5a64d12199c033844d80872ad14cd390490487294

SHA512
a0bd177e29fc6752a19d961716b6da00a595dcaf205a308291784663fce0c9eb9f80cfab6e32fe02e9089b899ff97e106394c1e8f4787b9b4db4e136ac0070c0

Download Submit
C:\Windows\{A167EDAE-BDA1-4dfe-A6F5-2BF37DEC24D6}.exe

Filesize
408KB

MD5
99b3b19b1f285990482e4316a51f29d3

SHA1
7158835c08aded77d1e7eaab0b3ff97a940920d5

SHA256
82c06d5462f077bded542c44a15f5da9316ccfe6f5933779f1fff662cc5f0be0

SHA512
745f86f300d41ee9a580cfa83aff2c9adb33f285a9ea43c82b45964e92647aba414f0275c727baddce931d62595de15f1c2e46b1c1c4ddeb39d11428506c938e

Download Submit
C:\Windows\{A4C4C65D-F127-4076-AD9A-772A61008F45}.exe

Filesize
408KB

MD5
328f39e319b62f632b6e1d7e872fc641

SHA1
94ef3b627621d4da2e8351fe78906b8b2a027169

SHA256
48fad755eacbda210fcdf6a5e8781851b7345b5bdd9d4cfd3ffde91c2a855d60

SHA512
e4550c7a0b6ccefa2b1c848dcfd269d92f3fd925e0182ccd2d5a9ee36dc6373a728bd11be0e115724a18b96e04fc4629c0ef837c9a60a3db7a54dc99956ce233

Download Submit
C:\Windows\{A7168DA8-9713-46a9-ABF0-B27924032729}.exe

Filesize
408KB

MD5
e50e598c6d1a8516c1815b63b4e24f15

SHA1
185f6d7642cd7990616e26cdde397ed29a48cda1

SHA256
f9d5fee506296d01c2bdea780941d7970111ff584d0e29e021da8b720ac42f3e

SHA512
ae483ed00396675cba5cb80db7680584b83f6afd2f6ed243b3c56788d7872e9209974376e152b5753227378aa0aa83504260fab49e0152b798d635dfd0dfe750

Download Submit
C:\Windows\{DBEF0508-86F2-4be0-9065-FB44433D3B94}.exe

Filesize
408KB

MD5
320c150987c1c413e260afdab489c6c3

SHA1
2d3310a9ff446adf382a4bc43706e58c0ed4febe

SHA256
1f8c7021262946ccfe8057b55c25a95445bdf1ab2b5529f5810f38fb29c9a279

SHA512
d34d2940ddf0e37acac41a1c88af777dfb33869a14605c0ee985b1b075f927d7a1a17e95b049f680e03e0224d04739b402b51835e90d760ca750f40ec2a010eb

Download Submit
C:\Windows\{DE7CAFE5-D64A-47ec-9E5D-644DBEE22F50}.exe

Filesize
408KB

MD5
25fdde5a654e8df7fb2f27f5705c3aff

SHA1
3dc69aa28b6533e96a83878d715b22071b008e82

SHA256
3bec0ba5c17fcee13c7e14e0e1a001d45ab7514ca411220ca921ef70a1cbd26e

SHA512
8a6ad7c1a0abaa84482366deb0bd3408c3f4e5f74ba51e89f2bbc69d9a34b517d7ea6d033ea9b81a12685b6c15e3f6b925b2cc62b6c72f15481695cf84e4ca4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads