4bca5e029ff5df9fce64aeabb079443625ccfcc66fd1d78e1882731c4a10a8ab

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Size

380KB
MD5

39858076ad8c772e14145879763d0a0d
SHA1

e1977a13a1ba98d99ace8f1d3c84eae09f049463
SHA256

4bca5e029ff5df9fce64aeabb079443625ccfcc66fd1d78e1882731c4a10a8ab
SHA512

eb26902d9e9b09a46852b6e0dd38d70fc44fe3a378f194f1add5952e5fbd4c5d6851a83aed51fd1a5b4469e6dd896423bbbee9944e73f9fa6599fed36ec5496c
SSDEEP

3072:mEGh0ozlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGRl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000144e9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014817-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}\stubpath = "C:\\Windows\\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe"	{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5518120-5A59-4875-8C58-9C2F851ED2F2}	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBFEE2C2-05EC-4aaf-8568-99423E814848}\stubpath = "C:\\Windows\\{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe"	{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5518120-5A59-4875-8C58-9C2F851ED2F2}\stubpath = "C:\\Windows\\{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe"	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{715E640A-5220-4bee-B63D-75129EC16A12}\stubpath = "C:\\Windows\\{715E640A-5220-4bee-B63D-75129EC16A12}.exe"	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}	{7E45ACA9-8758-4106-855E-30DE10736546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{800C8457-0599-46a6-8685-9AF87FB8AD3D}\stubpath = "C:\\Windows\\{800C8457-0599-46a6-8685-9AF87FB8AD3D}.exe"	{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}\stubpath = "C:\\Windows\\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe"	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}\stubpath = "C:\\Windows\\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe"	{715E640A-5220-4bee-B63D-75129EC16A12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E45ACA9-8758-4106-855E-30DE10736546}	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E45ACA9-8758-4106-855E-30DE10736546}\stubpath = "C:\\Windows\\{7E45ACA9-8758-4106-855E-30DE10736546}.exe"	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}\stubpath = "C:\\Windows\\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe"	{7E45ACA9-8758-4106-855E-30DE10736546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}	{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}\stubpath = "C:\\Windows\\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe"	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}\stubpath = "C:\\Windows\\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe"	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{800C8457-0599-46a6-8685-9AF87FB8AD3D}	{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}	{715E640A-5220-4bee-B63D-75129EC16A12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBFEE2C2-05EC-4aaf-8568-99423E814848}	{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{715E640A-5220-4bee-B63D-75129EC16A12}	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe
2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe
2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe
1528	{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
1256	{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
2888	{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe
1492	{800C8457-0599-46a6-8685-9AF87FB8AD3D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
File created	C:\Windows\{7E45ACA9-8758-4106-855E-30DE10736546}.exe	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
File created	C:\Windows\{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe	{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
File created	C:\Windows\{800C8457-0599-46a6-8685-9AF87FB8AD3D}.exe	{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe
File created	C:\Windows\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe	{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
File created	C:\Windows\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
File created	C:\Windows\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
File created	C:\Windows\{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
File created	C:\Windows\{715E640A-5220-4bee-B63D-75129EC16A12}.exe	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe
File created	C:\Windows\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	{715E640A-5220-4bee-B63D-75129EC16A12}.exe
File created	C:\Windows\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe	{7E45ACA9-8758-4106-855E-30DE10736546}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
Token: SeIncBasePriorityPrivilege	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
Token: SeIncBasePriorityPrivilege	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
Token: SeIncBasePriorityPrivilege	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe
Token: SeIncBasePriorityPrivilege	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe
Token: SeIncBasePriorityPrivilege	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
Token: SeIncBasePriorityPrivilege	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe
Token: SeIncBasePriorityPrivilege	1528	{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
Token: SeIncBasePriorityPrivilege	1256	{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
Token: SeIncBasePriorityPrivilege	2888	{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2856	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	28
PID 2928 wrote to memory of 2856	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	28
PID 2928 wrote to memory of 2856	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	28
PID 2928 wrote to memory of 2856	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	28
PID 2928 wrote to memory of 2964	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	29
PID 2928 wrote to memory of 2964	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	29
PID 2928 wrote to memory of 2964	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	29
PID 2928 wrote to memory of 2964	2928	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	29
PID 2856 wrote to memory of 2652	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	30
PID 2856 wrote to memory of 2652	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	30
PID 2856 wrote to memory of 2652	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	30
PID 2856 wrote to memory of 2652	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	30
PID 2856 wrote to memory of 2564	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	31
PID 2856 wrote to memory of 2564	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	31
PID 2856 wrote to memory of 2564	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	31
PID 2856 wrote to memory of 2564	2856	{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe	31
PID 2652 wrote to memory of 2616	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	32
PID 2652 wrote to memory of 2616	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	32
PID 2652 wrote to memory of 2616	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	32
PID 2652 wrote to memory of 2616	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	32
PID 2652 wrote to memory of 2476	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	33
PID 2652 wrote to memory of 2476	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	33
PID 2652 wrote to memory of 2476	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	33
PID 2652 wrote to memory of 2476	2652	{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe	33
PID 2616 wrote to memory of 2968	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	36
PID 2616 wrote to memory of 2968	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	36
PID 2616 wrote to memory of 2968	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	36
PID 2616 wrote to memory of 2968	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	36
PID 2616 wrote to memory of 1996	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	37
PID 2616 wrote to memory of 1996	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	37
PID 2616 wrote to memory of 1996	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	37
PID 2616 wrote to memory of 1996	2616	{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe	37
PID 2968 wrote to memory of 2956	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	38
PID 2968 wrote to memory of 2956	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	38
PID 2968 wrote to memory of 2956	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	38
PID 2968 wrote to memory of 2956	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	38
PID 2968 wrote to memory of 2180	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	39
PID 2968 wrote to memory of 2180	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	39
PID 2968 wrote to memory of 2180	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	39
PID 2968 wrote to memory of 2180	2968	{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe	39
PID 2956 wrote to memory of 2240	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	40
PID 2956 wrote to memory of 2240	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	40
PID 2956 wrote to memory of 2240	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	40
PID 2956 wrote to memory of 2240	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	40
PID 2956 wrote to memory of 1940	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	41
PID 2956 wrote to memory of 1940	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	41
PID 2956 wrote to memory of 1940	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	41
PID 2956 wrote to memory of 1940	2956	{715E640A-5220-4bee-B63D-75129EC16A12}.exe	41
PID 2240 wrote to memory of 1156	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	42
PID 2240 wrote to memory of 1156	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	42
PID 2240 wrote to memory of 1156	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	42
PID 2240 wrote to memory of 1156	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	42
PID 2240 wrote to memory of 1444	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	43
PID 2240 wrote to memory of 1444	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	43
PID 2240 wrote to memory of 1444	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	43
PID 2240 wrote to memory of 1444	2240	{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe	43
PID 1156 wrote to memory of 1528	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	44
PID 1156 wrote to memory of 1528	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	44
PID 1156 wrote to memory of 1528	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	44
PID 1156 wrote to memory of 1528	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	44
PID 1156 wrote to memory of 1036	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	45
PID 1156 wrote to memory of 1036	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	45
PID 1156 wrote to memory of 1036	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	45
PID 1156 wrote to memory of 1036	1156	{7E45ACA9-8758-4106-855E-30DE10736546}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
  C:\Windows\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
    C:\Windows\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
      C:\Windows\{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe
        
        C:\Windows\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{715E640A-5220-4bee-B63D-75129EC16A12}.exe
        
        C:\Windows\{715E640A-5220-4bee-B63D-75129EC16A12}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
        
        C:\Windows\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{7E45ACA9-8758-4106-855E-30DE10736546}.exe
        
        C:\Windows\{7E45ACA9-8758-4106-855E-30DE10736546}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
        
        C:\Windows\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
        
        C:\Windows\{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe
        
        C:\Windows\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{800C8457-0599-46a6-8685-9AF87FB8AD3D}.exe
        
        C:\Windows\{800C8457-0599-46a6-8685-9AF87FB8AD3D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB1A~1.EXE > nul
        12⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBFEE~1.EXE > nul
        11⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A2BB~1.EXE > nul
        10⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E45A~1.EXE > nul
        9⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44B61~1.EXE > nul
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{715E6~1.EXE > nul
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62841~1.EXE > nul
        6⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5518~1.EXE > nul
        5⤵
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C128F~1.EXE > nul
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A5F6~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{44B61A3F-AE92-497a-B1C3-D6FD81FBEB0B}.exe

Filesize
380KB

MD5
004822b073f818600ac35aaf84cb687f

SHA1
b1d123881c681b0108907d26ceebf6ac4e97d4b2

SHA256
394c031ea4f0bcb26d6874ab28b1a54c9a3228742a342e99fa215a93d6133a8e

SHA512
5cdbb24e9f4620204ab296b28357fdbfd0086c4177f5f0bf7696f07e3cdec2a75bac659d1eb99c1a0509c9fbb0e5b2c697da16f1ebab9200e3342a8db1b7a206

Download Submit
C:\Windows\{628412C2-E7E7-432c-8CE4-3A40D98FC2B2}.exe

Filesize
380KB

MD5
d8a41cd098921b6b92260690876f71c7

SHA1
863eb7a80805f1f6bb28cd8e5a2c24021c67a626

SHA256
91965d7ce2347ced36f5767054d947fa6c668cabbd7b35076240c231c11623cd

SHA512
0bd7fb87790badb60ddb8f9ea7a9c3604a1803318fff2cd2a4f4702350e6673c807198d1f037f92089e48b22c12eba5b654b1a8072e3659795896882610c5888

Download Submit
C:\Windows\{715E640A-5220-4bee-B63D-75129EC16A12}.exe

Filesize
380KB

MD5
484741f3c2b25a13315c753bfb527962

SHA1
7ad2909c98c709d8210027214bc7796da1cfafc5

SHA256
12c69db1d24411f2791938ea3131aa4a91fb4e96c723ac71409f6d8c06471f6f

SHA512
ba0c7bc5d3e817b28ffb1b784c0668037529ef6149089149c704f4f96ad8e0e30446d296d875cca64ca6200cb594228d56c26eb71bfff72c64142325eed6d5bb

Download Submit
C:\Windows\{7A2BBDDE-0135-4534-B7D8-4EECC60B6518}.exe

Filesize
380KB

MD5
80940c487dc633ce751df3ef97777902

SHA1
f5b6ca767b299c1df4691faedad464c8c6fafa5d

SHA256
9beacb39b6da35039a1feb10bfff037697bca1aa5dafe5c1d4826f79e95d966f

SHA512
6de9b52c9bbb6bb1fbb857bcc46b20ac4771cac1d778810f8e552f9541cce44c428bf41cc0c67be7a3f8a0f74e8a957fdc4c6d32e45635c3be5db65d2647b141

Download Submit
C:\Windows\{7A5F6E71-8408-482e-BEE7-9AB9E60D9F8B}.exe

Filesize
380KB

MD5
04a7262ff8d8ebc4ccdc4c4e8ea39d68

SHA1
181d628809ac58f92cff4bb93ebfd84732beb18d

SHA256
211bef66e794b3bb33efc96a574c719ea549e3d7eea045ca9786831ffbb5bd10

SHA512
e0372ad2a79d4b5661bfa74f8462e387aa25762366d76d3b1f4a590c394a33029be42610f1b7105135f81c27b96fe840d5982b5e05c7bd30b3d0a3ed06739b16

Download Submit
C:\Windows\{7BB1AFFE-359B-4d4c-B677-1217A454A4E8}.exe

Filesize
380KB

MD5
db576b226fa0d7909afac528d7e4aeca

SHA1
5b1626f36a5fb853c29906dabb3c74627651f39f

SHA256
acc0aadcddafda4bcad47228a2bb287592c247d822e4bc885e2b0beccca36eed

SHA512
22fe89c3807b52abb195da73313d9a4c47bf830af5c91f73fac5230458c1ca2100f0e63e8d335b5db6b0b09427387b8f0f99d559b486f416f77df7dd79642d77

Download Submit
C:\Windows\{7E45ACA9-8758-4106-855E-30DE10736546}.exe

Filesize
380KB

MD5
6be2666a2e022d1782cf5123c71fa3cc

SHA1
807223262ccd545086e8a68f434b753d54d7b6cc

SHA256
f665129ec74711b0754d39c8351b5096064563575296f941136e5d1d8ad74e3a

SHA512
171e3cad6f111b34e5d5c7aa59803fd309189bbc746ad80deca1634167cee25a36184c532440c2d0f97e42cce9911902ff166d378bc5139452a2b166bff20710

Download Submit
C:\Windows\{800C8457-0599-46a6-8685-9AF87FB8AD3D}.exe

Filesize
380KB

MD5
627b11240f287f2f69f152a74ffc67a1

SHA1
17014be3c46651c3f0c263408e5b253063db37bb

SHA256
b5c2c368b8aa6a56b7c59d85069bc7cb1f9efa3c3dfd8e40d9cc1a0ecd9d8fe8

SHA512
8e3d678f77637ff6a6b8de24b2fec9395d6df0128ccda5b6b94e34e36e2e6e704da85858809736e21ee67504a402a3d3d057b75a8cb101dfc72eafe3134c2eb2

Download Submit
C:\Windows\{A5518120-5A59-4875-8C58-9C2F851ED2F2}.exe

Filesize
380KB

MD5
800bd03d03b5f36fc1dece12a419e969

SHA1
3705ca74721a9f5d384e3ee094ab44f0da41d674

SHA256
08bd0caeb7203fc22f43d24c92cde8ffd3c8705f5c2ea6281d10275bc4608f79

SHA512
aed03e111282b90f685075a5cfcacd30ef36bcb8855ace3f97994a0487cbcbe9b875cd16d314206f4a8269db5b8687070b495c200cff562e1be67dae56fddc63

Download Submit
C:\Windows\{C128F74A-50F1-4afb-A8D9-8DD3BAD7F7D1}.exe

Filesize
380KB

MD5
c46120458db69ff87ec1b4796c61a7e5

SHA1
8a0effc48c9457f01b3c5f330769be3435a7ff58

SHA256
a4a8b4ae82dea2e726366fbdf37abf98a742fb574c9ba97fd72d99744469d2dc

SHA512
cddcaa24bad229cb9160470db2d8bd4856773373559749596eb32e815ffaaad65b6bae17a960082fda5e9b2426f25d99053322838492e357cd93e42a4f562eca

Download Submit
C:\Windows\{EBFEE2C2-05EC-4aaf-8568-99423E814848}.exe

Filesize
380KB

MD5
62b8657779f81021eff811ab83aee578

SHA1
e51a15ba8678851c0eae668ff778d5a6fb244223

SHA256
60ce69015c3954a28419aed63d009aa4a28d19c7e51ee5928441f60e62885ab8

SHA512
234cef491b995c9985c36f4b8fa7da8ac7ec26c554b4f2c8326507c0794fef381773002b5278fb4c6148aef75bd23e2c2e38b0df19e64043f343f55db1eee5b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads