b1200da047520f89c8a7329d769d455c3c5e30191d5ab3b63fd780395eed5c76

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Size

372KB
MD5

c6e7a3dd3d088b8f333aa3964a537761
SHA1

ac6cd55a7f34d5563385e11a8edf887e7ced9808
SHA256

b1200da047520f89c8a7329d769d455c3c5e30191d5ab3b63fd780395eed5c76
SHA512

7b56e5efeb4a336af2b7c0a09997be3cc7195fc8eed478f31daa7895a75e3981650c37afb05cb1b699464a6418379f37af665d5f3241abf8209e1877466cc592
SSDEEP

3072:CEGh0oDlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG5lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014708-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014b63-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014b63-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014b63-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014baa-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014b63-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014baa-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014b63-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9510DF5B-024F-4c13-9129-977DD18D1D36}	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}\stubpath = "C:\\Windows\\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe"	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{293388FD-1A0B-469e-B032-DE530A25D249}\stubpath = "C:\\Windows\\{293388FD-1A0B-469e-B032-DE530A25D249}.exe"	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}\stubpath = "C:\\Windows\\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe"	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}\stubpath = "C:\\Windows\\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe"	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214FBF18-8D59-437a-B4D6-5A78A951B13A}	{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}\stubpath = "C:\\Windows\\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe"	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407FC583-16D1-473b-A3C6-B4A745541B68}\stubpath = "C:\\Windows\\{407FC583-16D1-473b-A3C6-B4A745541B68}.exe"	{293388FD-1A0B-469e-B032-DE530A25D249}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}	{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}\stubpath = "C:\\Windows\\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe"	{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D900E08-DED6-4c9d-A031-894B21478D7E}	{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9510DF5B-024F-4c13-9129-977DD18D1D36}\stubpath = "C:\\Windows\\{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe"	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{293388FD-1A0B-469e-B032-DE530A25D249}	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}\stubpath = "C:\\Windows\\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe"	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407FC583-16D1-473b-A3C6-B4A745541B68}	{293388FD-1A0B-469e-B032-DE530A25D249}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214FBF18-8D59-437a-B4D6-5A78A951B13A}\stubpath = "C:\\Windows\\{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe"	{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D900E08-DED6-4c9d-A031-894B21478D7E}\stubpath = "C:\\Windows\\{9D900E08-DED6-4c9d-A031-894B21478D7E}.exe"	{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe

Deletes itself 1 IoCs

pid	Process
2160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe
2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
268	{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
856	{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
2416	{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe
1944	{9D900E08-DED6-4c9d-A031-894B21478D7E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
File created	C:\Windows\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
File created	C:\Windows\{293388FD-1A0B-469e-B032-DE530A25D249}.exe	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
File created	C:\Windows\{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	{293388FD-1A0B-469e-B032-DE530A25D249}.exe
File created	C:\Windows\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
File created	C:\Windows\{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe	{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
File created	C:\Windows\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
File created	C:\Windows\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
File created	C:\Windows\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
File created	C:\Windows\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe	{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
File created	C:\Windows\{9D900E08-DED6-4c9d-A031-894B21478D7E}.exe	{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
Token: SeIncBasePriorityPrivilege	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
Token: SeIncBasePriorityPrivilege	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
Token: SeIncBasePriorityPrivilege	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe
Token: SeIncBasePriorityPrivilege	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
Token: SeIncBasePriorityPrivilege	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
Token: SeIncBasePriorityPrivilege	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
Token: SeIncBasePriorityPrivilege	268	{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
Token: SeIncBasePriorityPrivilege	856	{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
Token: SeIncBasePriorityPrivilege	2416	{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2292	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	28
PID 2056 wrote to memory of 2292	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	28
PID 2056 wrote to memory of 2292	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	28
PID 2056 wrote to memory of 2292	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	28
PID 2056 wrote to memory of 2160	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	29
PID 2056 wrote to memory of 2160	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	29
PID 2056 wrote to memory of 2160	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	29
PID 2056 wrote to memory of 2160	2056	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	29
PID 2292 wrote to memory of 2572	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	30
PID 2292 wrote to memory of 2572	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	30
PID 2292 wrote to memory of 2572	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	30
PID 2292 wrote to memory of 2572	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	30
PID 2292 wrote to memory of 2156	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	31
PID 2292 wrote to memory of 2156	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	31
PID 2292 wrote to memory of 2156	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	31
PID 2292 wrote to memory of 2156	2292	{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe	31
PID 2572 wrote to memory of 2840	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	32
PID 2572 wrote to memory of 2840	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	32
PID 2572 wrote to memory of 2840	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	32
PID 2572 wrote to memory of 2840	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	32
PID 2572 wrote to memory of 2612	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	33
PID 2572 wrote to memory of 2612	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	33
PID 2572 wrote to memory of 2612	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	33
PID 2572 wrote to memory of 2612	2572	{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe	33
PID 2840 wrote to memory of 3068	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	36
PID 2840 wrote to memory of 3068	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	36
PID 2840 wrote to memory of 3068	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	36
PID 2840 wrote to memory of 3068	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	36
PID 2840 wrote to memory of 2844	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	37
PID 2840 wrote to memory of 2844	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	37
PID 2840 wrote to memory of 2844	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	37
PID 2840 wrote to memory of 2844	2840	{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe	37
PID 3068 wrote to memory of 2992	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	38
PID 3068 wrote to memory of 2992	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	38
PID 3068 wrote to memory of 2992	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	38
PID 3068 wrote to memory of 2992	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	38
PID 3068 wrote to memory of 3048	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	39
PID 3068 wrote to memory of 3048	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	39
PID 3068 wrote to memory of 3048	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	39
PID 3068 wrote to memory of 3048	3068	{293388FD-1A0B-469e-B032-DE530A25D249}.exe	39
PID 2992 wrote to memory of 1936	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	40
PID 2992 wrote to memory of 1936	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	40
PID 2992 wrote to memory of 1936	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	40
PID 2992 wrote to memory of 1936	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	40
PID 2992 wrote to memory of 1028	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	41
PID 2992 wrote to memory of 1028	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	41
PID 2992 wrote to memory of 1028	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	41
PID 2992 wrote to memory of 1028	2992	{407FC583-16D1-473b-A3C6-B4A745541B68}.exe	41
PID 1936 wrote to memory of 2172	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	42
PID 1936 wrote to memory of 2172	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	42
PID 1936 wrote to memory of 2172	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	42
PID 1936 wrote to memory of 2172	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	42
PID 1936 wrote to memory of 2804	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	43
PID 1936 wrote to memory of 2804	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	43
PID 1936 wrote to memory of 2804	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	43
PID 1936 wrote to memory of 2804	1936	{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe	43
PID 2172 wrote to memory of 268	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	44
PID 2172 wrote to memory of 268	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	44
PID 2172 wrote to memory of 268	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	44
PID 2172 wrote to memory of 268	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	44
PID 2172 wrote to memory of 1100	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	45
PID 2172 wrote to memory of 1100	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	45
PID 2172 wrote to memory of 1100	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	45
PID 2172 wrote to memory of 1100	2172	{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
  C:\Windows\{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
    C:\Windows\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
      C:\Windows\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{293388FD-1A0B-469e-B032-DE530A25D249}.exe
        
        C:\Windows\{293388FD-1A0B-469e-B032-DE530A25D249}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
        
        C:\Windows\{407FC583-16D1-473b-A3C6-B4A745541B68}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
        
        C:\Windows\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
        
        C:\Windows\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
        
        C:\Windows\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
        
        C:\Windows\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe
        
        C:\Windows\{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{9D900E08-DED6-4c9d-A031-894B21478D7E}.exe
        
        C:\Windows\{9D900E08-DED6-4c9d-A031-894B21478D7E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{214FB~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06F72~1.EXE > nul
        11⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F912~1.EXE > nul
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26D8F~1.EXE > nul
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{555E1~1.EXE > nul
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{407FC~1.EXE > nul
        7⤵
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29338~1.EXE > nul
        6⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F06~1.EXE > nul
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E08~1.EXE > nul
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9510D~1.EXE > nul
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06F72CA8-F2C3-45a8-B65A-3B9F0FE36367}.exe

Filesize
372KB

MD5
92046efe7b4a75bf0487f799f1dfcc9e

SHA1
00243ad71615d2aaacb31ca5be4a76986102c743

SHA256
668a7b6b3786709eddc16da38487331e3bb84fd9ab7e4fcd7d40d5136ab5b25d

SHA512
df10bbbe90d3fa28b233168b1df96e51375e256e04ce756c0696540a80f60918b9f4feff8df6d45d79fcf5abd73e2b1fb3b3d69e8145ff9956b3b2ee1b343885

Download Submit
C:\Windows\{214FBF18-8D59-437a-B4D6-5A78A951B13A}.exe

Filesize
372KB

MD5
7ed8233a8d1db2dcce0c70e95218ecc8

SHA1
b93b1a539e8b0556dadeb1e169dd68ca18d2e5d4

SHA256
bfa269384d9ff61998bed5c8cdd53bc08868de07f61327552ae57bd121ea8063

SHA512
e5695a46b71ef19ef7f7b52659e18829e32b91f11cc51d686c87b439bdb9da16ca282264b1b62d2cb92abf1365291ad81121836ccf3b5390c9aa97648d73b4e2

Download Submit
C:\Windows\{26D8F4E5-BCC0-4c79-8528-5CAA8C0767FA}.exe

Filesize
372KB

MD5
08a118fc4b318aa56225a86c1a71f8a9

SHA1
d95c9a0ab0362f24c8380f19c4b22ec0852d7a4e

SHA256
eb7c2df91d3a757c2c769773a5a8ebd8e4c72897bf378b447b1f8a3013214724

SHA512
8498483dcddc35a93f435b26d3c00cec7523a0a6cf8f80e5cf67af148edde77c578799d408209899f5841e8f7001f08d282fbf5a1eef56c0e8016926430c6425

Download Submit
C:\Windows\{293388FD-1A0B-469e-B032-DE530A25D249}.exe

Filesize
372KB

MD5
c0b9f80ef211bef68d3f17aa6b1d889f

SHA1
21ce6d9993790354973c66b99ec70c553a19dba7

SHA256
786b2ae20c78afcd918267482c00691c69eaaacbdbaa06dbb70ab0d74b83e812

SHA512
ce5db07dbed499a450af724be3f404de737cc52a23d8482467cc32d376ef555c465b8e13a546aa3d2d8eaeec64edbced4bb72567633f3d53fb22bc1c0715051e

Download Submit
C:\Windows\{407FC583-16D1-473b-A3C6-B4A745541B68}.exe

Filesize
372KB

MD5
236d7c25f4a156cb76f0529d8237b14a

SHA1
86e8d42fa4c634ae34e0022554e53d82b279be10

SHA256
cd87256b2604f6456d2cce657b6e1c498e032c1ac87a0ee42433d81f87c9f91e

SHA512
fef8551f66b451dc08d1c6ad015dfb2d1a700ae6cec7df27c3f5ea0669270015257dbf17ea7c2801e161cdbcbc8013e794875a8aca2fe81929371cf4f5ed6d66

Download Submit
C:\Windows\{555E14DE-6F79-4600-9C81-270CF2BA8CCF}.exe

Filesize
372KB

MD5
123ae7f5db092cae2e5047d1733dab2a

SHA1
4721358e5a325ee0b8aa8b7da477355590392946

SHA256
1c5fd755fc73e48c74e427cba6a93f232c8fec0addafbde05ec9fc8fe5fb2684

SHA512
54e28f552b8fd4a1fa0495da77d0cb92f2603e1f79d646e204556918db25fee5e4abb49e66b27224cd69d2e321f353dbb91c6974ac48309d59d221b65ac5e24b

Download Submit
C:\Windows\{5F912B66-96E4-4d4d-BB83-13BEEFAF2F8B}.exe

Filesize
372KB

MD5
1543f5765f7170fb27c5e1f57d60ac84

SHA1
274b09f03bd29297e15d3ed603ff9c6ae5aa2f9d

SHA256
14a53b24bd9600cd5b8c3264b127c51aa640df5a96fc895cfee09f4690b12c74

SHA512
a90501f61e48f4e9339264de043e26abc00fa69322e6afa1690bdb2b05e279fe899c170f9e305d356a8ccaaad514976a54b01a8538b3eb3ca05d8645b2235ead

Download Submit
C:\Windows\{9510DF5B-024F-4c13-9129-977DD18D1D36}.exe

Filesize
372KB

MD5
ea91d0d79dde86a2c566bfca4098ed72

SHA1
f4ae3d65276e9b6b5340d82b11e2afd52a9c5c3f

SHA256
de5f93db96063fb4afa57593ed1a5a9961ff634579a7c45cd8b4fb9505748c83

SHA512
4929bd0e2272392fa2e105b177807664f1751e342bc9dc2a26ce2143ab480aa48726aef5e949acde278c4d053872189d71b895eed7ed81fc7aeef9feeec552de

Download Submit
C:\Windows\{9D900E08-DED6-4c9d-A031-894B21478D7E}.exe

Filesize
372KB

MD5
313ece6334485e49934e4cb2be3a9a69

SHA1
a578b8f19b62d11dd6b759cfe2995fcc4fe06d29

SHA256
d0d2a56cef04618d27c1f2f3e30d84a61f7b12ff7b42f83648ec3485f97ce437

SHA512
e0480b026e09b80489f21ade37c9d9ca679218da53feba880963845f56f408d7f8ec4b2aa1fd5cfd99d7ff3461b9ec035448b0aba6a5898210c55e5359f1f5ea

Download Submit
C:\Windows\{A7E085B8-4A3A-4975-BA46-5B40B3E1B52A}.exe

Filesize
372KB

MD5
501b751b57742e31e256e2445f9511d1

SHA1
e85a356af1e0d4f6c32b3223bd2d0e859216787f

SHA256
99c0d47da5099ee717169424a41ec4fa3f47de4bc1002e4a5c26c0b1e3762e15

SHA512
549d1fbd201c919f5c4d5f66acef691525e9642d65856cf2c41117d31852dd94212d98600b84dba2fc572f575fc9762fcd6676791e48aa8da5a63fbfa731a442

Download Submit
C:\Windows\{D0F06ADD-741B-4e11-A0EC-9BD42FE15318}.exe

Filesize
372KB

MD5
00f4ed7dc8260a0629442143b2972520

SHA1
f9007222147b472b002243da248686fb8404bd8e

SHA256
37ed4f3c5f46422c3aedb551f8e666a0c265b3b55999f4abc7f8443a6c1addf0

SHA512
cc4f3d1197da9861531dcec942781a6c6cd7cf611b00773cfeb937f007a87f371f5216f3162fc1ab5e37b51f824350e8cfe46c91472d4de1c28673ecf807174f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads