36d1eda264e5f503dbb95ea1d2a9c34935584b2f02364617c35755c47355e472

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe
Size

204KB
MD5

d79366da22494ea57f5bc1b1448c0c87
SHA1

6b1b2bb2a8bff5551b2cc36db019fa1a1b2353b0
SHA256

36d1eda264e5f503dbb95ea1d2a9c34935584b2f02364617c35755c47355e472
SHA512

154f9319f11c6f790ae59a817a7f6cbbb13a6c5a5e4e7814072b00b4ea3b2711ba39b2108802e8e3379c7cd98c0fa96d74230702dff685fe339ee218f12f072f
SSDEEP

1536:1EGh0oSl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oSl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000143fb-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d61-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016122-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000163eb-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000167bf-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000167bf-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000167bf-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A6A324-F84F-40ae-9F8A-8E832B171070}	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E29B121-6DDA-4d25-9C72-2B23942896B8}\stubpath = "C:\\Windows\\{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe"	{A017B308-F24B-4095-8A4B-1354449C3843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04954C90-E944-4855-9CA4-8584FD9EF408}\stubpath = "C:\\Windows\\{04954C90-E944-4855-9CA4-8584FD9EF408}.exe"	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582034C8-2A39-403e-9C53-052D9BC2DF41}\stubpath = "C:\\Windows\\{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe"	{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6737F935-E585-40a0-96B1-B14D43B5BE57}	{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}	{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A017B308-F24B-4095-8A4B-1354449C3843}	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A017B308-F24B-4095-8A4B-1354449C3843}\stubpath = "C:\\Windows\\{A017B308-F24B-4095-8A4B-1354449C3843}.exe"	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}\stubpath = "C:\\Windows\\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe"	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}\stubpath = "C:\\Windows\\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe"	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04954C90-E944-4855-9CA4-8584FD9EF408}	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}\stubpath = "C:\\Windows\\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe"	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582034C8-2A39-403e-9C53-052D9BC2DF41}	{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6737F935-E585-40a0-96B1-B14D43B5BE57}\stubpath = "C:\\Windows\\{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe"	{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E29B121-6DDA-4d25-9C72-2B23942896B8}	{A017B308-F24B-4095-8A4B-1354449C3843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}\stubpath = "C:\\Windows\\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}.exe"	{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A6A324-F84F-40ae-9F8A-8E832B171070}\stubpath = "C:\\Windows\\{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe"	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}\stubpath = "C:\\Windows\\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe"	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe
2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe
1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
2680	{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
588	{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe
3068	{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe
816	{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
File created	C:\Windows\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}.exe	{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe
File created	C:\Windows\{A017B308-F24B-4095-8A4B-1354449C3843}.exe	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe
File created	C:\Windows\{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	{A017B308-F24B-4095-8A4B-1354449C3843}.exe
File created	C:\Windows\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
File created	C:\Windows\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
File created	C:\Windows\{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
File created	C:\Windows\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
File created	C:\Windows\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe
File created	C:\Windows\{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe	{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
File created	C:\Windows\{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe	{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe
Token: SeIncBasePriorityPrivilege	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
Token: SeIncBasePriorityPrivilege	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
Token: SeIncBasePriorityPrivilege	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
Token: SeIncBasePriorityPrivilege	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
Token: SeIncBasePriorityPrivilege	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe
Token: SeIncBasePriorityPrivilege	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
Token: SeIncBasePriorityPrivilege	2680	{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
Token: SeIncBasePriorityPrivilege	588	{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe
Token: SeIncBasePriorityPrivilege	3068	{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2904	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	28
PID 3040 wrote to memory of 2904	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	28
PID 3040 wrote to memory of 2904	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	28
PID 3040 wrote to memory of 2904	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	28
PID 3040 wrote to memory of 2564	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	29
PID 3040 wrote to memory of 2564	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	29
PID 3040 wrote to memory of 2564	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	29
PID 3040 wrote to memory of 2564	3040	2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe	29
PID 2904 wrote to memory of 2600	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	30
PID 2904 wrote to memory of 2600	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	30
PID 2904 wrote to memory of 2600	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	30
PID 2904 wrote to memory of 2600	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	30
PID 2904 wrote to memory of 2616	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	31
PID 2904 wrote to memory of 2616	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	31
PID 2904 wrote to memory of 2616	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	31
PID 2904 wrote to memory of 2616	2904	{A017B308-F24B-4095-8A4B-1354449C3843}.exe	31
PID 2600 wrote to memory of 2516	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	32
PID 2600 wrote to memory of 2516	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	32
PID 2600 wrote to memory of 2516	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	32
PID 2600 wrote to memory of 2516	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	32
PID 2600 wrote to memory of 2640	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	33
PID 2600 wrote to memory of 2640	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	33
PID 2600 wrote to memory of 2640	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	33
PID 2600 wrote to memory of 2640	2600	{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe	33
PID 2516 wrote to memory of 2188	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	36
PID 2516 wrote to memory of 2188	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	36
PID 2516 wrote to memory of 2188	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	36
PID 2516 wrote to memory of 2188	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	36
PID 2516 wrote to memory of 1476	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	37
PID 2516 wrote to memory of 1476	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	37
PID 2516 wrote to memory of 1476	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	37
PID 2516 wrote to memory of 1476	2516	{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe	37
PID 2188 wrote to memory of 2444	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	38
PID 2188 wrote to memory of 2444	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	38
PID 2188 wrote to memory of 2444	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	38
PID 2188 wrote to memory of 2444	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	38
PID 2188 wrote to memory of 2668	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	39
PID 2188 wrote to memory of 2668	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	39
PID 2188 wrote to memory of 2668	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	39
PID 2188 wrote to memory of 2668	2188	{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe	39
PID 2444 wrote to memory of 640	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	40
PID 2444 wrote to memory of 640	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	40
PID 2444 wrote to memory of 640	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	40
PID 2444 wrote to memory of 640	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	40
PID 2444 wrote to memory of 272	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	41
PID 2444 wrote to memory of 272	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	41
PID 2444 wrote to memory of 272	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	41
PID 2444 wrote to memory of 272	2444	{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe	41
PID 640 wrote to memory of 1876	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	42
PID 640 wrote to memory of 1876	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	42
PID 640 wrote to memory of 1876	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	42
PID 640 wrote to memory of 1876	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	42
PID 640 wrote to memory of 1808	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	43
PID 640 wrote to memory of 1808	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	43
PID 640 wrote to memory of 1808	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	43
PID 640 wrote to memory of 1808	640	{04954C90-E944-4855-9CA4-8584FD9EF408}.exe	43
PID 1876 wrote to memory of 2680	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	44
PID 1876 wrote to memory of 2680	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	44
PID 1876 wrote to memory of 2680	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	44
PID 1876 wrote to memory of 2680	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	44
PID 1876 wrote to memory of 1184	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	45
PID 1876 wrote to memory of 1184	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	45
PID 1876 wrote to memory of 1184	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	45
PID 1876 wrote to memory of 1184	1876	{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_d79366da22494ea57f5bc1b1448c0c87_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{A017B308-F24B-4095-8A4B-1354449C3843}.exe
  C:\Windows\{A017B308-F24B-4095-8A4B-1354449C3843}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
    C:\Windows\{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
      C:\Windows\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
        
        C:\Windows\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
        
        C:\Windows\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{04954C90-E944-4855-9CA4-8584FD9EF408}.exe
        
        C:\Windows\{04954C90-E944-4855-9CA4-8584FD9EF408}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
        
        C:\Windows\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
        
        C:\Windows\{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe
        
        C:\Windows\{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe
        
        C:\Windows\{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}.exe
        
        C:\Windows\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}.exe
        12⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6737F~1.EXE > nul
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58203~1.EXE > nul
        11⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A6A~1.EXE > nul
        10⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7CF5~1.EXE > nul
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04954~1.EXE > nul
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{660D5~1.EXE > nul
        7⤵
        
        PID:272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB371~1.EXE > nul
        6⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC85~1.EXE > nul
        5⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E29B~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A017B~1.EXE > nul
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04954C90-E944-4855-9CA4-8584FD9EF408}.exe

Filesize
204KB

MD5
2303b4118fe19b94969f4cb2d22816bb

SHA1
ff4b66a4b282eb988a26ee450c446f6e8a6c7229

SHA256
cc84ccadae0a5240f19ea3a077b7a3f7cdb99069abab8c561aa64338cff890dd

SHA512
267b710ecd7acfcd26a9ee288854f42e4e9e66976c06ed3c00a2fb7c94c18ee300e50b2c605dca04518016f8db4b3e18db6f95309db499dea62a72d182554103

Download Submit
C:\Windows\{0A0DB418-D4F5-4620-9C3A-72442A7E3E98}.exe

Filesize
204KB

MD5
d22feeecd0eebe461fb870643d38d8f7

SHA1
c1453dd58209bbdab299502c7e0b96f03c031a17

SHA256
7153121dbc9b3713ea072fef594f4c9bee4ae130bd00ff86af29f6cfaa1cead1

SHA512
f5d50d8515448d5134c00886bb151f7fd703748fd46cca4cd86f5ed06fbf7e5c756d6729b34869dfeb2c4eb7d9993ab25270d8c40f035ea5daa3f5716ef02450

Download Submit
C:\Windows\{582034C8-2A39-403e-9C53-052D9BC2DF41}.exe

Filesize
204KB

MD5
9466f9802c2c8fd8ec10c4d42f3947b3

SHA1
dc15ae9ee5fb7b7d4b5939a4eee285436f068ff4

SHA256
14776db5c60f68da06ab851907fe4a329dc3759a441ffb54f8528317d40b8f46

SHA512
5bb79078a90411a8327171f913249d9bed9b0d8863305860122380b7eb681c24b2b82608b69badf5af7824bd880e1fbf95e673bde9df6a17e2e92dce8d0068c1

Download Submit
C:\Windows\{5CC85862-65DF-4893-9FE6-E0CC2E58135E}.exe

Filesize
204KB

MD5
ba68667b2b28ceb1a4f22a382ec41751

SHA1
30b7afd943f34b32e38c42aeaf5a29e48d3759bd

SHA256
733acd861b968954dab431ac7e8c7d0512fedbd91e3631ab3263fee9f7496621

SHA512
77d2e5342f5ba7371ebb59771ebdc492bfebef56fdccb7b2cc46c58d0c2a9e8126f64f5484891d328bd98373f484d99a6654edeec00ac5084df2c00b73880bd6

Download Submit
C:\Windows\{660D586C-8BC6-444e-9C00-97F0FAD5E83C}.exe

Filesize
204KB

MD5
62a716f21cc8666fc6ac0ae5da895695

SHA1
02b983f96b7cf1d5d5293dfd3e203a1292481a32

SHA256
f0dd70e70f09df54f8bea0755840d13d54dd1868122cbbb4cd287175d0970ca5

SHA512
c33242f1e37738b47c75f5efd28367ef3f1c4015385334517daf901f1676f16a6d70abb5c36b19821be6f1262e1db881b70bd24da785bafcc0443365e9e09424

Download Submit
C:\Windows\{6737F935-E585-40a0-96B1-B14D43B5BE57}.exe

Filesize
204KB

MD5
2e1f57f6ca94053705110b609fc52b70

SHA1
917ba220da7c9704b4b9094f2621983334ca8431

SHA256
2307f333b0be670ab05aa2d751d74a62edfe4d0e8c50aeafa8270de59f59f315

SHA512
6aad78bf69564e38c0647abc78f626c053b4f2d6d8dc4f10507abaca2ceec3a41b60641c959bb20b5f67afc8d5a32b41018a6cdbe054f85dd268855b4f653d2b

Download Submit
C:\Windows\{6E29B121-6DDA-4d25-9C72-2B23942896B8}.exe

Filesize
204KB

MD5
8694de9725ef321b85b3f89a1384f054

SHA1
e2232a780324ee62079222fb93b2936cae8657f0

SHA256
d474371b688c7851a54ef86ec4042c7db07b3e9f49989a1fe410464de88ff9b2

SHA512
c9f30b3974156b95d7d7467fe12e615004c015c574d57e7eceba38de01989b034ee318833ed05ce518b309dd049e55c208e1d2d0f4cce676406b7556df6193ef

Download Submit
C:\Windows\{A017B308-F24B-4095-8A4B-1354449C3843}.exe

Filesize
204KB

MD5
77126faefde17b3df3b47f0381a86e91

SHA1
2bc40635eb61cc22e8b1b7d19dda08113c6777c2

SHA256
a6bfaf1a42958125c37ec69018f7da950f7bbeb0393e2f3fad253a5e317de667

SHA512
bba25c2eb20e549e132a3477733ce6f0fedc114fdcb0d255f1a193fc3d78f1932fd79262b4fa359b482a8de971f5416958555a4e169d2f97e12aa85268da5024

Download Submit
C:\Windows\{A7CF591A-7CDD-4efe-8225-CB51C1EEEF80}.exe

Filesize
204KB

MD5
067c6fc82f862bd54faf1058c94c4e4c

SHA1
b18d786f3a30ffd8455007e17b738253b9644489

SHA256
a8eb001eb5c31f9058d8bdf0dff990ae97d96a1fbbd0b3733c322d720659298b

SHA512
52aeae820c5ca9f7fccd886999994944130b3a19074d3d17731d33cda49865a4d45e5740f9ebf04fcc730dd1ca012cb8e09e1d52184a2082620b471c4fd7a3ae

Download Submit
C:\Windows\{DB3711E2-0C3F-4314-915E-4C48AF250DD8}.exe

Filesize
204KB

MD5
6eb28e22a26469d7a64437a43e996891

SHA1
2c7582cd21c7e9dc79a7fb615872b26cee9293ca

SHA256
5d74e340814b0c9a2bc7cf4d06060af67d7062949f03dc4f0164f62f5609d470

SHA512
e918af7a5c19f5cca0bdb0e0e0cfd5c33cc8ad90be389719fc86230e3bd1ddc24ce615ac65614497abda18726bd5a143170b549cdb510fc4828749fa23467c38

Download Submit
C:\Windows\{E9A6A324-F84F-40ae-9F8A-8E832B171070}.exe

Filesize
204KB

MD5
7ba11e3be2a7d6e74a462d5789956a91

SHA1
5d8f879ca9dad8fb63b9ef1edf7246de70052375

SHA256
391f9beb6ddcd42d70a3b53b2b9bd9cccb91a761c4e2434cc39d97c1ec448c42

SHA512
0a58acc6096c6f27caff5c30e8482c9a892143e96ee82f3bd22b9c96efde0a06b854ed508aaf2733a98067fa5def8a6b184d447953610cf18dd65fc3caf756db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads