1db6972133a60dd292868216b8b8dbfd383540092088609fe8f3e9c978636ef1

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Size

180KB
MD5

ca9f6bdece87de190988dcd214e5634c
SHA1

ae4fbc94c51dc80b11496613cf6c2171edbe9428
SHA256

1db6972133a60dd292868216b8b8dbfd383540092088609fe8f3e9c978636ef1
SHA512

72483505fd70112d38ca3010a9fc2cd5c29cddde7cd1a065a691a09d23be46699fe5fc956c84cb6416575ede77da0fbdb3f5d3bbe6018b1f1e6d5ce25943c1ff
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGdl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a06-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001415f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}	{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B456EF80-3357-405a-879B-E0A743D39A6B}	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E818878A-6FAD-457b-A67C-6F244967D074}	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}	{E818878A-6FAD-457b-A67C-6F244967D074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}\stubpath = "C:\\Windows\\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe"	{E818878A-6FAD-457b-A67C-6F244967D074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE05C981-44A4-4db7-9ED0-B87903A1A566}	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}\stubpath = "C:\\Windows\\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe"	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}\stubpath = "C:\\Windows\\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}.exe"	{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E306C34-E91F-4596-9F35-88EFAC142573}	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}\stubpath = "C:\\Windows\\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe"	{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}\stubpath = "C:\\Windows\\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe"	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B456EF80-3357-405a-879B-E0A743D39A6B}\stubpath = "C:\\Windows\\{B456EF80-3357-405a-879B-E0A743D39A6B}.exe"	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E818878A-6FAD-457b-A67C-6F244967D074}\stubpath = "C:\\Windows\\{E818878A-6FAD-457b-A67C-6F244967D074}.exe"	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE05C981-44A4-4db7-9ED0-B87903A1A566}\stubpath = "C:\\Windows\\{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe"	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}	{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}\stubpath = "C:\\Windows\\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe"	{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E306C34-E91F-4596-9F35-88EFAC142573}\stubpath = "C:\\Windows\\{3E306C34-E91F-4596-9F35-88EFAC142573}.exe"	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{624505D8-0A13-4edb-85EE-BB4097D252ED}	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{624505D8-0A13-4edb-85EE-BB4097D252ED}\stubpath = "C:\\Windows\\{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe"	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}	{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe
852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
2044	{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe
1652	{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe
2844	{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe
2632	{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
File created	C:\Windows\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}.exe	{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe
File created	C:\Windows\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe	{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe
File created	C:\Windows\{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
File created	C:\Windows\{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
File created	C:\Windows\{E818878A-6FAD-457b-A67C-6F244967D074}.exe	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
File created	C:\Windows\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	{E818878A-6FAD-457b-A67C-6F244967D074}.exe
File created	C:\Windows\{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
File created	C:\Windows\{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
File created	C:\Windows\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
File created	C:\Windows\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe	{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
Token: SeIncBasePriorityPrivilege	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
Token: SeIncBasePriorityPrivilege	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
Token: SeIncBasePriorityPrivilege	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe
Token: SeIncBasePriorityPrivilege	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
Token: SeIncBasePriorityPrivilege	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
Token: SeIncBasePriorityPrivilege	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
Token: SeIncBasePriorityPrivilege	2044	{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe
Token: SeIncBasePriorityPrivilege	1652	{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe
Token: SeIncBasePriorityPrivilege	2844	{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2208	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	28
PID 1948 wrote to memory of 2208	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	28
PID 1948 wrote to memory of 2208	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	28
PID 1948 wrote to memory of 2208	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	28
PID 1948 wrote to memory of 1796	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	29
PID 1948 wrote to memory of 1796	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	29
PID 1948 wrote to memory of 1796	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	29
PID 1948 wrote to memory of 1796	1948	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	29
PID 2208 wrote to memory of 2340	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	30
PID 2208 wrote to memory of 2340	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	30
PID 2208 wrote to memory of 2340	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	30
PID 2208 wrote to memory of 2340	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	30
PID 2208 wrote to memory of 2396	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	31
PID 2208 wrote to memory of 2396	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	31
PID 2208 wrote to memory of 2396	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	31
PID 2208 wrote to memory of 2396	2208	{3E306C34-E91F-4596-9F35-88EFAC142573}.exe	31
PID 2340 wrote to memory of 2412	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	32
PID 2340 wrote to memory of 2412	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	32
PID 2340 wrote to memory of 2412	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	32
PID 2340 wrote to memory of 2412	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	32
PID 2340 wrote to memory of 2520	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	33
PID 2340 wrote to memory of 2520	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	33
PID 2340 wrote to memory of 2520	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	33
PID 2340 wrote to memory of 2520	2340	{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe	33
PID 2412 wrote to memory of 2312	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	36
PID 2412 wrote to memory of 2312	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	36
PID 2412 wrote to memory of 2312	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	36
PID 2412 wrote to memory of 2312	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	36
PID 2412 wrote to memory of 1564	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	37
PID 2412 wrote to memory of 1564	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	37
PID 2412 wrote to memory of 1564	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	37
PID 2412 wrote to memory of 1564	2412	{B456EF80-3357-405a-879B-E0A743D39A6B}.exe	37
PID 2312 wrote to memory of 852	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	38
PID 2312 wrote to memory of 852	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	38
PID 2312 wrote to memory of 852	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	38
PID 2312 wrote to memory of 852	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	38
PID 2312 wrote to memory of 2564	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	39
PID 2312 wrote to memory of 2564	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	39
PID 2312 wrote to memory of 2564	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	39
PID 2312 wrote to memory of 2564	2312	{E818878A-6FAD-457b-A67C-6F244967D074}.exe	39
PID 852 wrote to memory of 1548	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	40
PID 852 wrote to memory of 1548	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	40
PID 852 wrote to memory of 1548	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	40
PID 852 wrote to memory of 1548	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	40
PID 852 wrote to memory of 772	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	41
PID 852 wrote to memory of 772	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	41
PID 852 wrote to memory of 772	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	41
PID 852 wrote to memory of 772	852	{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe	41
PID 1548 wrote to memory of 2156	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	42
PID 1548 wrote to memory of 2156	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	42
PID 1548 wrote to memory of 2156	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	42
PID 1548 wrote to memory of 2156	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	42
PID 1548 wrote to memory of 2064	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	43
PID 1548 wrote to memory of 2064	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	43
PID 1548 wrote to memory of 2064	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	43
PID 1548 wrote to memory of 2064	1548	{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe	43
PID 2156 wrote to memory of 2044	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	44
PID 2156 wrote to memory of 2044	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	44
PID 2156 wrote to memory of 2044	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	44
PID 2156 wrote to memory of 2044	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	44
PID 2156 wrote to memory of 2016	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	45
PID 2156 wrote to memory of 2016	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	45
PID 2156 wrote to memory of 2016	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	45
PID 2156 wrote to memory of 2016	2156	{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
  C:\Windows\{3E306C34-E91F-4596-9F35-88EFAC142573}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
    C:\Windows\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
      C:\Windows\{B456EF80-3357-405a-879B-E0A743D39A6B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\{E818878A-6FAD-457b-A67C-6F244967D074}.exe
        
        C:\Windows\{E818878A-6FAD-457b-A67C-6F244967D074}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
        
        C:\Windows\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
        
        C:\Windows\{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
        
        C:\Windows\{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe
        
        C:\Windows\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe
        
        C:\Windows\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe
        
        C:\Windows\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}.exe
        
        C:\Windows\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}.exe
        12⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89CB5~1.EXE > nul
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E03D~1.EXE > nul
        11⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F398~1.EXE > nul
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62450~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE05C~1.EXE > nul
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BC5~1.EXE > nul
        7⤵
        
        PID:772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8188~1.EXE > nul
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B456E~1.EXE > nul
        5⤵
        
        PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50C2A~1.EXE > nul
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3E306~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11DE9B93-4B89-4c8c-A6EF-2B420670FDE0}.exe

Filesize
180KB

MD5
d3c37d0fe748f8a91615cabf5a779341

SHA1
26d03d26afe433879f621b8f31d453326bc05949

SHA256
2e11d81593985444b15cb847555d7d067f8f79a4c242a74312aef7476918e2c6

SHA512
1c0984cc5c81082882f90c554ea66d5009870793e024363dfaa79dac3e9f231463dea35ac8d0fd7f47d58f50c46f04586f50b8f03a4efffc07148b91063cf610

Download Submit
C:\Windows\{3E306C34-E91F-4596-9F35-88EFAC142573}.exe

Filesize
180KB

MD5
4f19c91aac473c500080fcfb62d2bf09

SHA1
759d194c47202c1409c82e0507ecd09ddd967b65

SHA256
986648f248e1ab72596f59ea5daa473595a3b45ffbdb2a631052239b2217310b

SHA512
690263963bf33307b32cec66e2d94ee5522564bedb3441f872a4fef25bb1c2e01bae2f22ecd8d8692ef1a222fd2f146964aef554bc0ccd78799df159ca8bde4c

Download Submit
C:\Windows\{50C2A4A9-DA36-49ce-833C-F69E9672DA98}.exe

Filesize
180KB

MD5
19bb6a303e8065b31d9f2e57f15062cb

SHA1
46fa597300af7eed682608e84f312c0476f45086

SHA256
1ed943bb01796be835f54c0eef1868643e6b04d2bc6085fcebb101c6ff2ef3d9

SHA512
658a7252786f2f85a753b91d3a867af210e5cae3ac2625e0a78a5bd9651d6a794443e86eef713681c32d834bb30d8216c7267919550ed4b2aae39dacf4b46f38

Download Submit
C:\Windows\{5F39856F-7039-43f2-953B-C62C2C2CBBF3}.exe

Filesize
180KB

MD5
f3c03c3f6523668682e2dc266ebc8f22

SHA1
54fd682ff58e96d8bb1fed61e8486d27f3de14bb

SHA256
6dcf4ac0f86dc506aabf3690d025d81bbc16dba80e0d59ad17a079f68d49bff5

SHA512
94db8922b5e2c16e0cfddfcc81bf90f67051f02e12d16402bb7f8c52c311a201c64b3b8c28895001f171069b4424c3f89da0cedbe7464fc07460eaf181e91e0a

Download Submit
C:\Windows\{624505D8-0A13-4edb-85EE-BB4097D252ED}.exe

Filesize
180KB

MD5
b82496abc00b566994c524dfd6ea65a2

SHA1
25cd4e4678c52f12aa185d628c760c7eeb69ba0d

SHA256
18a653a519071e1225c9dbb3f6a33828b0d314ab484a30c2533314801ba0b1d5

SHA512
dfee28dff0a37f2cb899aa3e34145360918cc5aebd1eb1a546c280833c7f1314492b40180bad25327f03f834bf7028f5fc4244207627ece029f4fdceb67224c0

Download Submit
C:\Windows\{6E03DD57-16ED-4738-B58C-E7DDF96D8D8A}.exe

Filesize
180KB

MD5
b54018f55d9f0ff233bde832a9f0284f

SHA1
4fcbc36a9e7c10547b7b808c017730339206a683

SHA256
cf85818c1e8d15fab80e81f7473755724adc8b8a6fff5f58ea72a10729ef79d9

SHA512
8314e5d7dd0877ecfff13e8d8cbf3e6721825c0e957c50bc9c976d9bb700a562dce82674c0d20debe371640b61e0c0676897d525a933f444a9a03604e53d7ba0

Download Submit
C:\Windows\{89CB56BA-AF5B-44d2-9756-80D65AF8DC55}.exe

Filesize
180KB

MD5
f92d6b13dad5506ab39c44d553dca2c2

SHA1
7bd497799febee36c81966b3bab1af43a99f7d80

SHA256
353e36bdec0d17229e38e163140c6023fba46e86b2d12fcea12676a2d10aef92

SHA512
2d1992ad6420c1bcfd4e929e40ec5fa5e1ff6842f729df7f006da5a83308f9ae1068fb30d50624df25d8ddc8182313cf16ba7f068ee3ec9a296f22142fd7979b

Download Submit
C:\Windows\{B456EF80-3357-405a-879B-E0A743D39A6B}.exe

Filesize
180KB

MD5
6618f5250b14e223a7647ba86ed61668

SHA1
6649f718fb2b69214ae50664a7a0526c79215ed1

SHA256
6877a7246b256cf5f5ec6eb6bad8fa75c8ffa3b27046df56d832fc0391ab55da

SHA512
8cd4243c2daad79d4f084c515959613e933157be2e9f51a7421f432483b1731fea99e106383d6a2d6d881d6a5a775906364035b13763d0844ed55ab56fdc6850

Download Submit
C:\Windows\{D6BC5B0C-13D7-443a-AC49-59E568B64ADA}.exe

Filesize
180KB

MD5
e1e2553fa951d238f3ce87ec2675f1aa

SHA1
93fda945a9851eda01a293239cd4bc75ebf0a348

SHA256
ccc84b73737a90d2f9cf10a128ee233dc23df4313e9fb109e68b26aa7d35974b

SHA512
9e78911a2b47ba8813e96c3d2ff54f1b9c733c8500f4af43038dbff21ac7c459119b0173ae72a65ac767f05269c7b9140536ca1cb9168b8e82f3add5502c9eae

Download Submit
C:\Windows\{E818878A-6FAD-457b-A67C-6F244967D074}.exe

Filesize
180KB

MD5
144a7b3779866788cf28049c991b6496

SHA1
f6e8dca397b79f13776e9f9be1942294798b4f6f

SHA256
f91940857ba6f9905005cd660d97b9c5ae3942d8f2b43b542d47379a2f25777e

SHA512
e83b98bbfa15910c41e08cfc9839d75a6822789248fe807273cb82b87b1d43d97d71c4762d1f49594849cac30d58f6cd90d360d64a4739f8cede6e8d08701c13

Download Submit
C:\Windows\{FE05C981-44A4-4db7-9ED0-B87903A1A566}.exe

Filesize
180KB

MD5
fb7775822da7fb45151be3a78f0d9f46

SHA1
b23a31f4afdb4f1f128e5269ddb9acebef94442c

SHA256
1fe9eefe8441164bbcc301a88ce0da1bd57ee37c69a8bc05e20108bbbf2bb806

SHA512
24ba01509c62f051eb4f65650cb9c698f1e75499e60ebc36e9ba98252e94525ad0a49e6e805bf4768cd331a83a74955d7e243939c4b4e8ee63b8b545da2d1b0f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads