ae76db1319fe94de8c4ede1c4f671c7be99a7f65a114ae2515b853d19a7db8cb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe
Size

216KB
MD5

6229cb26bbd088e6796c364e03b807c6
SHA1

5d31372d2439df50ddf15b9a9d1c7f6e9d7674f0
SHA256

ae76db1319fe94de8c4ede1c4f671c7be99a7f65a114ae2515b853d19a7db8cb
SHA512

69ddfba2f087e58f2c733a6635889025677f27c98293a5b6f9bf82fcdac1251f34a0dc96717e159cb1492722f5fe471951b10fd4c7fd009ba7c1cd75255d0cf1
SSDEEP

3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGSlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014890-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015083-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01FA392A-C796-47cf-8221-5760008A9FA5}	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}\stubpath = "C:\\Windows\\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe"	{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}\stubpath = "C:\\Windows\\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe"	{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}\stubpath = "C:\\Windows\\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe"	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}\stubpath = "C:\\Windows\\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe"	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}\stubpath = "C:\\Windows\\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe"	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}\stubpath = "C:\\Windows\\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}.exe"	{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7832D26B-D0ED-4850-8B46-1B83340304F6}	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}	{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}\stubpath = "C:\\Windows\\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe"	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01FA392A-C796-47cf-8221-5760008A9FA5}\stubpath = "C:\\Windows\\{01FA392A-C796-47cf-8221-5760008A9FA5}.exe"	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36282275-D248-4dfe-99EF-BDE62FCCC87C}	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36282275-D248-4dfe-99EF-BDE62FCCC87C}\stubpath = "C:\\Windows\\{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe"	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F34A76A2-0302-477f-BACD-32474818ED8C}	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F34A76A2-0302-477f-BACD-32474818ED8C}\stubpath = "C:\\Windows\\{F34A76A2-0302-477f-BACD-32474818ED8C}.exe"	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7832D26B-D0ED-4850-8B46-1B83340304F6}\stubpath = "C:\\Windows\\{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe"	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}	{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}	{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe
1556	{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe
2032	{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
600	{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe
580	{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
File created	C:\Windows\{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
File created	C:\Windows\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
File created	C:\Windows\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe	{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe
File created	C:\Windows\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe	{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
File created	C:\Windows\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}.exe	{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe
File created	C:\Windows\{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe
File created	C:\Windows\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
File created	C:\Windows\{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
File created	C:\Windows\{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
File created	C:\Windows\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
Token: SeIncBasePriorityPrivilege	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
Token: SeIncBasePriorityPrivilege	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
Token: SeIncBasePriorityPrivilege	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
Token: SeIncBasePriorityPrivilege	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
Token: SeIncBasePriorityPrivilege	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
Token: SeIncBasePriorityPrivilege	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe
Token: SeIncBasePriorityPrivilege	1556	{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe
Token: SeIncBasePriorityPrivilege	2032	{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
Token: SeIncBasePriorityPrivilege	600	{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2500	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	28
PID 2220 wrote to memory of 2500	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	28
PID 2220 wrote to memory of 2500	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	28
PID 2220 wrote to memory of 2500	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	28
PID 2220 wrote to memory of 2576	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	29
PID 2220 wrote to memory of 2576	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	29
PID 2220 wrote to memory of 2576	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	29
PID 2220 wrote to memory of 2576	2220	2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe	29
PID 2500 wrote to memory of 2688	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	30
PID 2500 wrote to memory of 2688	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	30
PID 2500 wrote to memory of 2688	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	30
PID 2500 wrote to memory of 2688	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	30
PID 2500 wrote to memory of 2532	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	31
PID 2500 wrote to memory of 2532	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	31
PID 2500 wrote to memory of 2532	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	31
PID 2500 wrote to memory of 2532	2500	{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe	31
PID 2688 wrote to memory of 2536	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	32
PID 2688 wrote to memory of 2536	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	32
PID 2688 wrote to memory of 2536	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	32
PID 2688 wrote to memory of 2536	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	32
PID 2688 wrote to memory of 2672	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	33
PID 2688 wrote to memory of 2672	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	33
PID 2688 wrote to memory of 2672	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	33
PID 2688 wrote to memory of 2672	2688	{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe	33
PID 2536 wrote to memory of 2608	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	36
PID 2536 wrote to memory of 2608	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	36
PID 2536 wrote to memory of 2608	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	36
PID 2536 wrote to memory of 2608	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	36
PID 2536 wrote to memory of 2604	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	37
PID 2536 wrote to memory of 2604	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	37
PID 2536 wrote to memory of 2604	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	37
PID 2536 wrote to memory of 2604	2536	{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe	37
PID 2608 wrote to memory of 2712	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	38
PID 2608 wrote to memory of 2712	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	38
PID 2608 wrote to memory of 2712	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	38
PID 2608 wrote to memory of 2712	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	38
PID 2608 wrote to memory of 860	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	39
PID 2608 wrote to memory of 860	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	39
PID 2608 wrote to memory of 860	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	39
PID 2608 wrote to memory of 860	2608	{01FA392A-C796-47cf-8221-5760008A9FA5}.exe	39
PID 2712 wrote to memory of 376	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	40
PID 2712 wrote to memory of 376	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	40
PID 2712 wrote to memory of 376	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	40
PID 2712 wrote to memory of 376	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	40
PID 2712 wrote to memory of 1936	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	41
PID 2712 wrote to memory of 1936	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	41
PID 2712 wrote to memory of 1936	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	41
PID 2712 wrote to memory of 1936	2712	{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe	41
PID 376 wrote to memory of 292	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	42
PID 376 wrote to memory of 292	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	42
PID 376 wrote to memory of 292	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	42
PID 376 wrote to memory of 292	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	42
PID 376 wrote to memory of 1512	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	43
PID 376 wrote to memory of 1512	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	43
PID 376 wrote to memory of 1512	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	43
PID 376 wrote to memory of 1512	376	{F34A76A2-0302-477f-BACD-32474818ED8C}.exe	43
PID 292 wrote to memory of 1556	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	44
PID 292 wrote to memory of 1556	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	44
PID 292 wrote to memory of 1556	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	44
PID 292 wrote to memory of 1556	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	44
PID 292 wrote to memory of 2868	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	45
PID 292 wrote to memory of 2868	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	45
PID 292 wrote to memory of 2868	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	45
PID 292 wrote to memory of 2868	292	{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_6229cb26bbd088e6796c364e03b807c6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
  C:\Windows\{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
    C:\Windows\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
      C:\Windows\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
        
        C:\Windows\{01FA392A-C796-47cf-8221-5760008A9FA5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
        
        C:\Windows\{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
        
        C:\Windows\{F34A76A2-0302-477f-BACD-32474818ED8C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe
        
        C:\Windows\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe
        
        C:\Windows\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
        
        C:\Windows\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe
        
        C:\Windows\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}.exe
        
        C:\Windows\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C62CD~1.EXE > nul
        12⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55D9E~1.EXE > nul
        11⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFAB3~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EB23~1.EXE > nul
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F34A7~1.EXE > nul
        8⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36282~1.EXE > nul
        7⤵
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01FA3~1.EXE > nul
        6⤵
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{991A5~1.EXE > nul
        5⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{622FE~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7832D~1.EXE > nul
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01FA392A-C796-47cf-8221-5760008A9FA5}.exe

Filesize
216KB

MD5
8468b56aed2f6abe7190a2b072c99934

SHA1
774088f5bfa37696586fb800702a9176bd9eca63

SHA256
c5ce9006f168a9c5c95358c247eec096a589c21299128112259473327c2013e7

SHA512
15d26bce13eabbca43f8512e16d78286abe4a209a6f1a7e98439d14cd0070ed84f2e513a6b5baacc8c9c0ae5551e7f16efcb805b71c9e118fcae800ef5af9a3a

Download Submit
C:\Windows\{36282275-D248-4dfe-99EF-BDE62FCCC87C}.exe

Filesize
216KB

MD5
853ccf1ed0bbd300fa8155fa814cf6aa

SHA1
678d7a84d2f8cc8fd616c50f776d676cdff2ebdc

SHA256
7cfa2e0600ab0566212e2d54f70b89a20d924dc695323dc6a0a34be7338f3728

SHA512
71074f34e75b53e7cfdaeaa219d5f3fb479cd67fc86090cebaa7b51996d43eb8915af65815d616408fff1591c701a2ad93b51ac9873a9544c4875268bdecf32f

Download Submit
C:\Windows\{55D9E232-924A-4cd8-8DB5-DE14AFE0CCB8}.exe

Filesize
216KB

MD5
df500e16ea4e409bcf0db57187051eb6

SHA1
f0c1fc937c9b577087e083a08ba5aa63b4e1bd06

SHA256
d09994e197763312ff266f363a08b88880853b69c78cc1c4307c8ab6e05a17c8

SHA512
7b7741bc90171e84e12069cdc4e37e0a45fd719a3313a1bd42e0ee93dc2fc05f3e22407044ccec19cc5f954dda23725de7f173f5f02027a7c7200294ccc3c7cb

Download Submit
C:\Windows\{622FEF9B-1AAC-44bc-A201-20A57DBBC5C4}.exe

Filesize
216KB

MD5
67a289a2ad1b322b7b6b31d162beb2c8

SHA1
226da3a1dde404aa0a5ba5935b2a01a0a9497aa1

SHA256
17fbf70217f65fc65f9190c5ffffbed67d26c07a857ae874216bcfa66f34030c

SHA512
555e1ed06e1681bb1449655db59c8968133b1d255735ad9f6fc9ac81d6251baf181805f25af7ad1fd893b4368b1d7cac31096ecc89c6ff812c02fd77f5170efe

Download Submit
C:\Windows\{7832D26B-D0ED-4850-8B46-1B83340304F6}.exe

Filesize
216KB

MD5
1749011d695a8bdc47071cf3391c1c45

SHA1
1af0cdde4556ecd3df090ca0dde94410e80f0a8d

SHA256
62db8effe9aafb6d385f1686d516a329f032639be159970f7ad64bcbdcdd548f

SHA512
173a691d9749d8e8f969bb1dcd937529cf3ffdddda345feed5d6b13331841496f93ef0b39a400dc61df70ff93fb159e3421f057c2e8737d40751cdb1121b4705

Download Submit
C:\Windows\{7856F7BD-7FF6-40da-A43E-0DE864FA8D5D}.exe

Filesize
216KB

MD5
e1a5a60e45605e859103e12242f0d172

SHA1
32f09b189cfd239d7ac35236d7e57b1699339654

SHA256
d2f27328ce2c956bfee39e9220f36da4ba846f8548eca223b91370c7e76401ba

SHA512
d273c73feb553f0cd89cf05aa305e0688b577265b13e7dab8cb2735c44b59f8950a9c0326096fdb9020c5fb44833e90895fa6c2cba24bf4b2b327a57e0314471

Download Submit
C:\Windows\{8EB237CC-309C-4371-B1DE-B0D11E4DB61B}.exe

Filesize
216KB

MD5
888f75d189114985d9184d633aa4ae37

SHA1
ecab2386ffb4ff483d75d879a77631aa937b61b3

SHA256
8e1d550c8bff77f37d443c425eff41086cd02846f7b3a72e64d8334a3921ac28

SHA512
eb599c79accd7ebdabf0e32b16d09f7f69e90da633086821f230d5005a362a4e9dbfad31eb887f32b03dfebf8e0d3d7068a6aa0261e03b868564c4075aa33d7a

Download Submit
C:\Windows\{991A50E5-7F5B-4cfc-AA5E-5EEA2C8F53DD}.exe

Filesize
216KB

MD5
8ca6d38c8c84732b737d4631bf15adb8

SHA1
c0ddacd9ca1cd4997181226bed97dd860a9bddf5

SHA256
d7cfe80f2bbd0c524c3668c5162bbfd99d1e605228ae4d2a5318310656577e92

SHA512
e0904991648da6ac3d457af6499de77bd6082f027ce24a175b8850e03a3709c96a190911e197216110edcb9808e337bd55974e3b5b2ca6183ebfd205ef6d7aad

Download Submit
C:\Windows\{C62CDEB5-BCEB-4500-9B2F-E8D2F06912F3}.exe

Filesize
216KB

MD5
33de1f860d03b0b1c94114dbecf45802

SHA1
b99389e439b7dbe9f5da2d6be57e6060687445cd

SHA256
a08ea06bf0e648ca7edf90addf84c400ee1d8f9b9b8c4751c9dd942aad1edbbe

SHA512
a5575f1851d40c68b1c4f96a5264ef58968037140d8796b6c84192db4d1464c9079d8a8eafa737757309b15354ae4d02e77538731eba9e2c69df0af277747f1d

Download Submit
C:\Windows\{DFAB3C79-F77B-4f7a-8A55-727ED148F484}.exe

Filesize
216KB

MD5
3582dceb9a37ec9e3c388888f622cc61

SHA1
814936e3a728d2f5b9c64fbf95656626d115a50c

SHA256
473ef1f2f6561e66419affb35222b6753ade1e282e658412e57bc26d2eb2c1cd

SHA512
8470ed422f3043db9201ec4eed5e7980918da2d83815e54f71c0b9461b7db44ad09fe038dbb30844cec0f63162587fcb72b8a001042e923ee1fe45f261de41a9

Download Submit
C:\Windows\{F34A76A2-0302-477f-BACD-32474818ED8C}.exe

Filesize
216KB

MD5
0d5ad0055073d07d4a31f5c934a5d919

SHA1
410ff35b1f12816dfdb7ac5acc390e4d0bcaa03e

SHA256
2f62240ac147bcfaeec3f3c4b50752940af973642187707cb33e811ff8cbf414

SHA512
1668434707852d6f45025855d8f100c6f16069e2c2c714b3a3910330e45e3670d1d13a5af712b045333b8222ee821505fe945acbc91dedb540e1b935dd473bd3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads