8b47d879b2115f63dfd81bef703e3bc6dd6ae434cdec759bff06ebfefcaa5cb1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe
Size

204KB
MD5

451387bd220cbd03b118ba333c2900b2
SHA1

b87acebf5105ab42e781ce43b25dc92dc233f2d7
SHA256

8b47d879b2115f63dfd81bef703e3bc6dd6ae434cdec759bff06ebfefcaa5cb1
SHA512

0c7bd47fc9fb62e3622b2db9efaca6ed1b27fa216490b926be3127c8256f8b2584f5070c90c086f64474a0baf7a8c5ec2944aef1c565419334b0f0abe2b0fe01
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0owl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012331-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000013a88-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012331-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012331-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49640AE4-D1BD-49f6-9881-76E22C2A5837}\stubpath = "C:\\Windows\\{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe"	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C74634E1-BA19-4801-A991-7E622226BCE3}	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0209C83F-1C51-4a33-A664-C4669174C5C3}	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0209C83F-1C51-4a33-A664-C4669174C5C3}\stubpath = "C:\\Windows\\{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe"	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}\stubpath = "C:\\Windows\\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe"	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C74634E1-BA19-4801-A991-7E622226BCE3}\stubpath = "C:\\Windows\\{C74634E1-BA19-4801-A991-7E622226BCE3}.exe"	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}\stubpath = "C:\\Windows\\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe"	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE15442-589B-4c7d-8369-6A01E7450692}	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE15442-589B-4c7d-8369-6A01E7450692}\stubpath = "C:\\Windows\\{2DE15442-589B-4c7d-8369-6A01E7450692}.exe"	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}	{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}\stubpath = "C:\\Windows\\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}.exe"	{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}\stubpath = "C:\\Windows\\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe"	{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}\stubpath = "C:\\Windows\\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe"	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}\stubpath = "C:\\Windows\\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe"	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49640AE4-D1BD-49f6-9881-76E22C2A5837}	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}	{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}\stubpath = "C:\\Windows\\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe"	{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}	{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
2468	{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
2052	{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe
664	{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe
1400	{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
File created	C:\Windows\{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
File created	C:\Windows\{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
File created	C:\Windows\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe	{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
File created	C:\Windows\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}.exe	{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe
File created	C:\Windows\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe
File created	C:\Windows\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
File created	C:\Windows\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
File created	C:\Windows\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
File created	C:\Windows\{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
File created	C:\Windows\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe	{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
Token: SeIncBasePriorityPrivilege	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
Token: SeIncBasePriorityPrivilege	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
Token: SeIncBasePriorityPrivilege	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
Token: SeIncBasePriorityPrivilege	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
Token: SeIncBasePriorityPrivilege	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
Token: SeIncBasePriorityPrivilege	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
Token: SeIncBasePriorityPrivilege	2468	{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
Token: SeIncBasePriorityPrivilege	2052	{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe
Token: SeIncBasePriorityPrivilege	664	{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2472	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	28
PID 2184 wrote to memory of 2472	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	28
PID 2184 wrote to memory of 2472	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	28
PID 2184 wrote to memory of 2472	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	28
PID 2184 wrote to memory of 2484	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	29
PID 2184 wrote to memory of 2484	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	29
PID 2184 wrote to memory of 2484	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	29
PID 2184 wrote to memory of 2484	2184	2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe	29
PID 2472 wrote to memory of 2512	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	30
PID 2472 wrote to memory of 2512	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	30
PID 2472 wrote to memory of 2512	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	30
PID 2472 wrote to memory of 2512	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	30
PID 2472 wrote to memory of 2496	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	31
PID 2472 wrote to memory of 2496	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	31
PID 2472 wrote to memory of 2496	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	31
PID 2472 wrote to memory of 2496	2472	{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe	31
PID 2512 wrote to memory of 2304	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	32
PID 2512 wrote to memory of 2304	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	32
PID 2512 wrote to memory of 2304	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	32
PID 2512 wrote to memory of 2304	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	32
PID 2512 wrote to memory of 2424	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	33
PID 2512 wrote to memory of 2424	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	33
PID 2512 wrote to memory of 2424	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	33
PID 2512 wrote to memory of 2424	2512	{C74634E1-BA19-4801-A991-7E622226BCE3}.exe	33
PID 2304 wrote to memory of 2396	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	36
PID 2304 wrote to memory of 2396	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	36
PID 2304 wrote to memory of 2396	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	36
PID 2304 wrote to memory of 2396	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	36
PID 2304 wrote to memory of 1360	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	37
PID 2304 wrote to memory of 1360	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	37
PID 2304 wrote to memory of 1360	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	37
PID 2304 wrote to memory of 1360	2304	{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe	37
PID 2396 wrote to memory of 2660	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	38
PID 2396 wrote to memory of 2660	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	38
PID 2396 wrote to memory of 2660	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	38
PID 2396 wrote to memory of 2660	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	38
PID 2396 wrote to memory of 2724	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	39
PID 2396 wrote to memory of 2724	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	39
PID 2396 wrote to memory of 2724	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	39
PID 2396 wrote to memory of 2724	2396	{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe	39
PID 2660 wrote to memory of 1776	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	40
PID 2660 wrote to memory of 1776	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	40
PID 2660 wrote to memory of 1776	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	40
PID 2660 wrote to memory of 1776	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	40
PID 2660 wrote to memory of 1520	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	41
PID 2660 wrote to memory of 1520	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	41
PID 2660 wrote to memory of 1520	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	41
PID 2660 wrote to memory of 1520	2660	{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe	41
PID 1776 wrote to memory of 2268	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	42
PID 1776 wrote to memory of 2268	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	42
PID 1776 wrote to memory of 2268	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	42
PID 1776 wrote to memory of 2268	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	42
PID 1776 wrote to memory of 1484	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	43
PID 1776 wrote to memory of 1484	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	43
PID 1776 wrote to memory of 1484	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	43
PID 1776 wrote to memory of 1484	1776	{2DE15442-589B-4c7d-8369-6A01E7450692}.exe	43
PID 2268 wrote to memory of 2468	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	44
PID 2268 wrote to memory of 2468	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	44
PID 2268 wrote to memory of 2468	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	44
PID 2268 wrote to memory of 2468	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	44
PID 2268 wrote to memory of 1128	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	45
PID 2268 wrote to memory of 1128	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	45
PID 2268 wrote to memory of 1128	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	45
PID 2268 wrote to memory of 1128	2268	{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_451387bd220cbd03b118ba333c2900b2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
  C:\Windows\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
    C:\Windows\{C74634E1-BA19-4801-A991-7E622226BCE3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
      C:\Windows\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
        
        C:\Windows\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
        
        C:\Windows\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
        
        C:\Windows\{2DE15442-589B-4c7d-8369-6A01E7450692}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
        
        C:\Windows\{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
        
        C:\Windows\{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe
        
        C:\Windows\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe
        
        C:\Windows\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}.exe
        
        C:\Windows\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24309~1.EXE > nul
        12⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13828~1.EXE > nul
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0209C~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49640~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE15~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1225~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8AD6~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C691~1.EXE > nul
        5⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7463~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87FE7~1.EXE > nul
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0209C83F-1C51-4a33-A664-C4669174C5C3}.exe

Filesize
204KB

MD5
1f40ae596bca326b5158b60b7e0470dc

SHA1
0a25812a41c649ee6d20ea5f9ea9eb63145b53cd

SHA256
69f5d0f5b62910c5301b1d8514f98640dedc5e9f97b40bae77c553108aed4aca

SHA512
c6c11eea85561ee8a60cf23cfd4b460a02a532aa134f42d42a24343f845eb47f81b44546b51e1a71661de188cc2f4687c13af84331a0df164b3de126a7dfbf1b

Download Submit
C:\Windows\{13828A8D-8CF7-4590-90A2-4C8D260AD17C}.exe

Filesize
204KB

MD5
32af046d4088b88e15f27b4b0c06a1f7

SHA1
25ff13a7b56498cefa5e3b7645ab523b4cc83e5c

SHA256
60ca1aa0aca236e5dc3d832b9565c9175aa182fa8557d70bff33039e052384a6

SHA512
000bba7ebc7a9a1d2f1d0ec7d4b7bfffad81833e467fb3629bfdd72d863b7bfe8d0960af534587fde7e613b81fb4304900b1d3c5d895b516a9c28c492a94750d

Download Submit
C:\Windows\{24309DEB-D2EF-4d8b-A802-C0D9F297686C}.exe

Filesize
204KB

MD5
b11065e136f03684fd2d9e577ca27b42

SHA1
7d8f90670ed8faa6c24820c36ae0a3b2acd5f17a

SHA256
ed02be82a41107559ed94e6888228351db48d9814b79534b8925a59ab21ff3cc

SHA512
a6fc2a946f2facc247e9c3ee0879e6b2771731440ca6dea90f7fb39b246e4eb6c553a96aed1d70591fbe557edeb8c7b8a260cc45373ae941bc66fe0d5fe7210c

Download Submit
C:\Windows\{2DE15442-589B-4c7d-8369-6A01E7450692}.exe

Filesize
204KB

MD5
10cdcd01842c1e7d6be57ed7ae740b34

SHA1
ba5e88a1a319e01ef6a3cfa3262cffef34770f75

SHA256
bd9631a75b669311ed9db6097140c9c9b76323705ea4cb17e73f041e19cc84a8

SHA512
3747d16efeba3f526f7fe324db3609f6e075b6b952bcf302156962ce9b27a2f613f7a982ce1c993433df7e09082e08fa97d6fafe1ac7e48c0495aa407fbc1fda

Download Submit
C:\Windows\{49640AE4-D1BD-49f6-9881-76E22C2A5837}.exe

Filesize
204KB

MD5
c4725919965b01a326d905925bb8b139

SHA1
62425bc72ba9be39142e2e91f28b10eb4703be2d

SHA256
cc1a1a6428fd5e56ff6f5b5cce30f28a8bc568998280370aef406d56da7b80c6

SHA512
8675e2f88081948f1138b009a8e0dfedb69bee3edf7eeeab27d2a27ead08e1ecbbae09f7e856bb1f0e832af7ad8ddd205ef57e4c4f6f6e90b4deb3f58c6815cd

Download Submit
C:\Windows\{87FE7CEF-65AA-47c8-8DEC-3ECE63D29B8A}.exe

Filesize
204KB

MD5
47457be9c7b9595a88367b1af6d34ea9

SHA1
b3cdb691a974510761c3a623d600d1e31b7eeadd

SHA256
fecd4c33e0380742a51ff7f8be7a04cac6586ab6b413e6a85fad8c6f2224b127

SHA512
7cfbd265917b3931caf261397979fe979a04d8c84c36e5e74ce61e5012eafa931b692662cd70294023b16f351b8dc312170a92c9996a59f56e0a92e98d5dac19

Download Submit
C:\Windows\{9C69191F-8DA1-4ab0-94A5-15B875B5C83E}.exe

Filesize
204KB

MD5
c5c1d73c14ee212cdc1c66acbb1200a5

SHA1
63f21beab4ff47bb36efb275dc001e1a580e91bd

SHA256
6404e6319dbd065e38905068cc808852042ab60bc84fba339fd3c9df269c27c5

SHA512
e4fb9353e6e08957ea828344501a022df95bc14db229701f109533da2e1a2ba8746733903b621096a8d978335d5269bdc814e1941b2defcc6ac649e87ebbd04c

Download Submit
C:\Windows\{9E69CD2C-DA3C-443d-B380-2A2CCB010E95}.exe

Filesize
204KB

MD5
b9466c26734d67f2b6a868ceb0f1b36a

SHA1
c6f425a70d8c39eb23f8bc869c815ab7e70a0cca

SHA256
4f5a53d95040d36314d49ea351124b5b0d70e9ffc588302974674a6e6c7be19c

SHA512
e66293d21f0d83444a1e610a0f5e1156fca8f29af8dc45540eaac462aab9d6d627c290e35a21831638d36c714ffcff365026d760d604e5043d5bf7908f20f39c

Download Submit
C:\Windows\{C74634E1-BA19-4801-A991-7E622226BCE3}.exe

Filesize
204KB

MD5
715c60f0577eb5728b2935ee81c2b391

SHA1
2f153db994c0d4d7db26cc4b2a142b9d8443856d

SHA256
0e14a88276cb9b17afbe6b45cd3ee22f97c40006140dd302b7da52dfd4d79d35

SHA512
b2c04abbd11e8d8f519cf110fb025b78b9f69d458cb0f858a63ca7d8861e6d756533ad342c3ee0186fcf62a3691c8b84fdf8933c9cb13112d494005ee4dcff67

Download Submit
C:\Windows\{D8AD60CC-0E0C-4b48-90D5-B152A31DCC90}.exe

Filesize
204KB

MD5
efd204c03688d9034bbbf52583bf6c1b

SHA1
e41c9bae28c6a910d2e1525e80910188d31492cf

SHA256
aa3b88f5525b2c289bb250c160e847a4c84d4e8b651ed4e36329685b561ae9f7

SHA512
b46b11846977ba184e83fdea9e1f9d5bbfbf242a2b3d9f7c97d6970e8c61c8faafa4cef9d890132b26a3c38f11aa2aea18c9633ea21208a8c65179e05ab1a002

Download Submit
C:\Windows\{F12253C3-1F35-45a5-82CE-2CDC5DBC078F}.exe

Filesize
204KB

MD5
8a551ee9e195acfbd5e60618061b8a78

SHA1
4c5ba729ab9855c020ba52330e1735e05e145972

SHA256
b8bcbe53d4b9e1b5d129b58c32388c346d12c78b7b02eef5860a496b3453119f

SHA512
ec8ec52084c8cd6ac12fd23d8d222c3f4ddc728b332758c59e88c0f0551d59fde3ffb05044c91c2a7f87967dff3ecfae758fa4f424518cf548a0e14740ae57e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads