9e1260cda05b0f2861aa89e690d73e15314c5d367bd34b6fe40eecad365d9869

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Size

344KB
MD5

c946504509d770d84c90bce809a98a86
SHA1

4ca7a5ca47f58de7fb1f0145694cd450c059593f
SHA256

9e1260cda05b0f2861aa89e690d73e15314c5d367bd34b6fe40eecad365d9869
SHA512

53e434a058026433fd62ef0410b7b69aeecfb280e4b79eef19bee6acb9dfef1dd5b3923946c70415cd93486e660fb4443fbb9585af90241b66a94ac585c103b3
SSDEEP

3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG0lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013ab9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001654a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C837572C-C894-4885-8058-97C5ADE70EEA}\stubpath = "C:\\Windows\\{C837572C-C894-4885-8058-97C5ADE70EEA}.exe"	{5537506C-04A7-444d-B5A0-B398835EF458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B754630-30F9-418e-BC4F-43A9235EA0FB}\stubpath = "C:\\Windows\\{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe"	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}\stubpath = "C:\\Windows\\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe"	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8C29CFE-CB95-427a-838D-26B6751C40C6}\stubpath = "C:\\Windows\\{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe"	{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2474F023-3A26-4d28-B602-0252E90DC516}\stubpath = "C:\\Windows\\{2474F023-3A26-4d28-B602-0252E90DC516}.exe"	{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5537506C-04A7-444d-B5A0-B398835EF458}\stubpath = "C:\\Windows\\{5537506C-04A7-444d-B5A0-B398835EF458}.exe"	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C837572C-C894-4885-8058-97C5ADE70EEA}	{5537506C-04A7-444d-B5A0-B398835EF458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}\stubpath = "C:\\Windows\\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe"	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C4F8408-649E-463d-ABE3-1A5E7207D979}\stubpath = "C:\\Windows\\{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe"	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}\stubpath = "C:\\Windows\\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe"	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}	{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8C29CFE-CB95-427a-838D-26B6751C40C6}	{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C4F8408-649E-463d-ABE3-1A5E7207D979}	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5537506C-04A7-444d-B5A0-B398835EF458}	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B754630-30F9-418e-BC4F-43A9235EA0FB}	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}\stubpath = "C:\\Windows\\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe"	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}\stubpath = "C:\\Windows\\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe"	{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2474F023-3A26-4d28-B602-0252E90DC516}	{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe
2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe
2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
1280	{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
2236	{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
604	{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe
972	{2474F023-3A26-4d28-B602-0252E90DC516}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
File created	C:\Windows\{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
File created	C:\Windows\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
File created	C:\Windows\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
File created	C:\Windows\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe	{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
File created	C:\Windows\{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe	{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
File created	C:\Windows\{2474F023-3A26-4d28-B602-0252E90DC516}.exe	{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe
File created	C:\Windows\{5537506C-04A7-444d-B5A0-B398835EF458}.exe	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
File created	C:\Windows\{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	{5537506C-04A7-444d-B5A0-B398835EF458}.exe
File created	C:\Windows\{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
File created	C:\Windows\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe
Token: SeIncBasePriorityPrivilege	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
Token: SeIncBasePriorityPrivilege	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
Token: SeIncBasePriorityPrivilege	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe
Token: SeIncBasePriorityPrivilege	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
Token: SeIncBasePriorityPrivilege	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
Token: SeIncBasePriorityPrivilege	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
Token: SeIncBasePriorityPrivilege	1280	{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
Token: SeIncBasePriorityPrivilege	2236	{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
Token: SeIncBasePriorityPrivilege	604	{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1960	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	28
PID 2484 wrote to memory of 1960	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	28
PID 2484 wrote to memory of 1960	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	28
PID 2484 wrote to memory of 1960	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	28
PID 2484 wrote to memory of 2544	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	29
PID 2484 wrote to memory of 2544	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	29
PID 2484 wrote to memory of 2544	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	29
PID 2484 wrote to memory of 2544	2484	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	29
PID 1960 wrote to memory of 2268	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	30
PID 1960 wrote to memory of 2268	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	30
PID 1960 wrote to memory of 2268	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	30
PID 1960 wrote to memory of 2268	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	30
PID 1960 wrote to memory of 2564	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	31
PID 1960 wrote to memory of 2564	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	31
PID 1960 wrote to memory of 2564	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	31
PID 1960 wrote to memory of 2564	1960	{5537506C-04A7-444d-B5A0-B398835EF458}.exe	31
PID 2268 wrote to memory of 2540	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	32
PID 2268 wrote to memory of 2540	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	32
PID 2268 wrote to memory of 2540	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	32
PID 2268 wrote to memory of 2540	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	32
PID 2268 wrote to memory of 2464	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	33
PID 2268 wrote to memory of 2464	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	33
PID 2268 wrote to memory of 2464	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	33
PID 2268 wrote to memory of 2464	2268	{C837572C-C894-4885-8058-97C5ADE70EEA}.exe	33
PID 2540 wrote to memory of 1820	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	36
PID 2540 wrote to memory of 1820	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	36
PID 2540 wrote to memory of 1820	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	36
PID 2540 wrote to memory of 1820	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	36
PID 2540 wrote to memory of 2640	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	37
PID 2540 wrote to memory of 2640	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	37
PID 2540 wrote to memory of 2640	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	37
PID 2540 wrote to memory of 2640	2540	{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe	37
PID 1820 wrote to memory of 2772	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	38
PID 1820 wrote to memory of 2772	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	38
PID 1820 wrote to memory of 2772	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	38
PID 1820 wrote to memory of 2772	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	38
PID 1820 wrote to memory of 1620	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	39
PID 1820 wrote to memory of 1620	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	39
PID 1820 wrote to memory of 1620	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	39
PID 1820 wrote to memory of 1620	1820	{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe	39
PID 2772 wrote to memory of 1728	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	40
PID 2772 wrote to memory of 1728	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	40
PID 2772 wrote to memory of 1728	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	40
PID 2772 wrote to memory of 1728	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	40
PID 2772 wrote to memory of 1388	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	41
PID 2772 wrote to memory of 1388	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	41
PID 2772 wrote to memory of 1388	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	41
PID 2772 wrote to memory of 1388	2772	{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe	41
PID 1728 wrote to memory of 1644	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	42
PID 1728 wrote to memory of 1644	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	42
PID 1728 wrote to memory of 1644	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	42
PID 1728 wrote to memory of 1644	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	42
PID 1728 wrote to memory of 888	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	43
PID 1728 wrote to memory of 888	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	43
PID 1728 wrote to memory of 888	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	43
PID 1728 wrote to memory of 888	1728	{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe	43
PID 1644 wrote to memory of 1280	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	44
PID 1644 wrote to memory of 1280	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	44
PID 1644 wrote to memory of 1280	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	44
PID 1644 wrote to memory of 1280	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	44
PID 1644 wrote to memory of 2032	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	45
PID 1644 wrote to memory of 2032	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	45
PID 1644 wrote to memory of 2032	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	45
PID 1644 wrote to memory of 2032	1644	{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\{5537506C-04A7-444d-B5A0-B398835EF458}.exe
  C:\Windows\{5537506C-04A7-444d-B5A0-B398835EF458}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
    C:\Windows\{C837572C-C894-4885-8058-97C5ADE70EEA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
      C:\Windows\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe
        
        C:\Windows\{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
        
        C:\Windows\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
        
        C:\Windows\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
        
        C:\Windows\{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
        
        C:\Windows\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
        
        C:\Windows\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe
        
        C:\Windows\{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\{2474F023-3A26-4d28-B602-0252E90DC516}.exe
        
        C:\Windows\{2474F023-3A26-4d28-B602-0252E90DC516}.exe
        12⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C29~1.EXE > nul
        12⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7EB7~1.EXE > nul
        11⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{305FA~1.EXE > nul
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C4F8~1.EXE > nul
        9⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAFD5~1.EXE > nul
        8⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4363B~1.EXE > nul
        7⤵
        
        PID:1388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B754~1.EXE > nul
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8DA~1.EXE > nul
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C8375~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{55375~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F8DA4B4-24E7-4eaa-8151-C1AD865E49C8}.exe

Filesize
344KB

MD5
55133ebd687a07e3bcb89adde74759bd

SHA1
86396eb6a29b848f210f08b3bfcbf7b2f38eaceb

SHA256
6a00314e6c95bd88ec9230e4f2fa09e6a64abc177cf85a5e28a5b9c813414f4d

SHA512
5ac030211ce13c6ac19a3a212f5fd15d7899b53c40acdc8b1d9998bf14acdaa4f361806eb8b9d0634bdeb4151aa33c2a3b78341a45994d17ccc88b812b8ad499

Download Submit
C:\Windows\{2474F023-3A26-4d28-B602-0252E90DC516}.exe

Filesize
344KB

MD5
5889b4b4fb3ba3cf95f3618e8af1188b

SHA1
1e3e83160f31ecbf2a3981e85631b2914bcad445

SHA256
c7dbce29463224f578dd70980d01a6f9e1d6b606face4772792714e21172a491

SHA512
34ab51160727e473bead15a2b52d199c4310d1ffb2cf58ee7e27db72ee3d4fddb415eb95e12c9fb18fa15997469dc9e69970e295afc34d50628b1ffb317d3711

Download Submit
C:\Windows\{305FAD70-C32A-41ed-B974-1F70C93C0AA7}.exe

Filesize
344KB

MD5
0ad6799ce4f83db1ab419e5689b36390

SHA1
900a569f9ca3b687128c827e994cc9f851163645

SHA256
712d11f8be9e8b7a28efe1b8d557ff63883d8250df3c5f953835eab73049508e

SHA512
2300a479f5c92f675bbff1dfe0ed4c64f51b24c2eef2e517d41486c07194287fb1cdc0e700896edfb3a302be3f54a3672f891bf5ed8348de3351e1f6b5611ee0

Download Submit
C:\Windows\{4363B369-4B9E-4557-8FEE-EF8C2F9588C7}.exe

Filesize
344KB

MD5
e4191f3cf31062078862c4bf3019adc5

SHA1
6671e4a071731de21fd5f979241ab82e206291db

SHA256
e20a0fb950232ce9701f449d2f8ec5fd00ac2d29d9a9ea712a7d1a2df7a4d96a

SHA512
a71f138b44814081dc8acb5d6deaa2e0eb5b964a4952ea9a2f786b6ca220cd30f62180456e6380f7349aed59caf20ff9ad9ba0ffcbc8526a23710914367001d6

Download Submit
C:\Windows\{5537506C-04A7-444d-B5A0-B398835EF458}.exe

Filesize
344KB

MD5
26bb80bcbd82b387ba60a8637c316ffc

SHA1
f9f0ec7a43d7b7576debfde9dd3ffe444dac38f7

SHA256
ffa976ad29f821dfd88774beb2e621a2127d930fcaa5e9b12fe7ca50c1410218

SHA512
ad98e11ebc3c2e0d67b006c31e887b9337417575109745656a626c20d2c4c97cd8af4ddcda817f3fe64948eba80784b3414b5053111a2a19f1c8ecdf40d2456d

Download Submit
C:\Windows\{9B754630-30F9-418e-BC4F-43A9235EA0FB}.exe

Filesize
344KB

MD5
28a7509dcd53a5a0d7fb44edd889dc9c

SHA1
52be45cec20e470a891c325ed98258ff32824d1a

SHA256
577b45bdac6764e6ac176a915fa4384af4cfef577f77f64a325ae3847a6246f2

SHA512
a627b64955ed57003c81a8223c24afccc075513c8b2b5701235a16d41ca680e295a8b5147c170efc8d43fac2f65f02c1c9ad2a8512323e789781f3828151f55e

Download Submit
C:\Windows\{9C4F8408-649E-463d-ABE3-1A5E7207D979}.exe

Filesize
344KB

MD5
900290b2821d2e39af1aa749c0fca928

SHA1
38499c652c897e10f87bdc038cdeed6b12856fb2

SHA256
a19808d1d936130356118251efb84ce09b49a786983c024a522533b5a4df71b0

SHA512
7bd5ed11898a9bbe3e109e79e4b0e5f849432dfa7cbce2371740cbae69e6f486f60d455e2a0ba96096231b2c9a987e0c4d2c5f0a7118119d2bd65d37448f89a3

Download Submit
C:\Windows\{C837572C-C894-4885-8058-97C5ADE70EEA}.exe

Filesize
344KB

MD5
4477245e5f96b4ec74c55bfdb720f32b

SHA1
995cc2d2f5dc1e7f87e6327bba39b4511bae031b

SHA256
314e78931718c85a9adc38baf5f4f44e5159ce347d1523def80e270307d517fa

SHA512
6b026778d00139cca4631de629206a4171af765cfb3aa45dde96acc0d9e58baf393039ed91e7187dc7f1fe8188cac40d54c731069420af83a6bdc5121b172fe8

Download Submit
C:\Windows\{F7EB7B47-C095-42f4-B467-0E48378C6FBB}.exe

Filesize
344KB

MD5
72440b779b2b4374d4bef76ee4bca92e

SHA1
d181502d552875e1f6c2b35c8e75c154839c5fe4

SHA256
03c0cffc6afc83bec1a7b2bc4bd1bb042bbb71ee82a5bbd691e15edd3684a39f

SHA512
3b8b24abe913463b443c792942b191c8e0e4f5866bac2c5a33ccd9efa8440de5d3065d98ec8b7c815ad9f39114f37c779151a563b8af71d9e48007136e37fe39

Download Submit
C:\Windows\{F8C29CFE-CB95-427a-838D-26B6751C40C6}.exe

Filesize
344KB

MD5
b23a8b508989ebd4e3c25b50d4e10995

SHA1
ee5dcf374fbe07a8c14e94b103eba125667bdd70

SHA256
47464ec3d5bfeed3e20e66d94b6d763b02e83fd96bbbebe0666f3b29106f3793

SHA512
1b3a7c59c952448d7682e493f1478cd0ff4fa4c7bae6152848d649857c838ff9854b85833db9f346d5cb62dc19e4caa84557adb822bba43639605c816cd78ba3

Download Submit
C:\Windows\{FAFD56A2-84AE-461d-8D5A-9AD2726971C3}.exe

Filesize
344KB

MD5
4db8d7804d4a709f9931ccdd55b1f9a9

SHA1
7ab73019b5ae23a8a7b8d1bc6be18b3c558bd4e4

SHA256
e3a4ed92bb7239c0456dabda6ac371cb315d1fe96caee63c30a4f831779b2050

SHA512
04912cad6174d84097fd4a04da7daf789f430636a5daf9adb43d975734d4d03f89752f540c716b2cb46c13d4036f083e65c8372881330f578319834186d4d8de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads