a1688dbf25d82a32fd692f30d1f4e5011ca86a52a332e8c8e7fb44194f0c5e26

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Size

197KB
MD5

1b126990d9ab5c8b10b215f564fcbc97
SHA1

93043cef76b1e1e04586a1e37602bcf896292f57
SHA256

a1688dbf25d82a32fd692f30d1f4e5011ca86a52a332e8c8e7fb44194f0c5e26
SHA512

7f461512982e0fa1d79cfe5dd73437a657590f0ff975a48497001ebfdabd5663457b7013b1067184e32f5222712913a2e43da121b507934b5b55e7a7eb53f347
SSDEEP

3072:jEGh0oMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGmlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013420-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000013a84-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22BE17F-B353-437f-8535-A376ECC6B879}	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}\stubpath = "C:\\Windows\\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe"	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}	{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}\stubpath = "C:\\Windows\\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe"	{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}\stubpath = "C:\\Windows\\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe"	{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35BEFAE6-5B5D-423f-826C-694192D756D5}	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBF91559-01C2-4174-B987-D9E535A9BE57}\stubpath = "C:\\Windows\\{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe"	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC906898-9382-48ef-9741-7513795E60A4}\stubpath = "C:\\Windows\\{DC906898-9382-48ef-9741-7513795E60A4}.exe"	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}\stubpath = "C:\\Windows\\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe"	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}\stubpath = "C:\\Windows\\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}.exe"	{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}	{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35BEFAE6-5B5D-423f-826C-694192D756D5}\stubpath = "C:\\Windows\\{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe"	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22BE17F-B353-437f-8535-A376ECC6B879}\stubpath = "C:\\Windows\\{F22BE17F-B353-437f-8535-A376ECC6B879}.exe"	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBF91559-01C2-4174-B987-D9E535A9BE57}	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49E647F-9AD3-4843-843C-B05F4807CDB1}\stubpath = "C:\\Windows\\{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe"	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56051EAC-2C17-4882-8856-81C73F3248F8}	{DC906898-9382-48ef-9741-7513795E60A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}	{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49E647F-9AD3-4843-843C-B05F4807CDB1}	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC906898-9382-48ef-9741-7513795E60A4}	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56051EAC-2C17-4882-8856-81C73F3248F8}\stubpath = "C:\\Windows\\{56051EAC-2C17-4882-8856-81C73F3248F8}.exe"	{DC906898-9382-48ef-9741-7513795E60A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe
2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe
1748	{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
2176	{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
688	{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe
1400	{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
File created	C:\Windows\{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
File created	C:\Windows\{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	{DC906898-9382-48ef-9741-7513795E60A4}.exe
File created	C:\Windows\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe	{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
File created	C:\Windows\{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
File created	C:\Windows\{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
File created	C:\Windows\{DC906898-9382-48ef-9741-7513795E60A4}.exe	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
File created	C:\Windows\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
File created	C:\Windows\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe
File created	C:\Windows\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe	{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
File created	C:\Windows\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}.exe	{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
Token: SeIncBasePriorityPrivilege	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
Token: SeIncBasePriorityPrivilege	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
Token: SeIncBasePriorityPrivilege	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
Token: SeIncBasePriorityPrivilege	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe
Token: SeIncBasePriorityPrivilege	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
Token: SeIncBasePriorityPrivilege	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe
Token: SeIncBasePriorityPrivilege	1748	{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
Token: SeIncBasePriorityPrivilege	2176	{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
Token: SeIncBasePriorityPrivilege	688	{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2480	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	28
PID 2088 wrote to memory of 2480	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	28
PID 2088 wrote to memory of 2480	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	28
PID 2088 wrote to memory of 2480	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	28
PID 2088 wrote to memory of 2556	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	29
PID 2088 wrote to memory of 2556	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	29
PID 2088 wrote to memory of 2556	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	29
PID 2088 wrote to memory of 2556	2088	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	29
PID 2480 wrote to memory of 2488	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	30
PID 2480 wrote to memory of 2488	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	30
PID 2480 wrote to memory of 2488	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	30
PID 2480 wrote to memory of 2488	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	30
PID 2480 wrote to memory of 2408	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	31
PID 2480 wrote to memory of 2408	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	31
PID 2480 wrote to memory of 2408	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	31
PID 2480 wrote to memory of 2408	2480	{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe	31
PID 2488 wrote to memory of 2592	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	32
PID 2488 wrote to memory of 2592	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	32
PID 2488 wrote to memory of 2592	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	32
PID 2488 wrote to memory of 2592	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	32
PID 2488 wrote to memory of 2376	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	33
PID 2488 wrote to memory of 2376	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	33
PID 2488 wrote to memory of 2376	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	33
PID 2488 wrote to memory of 2376	2488	{F22BE17F-B353-437f-8535-A376ECC6B879}.exe	33
PID 2592 wrote to memory of 2660	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	36
PID 2592 wrote to memory of 2660	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	36
PID 2592 wrote to memory of 2660	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	36
PID 2592 wrote to memory of 2660	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	36
PID 2592 wrote to memory of 2640	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	37
PID 2592 wrote to memory of 2640	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	37
PID 2592 wrote to memory of 2640	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	37
PID 2592 wrote to memory of 2640	2592	{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe	37
PID 2660 wrote to memory of 2712	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	38
PID 2660 wrote to memory of 2712	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	38
PID 2660 wrote to memory of 2712	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	38
PID 2660 wrote to memory of 2712	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	38
PID 2660 wrote to memory of 1580	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	39
PID 2660 wrote to memory of 1580	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	39
PID 2660 wrote to memory of 1580	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	39
PID 2660 wrote to memory of 1580	2660	{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe	39
PID 2712 wrote to memory of 2256	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	40
PID 2712 wrote to memory of 2256	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	40
PID 2712 wrote to memory of 2256	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	40
PID 2712 wrote to memory of 2256	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	40
PID 2712 wrote to memory of 1008	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	41
PID 2712 wrote to memory of 1008	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	41
PID 2712 wrote to memory of 1008	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	41
PID 2712 wrote to memory of 1008	2712	{DC906898-9382-48ef-9741-7513795E60A4}.exe	41
PID 2256 wrote to memory of 352	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	42
PID 2256 wrote to memory of 352	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	42
PID 2256 wrote to memory of 352	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	42
PID 2256 wrote to memory of 352	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	42
PID 2256 wrote to memory of 1372	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	43
PID 2256 wrote to memory of 1372	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	43
PID 2256 wrote to memory of 1372	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	43
PID 2256 wrote to memory of 1372	2256	{56051EAC-2C17-4882-8856-81C73F3248F8}.exe	43
PID 352 wrote to memory of 1748	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	44
PID 352 wrote to memory of 1748	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	44
PID 352 wrote to memory of 1748	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	44
PID 352 wrote to memory of 1748	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	44
PID 352 wrote to memory of 2792	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	45
PID 352 wrote to memory of 2792	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	45
PID 352 wrote to memory of 2792	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	45
PID 352 wrote to memory of 2792	352	{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
  C:\Windows\{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
    C:\Windows\{F22BE17F-B353-437f-8535-A376ECC6B879}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
      C:\Windows\{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
        
        C:\Windows\{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\{DC906898-9382-48ef-9741-7513795E60A4}.exe
        
        C:\Windows\{DC906898-9382-48ef-9741-7513795E60A4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
        
        C:\Windows\{56051EAC-2C17-4882-8856-81C73F3248F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe
        
        C:\Windows\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
        
        C:\Windows\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
        
        C:\Windows\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe
        
        C:\Windows\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}.exe
        
        C:\Windows\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09FC1~1.EXE > nul
        12⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5789B~1.EXE > nul
        11⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{040F7~1.EXE > nul
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99FD8~1.EXE > nul
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56051~1.EXE > nul
        8⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC906~1.EXE > nul
        7⤵
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D49E6~1.EXE > nul
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBF91~1.EXE > nul
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F22BE~1.EXE > nul
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35BEF~1.EXE > nul
    3⤵
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{040F7890-6ABD-4f94-B7CA-2810BB9CFF43}.exe

Filesize
197KB

MD5
579c3439ddf0259278d79daf346f6136

SHA1
ff8b1a1df81438be202f7db4a0345baea2e6742b

SHA256
2e09383379e7ab3348350b7415cbfaaba02d131443e2a1cc0c145585691b2aff

SHA512
65f5f196ce22e4053a0b2483f2c06b6d708076854d273a43e9d5c9f2d7b7a5459a6f6a42f26a19b846fe8de4e624310bddc52a6476ccc06cd26f2e57d9d910b6

Download Submit
C:\Windows\{09FC120A-CAEF-4a67-AF92-68F7D11639EB}.exe

Filesize
197KB

MD5
28dcf907f370233948c73f1c9917a501

SHA1
c201c281aa03ee6f35a6dc8fa61139924bb044e8

SHA256
be30e7084ced6bcf968d33b9dca30e1112c4c55b07a210d49864babb5163fe94

SHA512
934158c4ee18c6ff71cbc4dd98f8b26f6f950dc90fffd3d158dcb96bbb1359bdc69a648c66bee60c1854ec348c1c3213f879f499674725b6df07c208845f519f

Download Submit
C:\Windows\{35BEFAE6-5B5D-423f-826C-694192D756D5}.exe

Filesize
197KB

MD5
82b68431c302610ff88624b24e41410d

SHA1
5de4f48a69d3c5420cd7ee373f53046cb5c99974

SHA256
8308d9e3f89962071fd848657e73f58375a901d112f54f0e8bd2488ddb1d6c23

SHA512
aa33c9f0b26d94777fb2840c4488e46c965d139f3f5d088a9778cb17dc9275904a69e8c91ea07001b5d23fa90152a4d64387efe16adeb57ca9eaacf372947bd1

Download Submit
C:\Windows\{56051EAC-2C17-4882-8856-81C73F3248F8}.exe

Filesize
197KB

MD5
1835854edd0c57b72aeff0869ce65115

SHA1
4db83222a8825f4c2f37b5aff8b938078b5ca4ea

SHA256
aeb5e609cf4e5adb9b3d5e4da043ab2e8b066a20907b7e768458cb3137c77d14

SHA512
c596c152221ca603e2f71cfacc508bd5ba00629635ac07216bb1c34b80bb2bf1adcc95fc25169542e243aa4b5c40cd6e77927bcc3810770b6c4b04296288dfea

Download Submit
C:\Windows\{5789B8E1-FD31-478c-93D5-0CDD8CC1F1F0}.exe

Filesize
197KB

MD5
646c8b9678ce5056a0c0dd43c427425b

SHA1
5b4c8b4d34f1d7e1d79cfca0a00a4069e87bbbab

SHA256
be82446d7ae7d526a575d48ad67483d05c0016500fdaadceb0d7fc927751de01

SHA512
8931bb449f55bda0500f72074f1aef157e343f507cd445e2fb7df8452c05e84d0c2ba24030337a3f20ebdf927d48782abcf6614a344b3dd92c52dac7413c8532

Download Submit
C:\Windows\{99FD8A16-C7D4-447c-AE0D-CFBCA93AC52A}.exe

Filesize
197KB

MD5
d1cacc37dd99bbfef898e7be89596cc5

SHA1
357f83039cd509ad06982057a8d6df17d798a38e

SHA256
8327e24328b1e770529ddb1ea4056f9b149e1681a74c18732a6991434066b47a

SHA512
6bfa78bacedd18cbcaabef2c2c6eddfbdcf94efc63e5bbbea115647511e91d04032b34627a3d1c1207f23cab4f497d142073d2d8d9fd3f5d8744414b1294da89

Download Submit
C:\Windows\{C7A00AC2-C8ED-4bcc-8803-B9B48412B4CD}.exe

Filesize
197KB

MD5
8c2f26d1026f3bbd89838d7db755b663

SHA1
c959aae945b0502617f7a4af4382d7cab41d1855

SHA256
6522e374f86b36cc02bdcc0d9c80672e70143c19449936d426ca6a90326253ee

SHA512
874e4a579fe8d2cd441c8ade3e109f806de63a1b95edd87c5dd43106eef4e358e8dd6fa769346e09ace7ffe558a9ef721f2c41635ad50b659f69e6a9b53059a1

Download Submit
C:\Windows\{D49E647F-9AD3-4843-843C-B05F4807CDB1}.exe

Filesize
197KB

MD5
9e403fcd3fdeb17ad466a68c96b73df9

SHA1
a8526febea1d69229937480846841465f4b81c51

SHA256
9d8e5d9b466444d61692220986b2bad381c8929fc69df04016c669f6f1e84db0

SHA512
d78aea94a08c00d890babf3fc370744946a618abb92646afd0f5661f25cd3a83788f0b8bda968d5e0122bdaf97afa48c8e6b58431cb6b9b4ee5f10c84cca5967

Download Submit
C:\Windows\{DC906898-9382-48ef-9741-7513795E60A4}.exe

Filesize
197KB

MD5
50fa59a0d484dcb3af27d6cbbe5decfb

SHA1
9a9f79a33519f334641f8266e421306e6f16bc19

SHA256
6dc817bfebca5f36886fa7ee6486818972ec67d102b8370db14a69c9bf004dca

SHA512
4ac0e9467c5f6c4e6fb184581ddff0682e78a3099c33ab84a3c862d89a1ac83c34eccd049815d6efcd71fd6ba370d9267f15abaf821713124d2b8554304e1c76

Download Submit
C:\Windows\{EBF91559-01C2-4174-B987-D9E535A9BE57}.exe

Filesize
197KB

MD5
493458225328b9cb2efadfb27949ed82

SHA1
5465d972b339a46824de6095aeee2abafabea9cd

SHA256
7c540fe03cdb3f6430d0ddc56a4f31687e2987710f145fb44d01396655029f97

SHA512
70410f0851ed0df94e21510327cf1ddf9a1af8db4d0377b7892f421f6d912ce18c6108e6fd3bcba33080dd5b48d2c3fca53d49bbe3011b7d87289db615d5c425

Download Submit
C:\Windows\{F22BE17F-B353-437f-8535-A376ECC6B879}.exe

Filesize
197KB

MD5
9e51fd1cb8e553b4925683f47e9161c1

SHA1
0fd774197032f56a70b9ae1e1f31210eab0a6b33

SHA256
482e51dfd5a2461630079b1833d69a74a1c10f5c4965d75497ca5b28ce780e4d

SHA512
8d54628a0778327c342ee3a3c340d2751ebc94b5a87a6be743f4266e944969f805df24e5fd0fd846bbe287bb7d3c32c742eeaf78833a5458f8b2b0162df91eb4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads