66ecce6430c8fd9f7508764e7cf0a563dd90f16196b87d0b82c58d8437d2154c

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe
Size

168KB
MD5

56102798356784bd395cfec9fec86a57
SHA1

ad67dd0f6520b3a746f69735f95063c1269aa355
SHA256

66ecce6430c8fd9f7508764e7cf0a563dd90f16196b87d0b82c58d8437d2154c
SHA512

23d6f559e8b86dcf4bf08bb3d36cbc77cc253c3a10e420dfd37743fbcc84e20d007df1be30ed8980bf8b2ed31962a6f1431e79cd0e6cc3fc929e6b7c14fada52
SSDEEP

1536:1EGh0oglq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oglqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016332-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c23-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016332-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016332-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016c23-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c90-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016c23-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016c90-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}\stubpath = "C:\\Windows\\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe"	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}	{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}\stubpath = "C:\\Windows\\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}.exe"	{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}\stubpath = "C:\\Windows\\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe"	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}	{81149485-9761-4015-B32C-E8CC46D60A33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C907925-0E21-47b6-9483-ECEB4F301843}\stubpath = "C:\\Windows\\{4C907925-0E21-47b6-9483-ECEB4F301843}.exe"	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}\stubpath = "C:\\Windows\\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe"	{81149485-9761-4015-B32C-E8CC46D60A33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C907925-0E21-47b6-9483-ECEB4F301843}	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}\stubpath = "C:\\Windows\\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe"	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}\stubpath = "C:\\Windows\\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe"	{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D240640-6E76-4174-BE4D-8671748BB5DC}	{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81149485-9761-4015-B32C-E8CC46D60A33}	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81149485-9761-4015-B32C-E8CC46D60A33}\stubpath = "C:\\Windows\\{81149485-9761-4015-B32C-E8CC46D60A33}.exe"	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D240640-6E76-4174-BE4D-8671748BB5DC}\stubpath = "C:\\Windows\\{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe"	{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}\stubpath = "C:\\Windows\\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe"	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}\stubpath = "C:\\Windows\\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe"	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}	{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe
2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
2972	{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe
1920	{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
2124	{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe
2316	{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
File created	C:\Windows\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
File created	C:\Windows\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
File created	C:\Windows\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
File created	C:\Windows\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe
File created	C:\Windows\{81149485-9761-4015-B32C-E8CC46D60A33}.exe	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
File created	C:\Windows\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	{81149485-9761-4015-B32C-E8CC46D60A33}.exe
File created	C:\Windows\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
File created	C:\Windows\{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe	{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
File created	C:\Windows\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe	{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe
File created	C:\Windows\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}.exe	{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
Token: SeIncBasePriorityPrivilege	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe
Token: SeIncBasePriorityPrivilege	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
Token: SeIncBasePriorityPrivilege	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
Token: SeIncBasePriorityPrivilege	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
Token: SeIncBasePriorityPrivilege	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
Token: SeIncBasePriorityPrivilege	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
Token: SeIncBasePriorityPrivilege	2972	{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe
Token: SeIncBasePriorityPrivilege	1920	{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
Token: SeIncBasePriorityPrivilege	2124	{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2904	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	28
PID 1772 wrote to memory of 2904	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	28
PID 1772 wrote to memory of 2904	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	28
PID 1772 wrote to memory of 2904	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	28
PID 1772 wrote to memory of 2684	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	29
PID 1772 wrote to memory of 2684	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	29
PID 1772 wrote to memory of 2684	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	29
PID 1772 wrote to memory of 2684	1772	2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe	29
PID 2904 wrote to memory of 2080	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	32
PID 2904 wrote to memory of 2080	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	32
PID 2904 wrote to memory of 2080	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	32
PID 2904 wrote to memory of 2080	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	32
PID 2904 wrote to memory of 1600	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	33
PID 2904 wrote to memory of 1600	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	33
PID 2904 wrote to memory of 1600	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	33
PID 2904 wrote to memory of 1600	2904	{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe	33
PID 2080 wrote to memory of 2480	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	34
PID 2080 wrote to memory of 2480	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	34
PID 2080 wrote to memory of 2480	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	34
PID 2080 wrote to memory of 2480	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	34
PID 2080 wrote to memory of 2436	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	35
PID 2080 wrote to memory of 2436	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	35
PID 2080 wrote to memory of 2436	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	35
PID 2080 wrote to memory of 2436	2080	{81149485-9761-4015-B32C-E8CC46D60A33}.exe	35
PID 2480 wrote to memory of 3052	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	36
PID 2480 wrote to memory of 3052	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	36
PID 2480 wrote to memory of 3052	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	36
PID 2480 wrote to memory of 3052	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	36
PID 2480 wrote to memory of 928	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	37
PID 2480 wrote to memory of 928	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	37
PID 2480 wrote to memory of 928	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	37
PID 2480 wrote to memory of 928	2480	{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe	37
PID 3052 wrote to memory of 1512	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	38
PID 3052 wrote to memory of 1512	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	38
PID 3052 wrote to memory of 1512	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	38
PID 3052 wrote to memory of 1512	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	38
PID 3052 wrote to memory of 1944	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	39
PID 3052 wrote to memory of 1944	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	39
PID 3052 wrote to memory of 1944	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	39
PID 3052 wrote to memory of 1944	3052	{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe	39
PID 1512 wrote to memory of 2868	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	40
PID 1512 wrote to memory of 2868	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	40
PID 1512 wrote to memory of 2868	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	40
PID 1512 wrote to memory of 2868	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	40
PID 1512 wrote to memory of 3064	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	41
PID 1512 wrote to memory of 3064	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	41
PID 1512 wrote to memory of 3064	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	41
PID 1512 wrote to memory of 3064	1512	{4C907925-0E21-47b6-9483-ECEB4F301843}.exe	41
PID 2868 wrote to memory of 2324	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	42
PID 2868 wrote to memory of 2324	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	42
PID 2868 wrote to memory of 2324	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	42
PID 2868 wrote to memory of 2324	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	42
PID 2868 wrote to memory of 2352	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	43
PID 2868 wrote to memory of 2352	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	43
PID 2868 wrote to memory of 2352	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	43
PID 2868 wrote to memory of 2352	2868	{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe	43
PID 2324 wrote to memory of 2972	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	44
PID 2324 wrote to memory of 2972	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	44
PID 2324 wrote to memory of 2972	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	44
PID 2324 wrote to memory of 2972	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	44
PID 2324 wrote to memory of 1996	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	45
PID 2324 wrote to memory of 1996	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	45
PID 2324 wrote to memory of 1996	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	45
PID 2324 wrote to memory of 1996	2324	{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_56102798356784bd395cfec9fec86a57_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
  C:\Windows\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{81149485-9761-4015-B32C-E8CC46D60A33}.exe
    C:\Windows\{81149485-9761-4015-B32C-E8CC46D60A33}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
      C:\Windows\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
        
        C:\Windows\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
        
        C:\Windows\{4C907925-0E21-47b6-9483-ECEB4F301843}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
        
        C:\Windows\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
        
        C:\Windows\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe
        
        C:\Windows\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
        
        C:\Windows\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe
        
        C:\Windows\{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}.exe
        
        C:\Windows\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D240~1.EXE > nul
        12⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36E92~1.EXE > nul
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9160~1.EXE > nul
        10⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF3E~1.EXE > nul
        9⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8DC~1.EXE > nul
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C907~1.EXE > nul
        7⤵
        
        PID:3064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48569~1.EXE > nul
        6⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF728~1.EXE > nul
        5⤵
        
        PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81149~1.EXE > nul
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{372E6~1.EXE > nul
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F8DCBBF-09FC-4eef-8C72-833372AF5396}.exe

Filesize
168KB

MD5
d764ee16439a584b91f7fe5162f78e50

SHA1
1a5d45a8f609d79404ed0692e9c9c4e6d40a1f78

SHA256
f8d5baad32301712ce79e2aefb813811cb06ffc78a4eddcd2215f69d3734efaf

SHA512
b2965bb4f21c94fe1516f2911b0a1ec3b3f81feebc235c64376729fe0a8e64173e76011a8a54b4557284aa3c90c5a6e7962a9e84d0ebc35a0d6db2de8fe42996

Download Submit
C:\Windows\{36E923F5-36DF-47f5-9D2D-EAC170FC5AA1}.exe

Filesize
168KB

MD5
b843074648ec934fb624d4960c6a7d90

SHA1
6d92f9a8f3434bdd62c2d8a7a115df74c6a93dd7

SHA256
a84f132fc1fa890ba1c356c44e565d0c334632fad11ac7db943516ffe4d6b629

SHA512
3e90f3bce1e643e67601edfca95f2520d4345bc67e5f39691e641aeb9b4707b91d8a1b3fee04ba271b1d5fe9f76c511ef2f36057bd50b40553501260c014ba4a

Download Submit
C:\Windows\{372E6235-35C2-4d1e-92CA-076B98EC6CD4}.exe

Filesize
168KB

MD5
92690c638c829095d0ed51bbe607026c

SHA1
a360a859bcd9546ca4812d3c48a8637931198a80

SHA256
8441041fb8953923aa0bf8a3125a4ba48c6d7659f030af9352fd5c96c5dbbc66

SHA512
67d7b29015bd2cb0ba9c3e71c68b4931e611c2bf4e84f0c0ea85811fd16213f34a9937a8d8db162b55010a25955e759922409bb37207936ef7c2a2cec775f9bb

Download Submit
C:\Windows\{48569A37-EF5E-44c7-8BED-05E747E2CCD8}.exe

Filesize
168KB

MD5
73e05650f89b7868246b3c24b36d1177

SHA1
66a7f8686cd6a7a31c1cbb2b20ec50d3ce27d1e8

SHA256
92617afadbc1b30ea69a8cea35c79a07cb8afb7c1d0801de3b76963e01748328

SHA512
7c8b9deb2bb7dd14f9234e19130b6b7222b7472e9e34624f92d11227bb9e45cb770f6095fa94b7a23fc7c5b6dab0b18ba6d92823241c9613041b9b5afcb5d84e

Download Submit
C:\Windows\{4C907925-0E21-47b6-9483-ECEB4F301843}.exe

Filesize
168KB

MD5
54858183172f51be680fb348fd232ad5

SHA1
4a1f50607899535901f794f03c5d3d695fcaee38

SHA256
2de06fbcd476df827d5d2d892e27138335e1a00ce68bf2d2f2f717b3fb9d6302

SHA512
381295dbfa62eb14e25978e8a1b19f8d6232cabb1ef2fe421f0a1790baa2d126e6e492069009e3d9b44a9883803dc27172e51700374963d0bdfb04829607c0ca

Download Submit
C:\Windows\{4D240640-6E76-4174-BE4D-8671748BB5DC}.exe

Filesize
168KB

MD5
22f2701fea97215bc37993de6d1c4416

SHA1
4169e9c58193bd88eefcbb4ae1c1bb0bf16215d4

SHA256
bdda5ab0180eb850006e60994bc14303798295527663e3d90b0dfb1c4c83a3e4

SHA512
d5ac4824a2c99595cf0d35e95e33d894229e1c4bf6c3a5748821cf898ef7aaed6df84a5ec09c7c0a844d4ccd25da13e7faeb99fca15f15c75fd865e6558c1d43

Download Submit
C:\Windows\{81149485-9761-4015-B32C-E8CC46D60A33}.exe

Filesize
168KB

MD5
53d07525bae8eb24a3e2f911f9f4f9bc

SHA1
6010c908b9989e1a3d65f022082946123a54161e

SHA256
b091dd618f6efa6e0c2a8ace33cde57c42d1bea7c2bae64bc2347296906a3d9c

SHA512
3e6a7565ca457bc89f0dbcfb31a20487e6225483fde117df7a47c18d509ca4e2430ed6601d20268c8465a90add369d02ad16945b6b42bebc56001ec84e4bd322

Download Submit
C:\Windows\{ADF3E96E-3FE0-41e5-A044-272A3D6BD93C}.exe

Filesize
168KB

MD5
77c4daa36ee56597d2ad19d032814da2

SHA1
de933bb45f3f0ac35ece907933e7291aabfbe5f9

SHA256
2b87d4a8c05dc70015216c2f9ec90b92ef7277e23b9b9a19438ede0e083867ab

SHA512
95b324dc2ca321b77cf17e02ea99d441c8f4772d6ef20e556052a1b3e096db3bf4c9101527d8b94a2680745ff60ea3b4e551ede73a8178ef2275922a207f970a

Download Submit
C:\Windows\{BF7283CD-C92A-4602-9E8B-E7249B6163E4}.exe

Filesize
168KB

MD5
bb0ecaf4e397aa9c0d2725e6aadb95e6

SHA1
24061776f40a2653dbdfd652d77c6cb5ec0e395d

SHA256
5b37b5344d644b0f4b683644caa07fa34760f81194b5ccdfd4c07262de9b06a9

SHA512
935587c2d446d7940d35ba78a7c92f34e1f6fa774679caf28df10f462e1fbc9db66602a7924ea5e6eacfce001e696f4f82273efa78ceb98c7cf76a2b7d346f93

Download Submit
C:\Windows\{C91607E3-F72F-4850-A4FD-8A5C3163A8AF}.exe

Filesize
168KB

MD5
b5bd91cace87f2a35bf98fe80c8e221b

SHA1
d90bb2ec74e65311a9a9c6280cc48368a962aa6c

SHA256
a7ee706db9fb7cb7b0a24ae32076f6ec98d406f4ab4e7f9903d7dc2e8db06ffb

SHA512
05d6ddcddd34f7478b796e610835cf0c5c831aa863f981db61bd084110fa6baf48b1933010d3c1b29d7c7a534722a093387934b27edc86467fda4b3514e28302

Download Submit
C:\Windows\{EA75325E-AFCB-46ee-BBF6-4DA8E759955A}.exe

Filesize
168KB

MD5
112afed18ad054e4312c036fe556642b

SHA1
b98ff828daa0f8380ee0201a4ce04acfedfa34c6

SHA256
11f6d15900a419856022f6a7387855d8410a25216f907e12860ab9067c297002

SHA512
e11148d7609291c57f5f360d4e945d7e340234350020f379ccb1011379f5ad4b6c8726d1be72fcd0fcbb4c0c81d3b747ab4becaf9a58ba1d3fb39adf628a7b60

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads