0c5a7b45a8dd167245ed4d3bdc1df004ebfa7ee4d2f1b87571c053cc200f5896

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe
Size

204KB
MD5

bc6458578e99b42b726429e0a0ef5cf7
SHA1

7cf6e46f4f927613ac3d5f7ecf0c13aa39da2ab6
SHA256

0c5a7b45a8dd167245ed4d3bdc1df004ebfa7ee4d2f1b87571c053cc200f5896
SHA512

75485b70d14f29b9054ead86a8d0c463b2b2c73603342a5d9453d17b56fc8ccb6afdc21d30bf1e859eacbb5ad69551cfcacec3b58a8e605a9806e30b635b86a2
SSDEEP

1536:1EGh0oQl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oQl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016c90-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016c90-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016c90-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016c90-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016c90-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016c90-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC688AF-355D-4810-993B-649A8D1E3E18}	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CA72388-4722-4208-981D-295277892921}	{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CA72388-4722-4208-981D-295277892921}\stubpath = "C:\\Windows\\{9CA72388-4722-4208-981D-295277892921}.exe"	{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}\stubpath = "C:\\Windows\\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe"	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A51E6FE-A8A5-4870-94EC-76825626AA82}\stubpath = "C:\\Windows\\{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe"	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}\stubpath = "C:\\Windows\\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe"	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}\stubpath = "C:\\Windows\\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe"	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}	{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}\stubpath = "C:\\Windows\\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe"	{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A51E6FE-A8A5-4870-94EC-76825626AA82}	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC688AF-355D-4810-993B-649A8D1E3E18}\stubpath = "C:\\Windows\\{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe"	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}\stubpath = "C:\\Windows\\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe"	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}\stubpath = "C:\\Windows\\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe"	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5982EAE7-9F4F-48e1-8053-1C0202A26492}	{9CA72388-4722-4208-981D-295277892921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}\stubpath = "C:\\Windows\\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe"	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5982EAE7-9F4F-48e1-8053-1C0202A26492}\stubpath = "C:\\Windows\\{5982EAE7-9F4F-48e1-8053-1C0202A26492}.exe"	{9CA72388-4722-4208-981D-295277892921}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe
1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
2336	{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
268	{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
2684	{9CA72388-4722-4208-981D-295277892921}.exe
2484	{5982EAE7-9F4F-48e1-8053-1C0202A26492}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
File created	C:\Windows\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
File created	C:\Windows\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
File created	C:\Windows\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe	{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
File created	C:\Windows\{9CA72388-4722-4208-981D-295277892921}.exe	{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
File created	C:\Windows\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe
File created	C:\Windows\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
File created	C:\Windows\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
File created	C:\Windows\{5982EAE7-9F4F-48e1-8053-1C0202A26492}.exe	{9CA72388-4722-4208-981D-295277892921}.exe
File created	C:\Windows\{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
File created	C:\Windows\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
Token: SeIncBasePriorityPrivilege	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
Token: SeIncBasePriorityPrivilege	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
Token: SeIncBasePriorityPrivilege	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
Token: SeIncBasePriorityPrivilege	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe
Token: SeIncBasePriorityPrivilege	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
Token: SeIncBasePriorityPrivilege	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
Token: SeIncBasePriorityPrivilege	2336	{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
Token: SeIncBasePriorityPrivilege	268	{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
Token: SeIncBasePriorityPrivilege	2684	{9CA72388-4722-4208-981D-295277892921}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2296	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	28
PID 2292 wrote to memory of 2296	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	28
PID 2292 wrote to memory of 2296	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	28
PID 2292 wrote to memory of 2296	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	28
PID 2292 wrote to memory of 2816	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	29
PID 2292 wrote to memory of 2816	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	29
PID 2292 wrote to memory of 2816	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	29
PID 2292 wrote to memory of 2816	2292	2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe	29
PID 2296 wrote to memory of 1808	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	32
PID 2296 wrote to memory of 1808	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	32
PID 2296 wrote to memory of 1808	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	32
PID 2296 wrote to memory of 1808	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	32
PID 2296 wrote to memory of 2528	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	33
PID 2296 wrote to memory of 2528	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	33
PID 2296 wrote to memory of 2528	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	33
PID 2296 wrote to memory of 2528	2296	{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe	33
PID 1808 wrote to memory of 2540	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	34
PID 1808 wrote to memory of 2540	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	34
PID 1808 wrote to memory of 2540	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	34
PID 1808 wrote to memory of 2540	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	34
PID 1808 wrote to memory of 2388	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	35
PID 1808 wrote to memory of 2388	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	35
PID 1808 wrote to memory of 2388	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	35
PID 1808 wrote to memory of 2388	1808	{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe	35
PID 2540 wrote to memory of 2668	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	36
PID 2540 wrote to memory of 2668	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	36
PID 2540 wrote to memory of 2668	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	36
PID 2540 wrote to memory of 2668	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	36
PID 2540 wrote to memory of 1296	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	37
PID 2540 wrote to memory of 1296	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	37
PID 2540 wrote to memory of 1296	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	37
PID 2540 wrote to memory of 1296	2540	{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe	37
PID 2668 wrote to memory of 940	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	38
PID 2668 wrote to memory of 940	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	38
PID 2668 wrote to memory of 940	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	38
PID 2668 wrote to memory of 940	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	38
PID 2668 wrote to memory of 2460	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	39
PID 2668 wrote to memory of 2460	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	39
PID 2668 wrote to memory of 2460	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	39
PID 2668 wrote to memory of 2460	2668	{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe	39
PID 940 wrote to memory of 1940	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	40
PID 940 wrote to memory of 1940	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	40
PID 940 wrote to memory of 1940	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	40
PID 940 wrote to memory of 1940	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	40
PID 940 wrote to memory of 2360	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	41
PID 940 wrote to memory of 2360	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	41
PID 940 wrote to memory of 2360	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	41
PID 940 wrote to memory of 2360	940	{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe	41
PID 1940 wrote to memory of 1892	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	42
PID 1940 wrote to memory of 1892	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	42
PID 1940 wrote to memory of 1892	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	42
PID 1940 wrote to memory of 1892	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	42
PID 1940 wrote to memory of 2016	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	43
PID 1940 wrote to memory of 2016	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	43
PID 1940 wrote to memory of 2016	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	43
PID 1940 wrote to memory of 2016	1940	{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe	43
PID 1892 wrote to memory of 2336	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	44
PID 1892 wrote to memory of 2336	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	44
PID 1892 wrote to memory of 2336	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	44
PID 1892 wrote to memory of 2336	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	44
PID 1892 wrote to memory of 1348	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	45
PID 1892 wrote to memory of 1348	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	45
PID 1892 wrote to memory of 1348	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	45
PID 1892 wrote to memory of 1348	1892	{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_bc6458578e99b42b726429e0a0ef5cf7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
  C:\Windows\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
    C:\Windows\{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
      C:\Windows\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
        
        C:\Windows\{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe
        
        C:\Windows\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
        
        C:\Windows\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
        
        C:\Windows\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
        
        C:\Windows\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
        
        C:\Windows\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{9CA72388-4722-4208-981D-295277892921}.exe
        
        C:\Windows\{9CA72388-4722-4208-981D-295277892921}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{5982EAE7-9F4F-48e1-8053-1C0202A26492}.exe
        
        C:\Windows\{5982EAE7-9F4F-48e1-8053-1C0202A26492}.exe
        12⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA72~1.EXE > nul
        12⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DB3A~1.EXE > nul
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{549AB~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35F63~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CE7~1.EXE > nul
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F973~1.EXE > nul
        7⤵
        
        PID:2360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC68~1.EXE > nul
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F6A5~1.EXE > nul
        5⤵
        
        PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A51E~1.EXE > nul
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DA38~1.EXE > nul
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A51E6FE-A8A5-4870-94EC-76825626AA82}.exe

Filesize
204KB

MD5
17aae6055aea2d68dc9a9fccf7935dcc

SHA1
a25390d5c540e3d2084b26be1f2e06d65a79f060

SHA256
e0f634ff489579646f45251bf8334bdbd4abb9bbe5ea75caa091baaac62bc561

SHA512
769f7dcb34de03b73d02837646aac1985bda48a7dfc7624a48b856137f1537dbdcf0f35f5e79b7f1c48f5b278ca54cb63089946a91279265df2d4070c81ebcdf

Download Submit
C:\Windows\{35F63239-A684-4b37-BC28-9DBD5BDDD6F7}.exe

Filesize
204KB

MD5
9616d7d5c35fcee325a406de9e2cc725

SHA1
39fdb1aacafb6ffb25ab47de8ec8910233a2714a

SHA256
956c0ec78bb20850a348abc06ebf48833d0811e3c4326704dbf1963526ae9427

SHA512
a67dd329fdff1d2993b44fd723679538adc6923dc2203b83414d0165dfb985a6d19aa7606333330a22e377d63e4d655d1be7348e10f37140daa0f66bf3063370

Download Submit
C:\Windows\{3DB3A0C7-1774-4e31-B0D0-0C3DB5016126}.exe

Filesize
204KB

MD5
6892865ce7218bc9a61c44382111ab6f

SHA1
008639917340f3fc7b78f621dcbaad7a54291290

SHA256
e980c761651819c1f4066e799892969783c5a7b3942e01350a5abfdc8aa8705e

SHA512
60021afb99647548466d56bc05deb55f7dee0ba6523d141e1e23445a98a20d394afccf99b388890977e317cce1ba7d9317ab2a4aa983aa27131e9dd9bc56851d

Download Submit
C:\Windows\{3F6A56B8-F044-44d3-AB1E-005C58A741AB}.exe

Filesize
204KB

MD5
d7ba1268697a1e253b558cf79093b2ce

SHA1
323a10bd95aa44c7bff2960fe30cf0c875758698

SHA256
86233c745aeafcc0cecfecf74ada10bc3ff7a2bdf843e80460da7f90c2af03bc

SHA512
652cda1a960538ed47f70930d53891adf19cc0835eb263b2822dd69d11badfecf49c9ca67b350e7a3b0ea14f789eaf4745726fe1a9dc71084c8902870795b028

Download Submit
C:\Windows\{549AB8B4-D682-46dc-B0BC-F4D5C676A517}.exe

Filesize
204KB

MD5
d90b3c9bcc50d2e97678086c8ba5c179

SHA1
eaa876853e630f5ca643dbcfac9921d0e8ed221c

SHA256
ec2ac634aa659441789db7fd705b632f1650fc5fa7e893747036be7c466728ba

SHA512
9b4ff06eb66da259b7f9f0dd7e6d6ef318abacf5cce88cfc37bb7eed76d85f39303e863eab185a89807339dcb9d33ea3208ac06b70f7d01dfbfde3cdcbb1131b

Download Submit
C:\Windows\{5982EAE7-9F4F-48e1-8053-1C0202A26492}.exe

Filesize
204KB

MD5
9f4b5728d5c98776686043f15401b63e

SHA1
f5a20c9e9ce1d592e7c0532f77fe7178d30a806d

SHA256
1411736c52b3dc8d65ec388f9f3efabd75a41ae86766a241dc3e133539e354d9

SHA512
63c5fedf20b36ce67c26f46a1393c528e3d91c3cb06f7695bab0d5470581736d0037cfc347b77e159f5f678640edf3008fb1fc6c86454ac6e38cdd45b012f536

Download Submit
C:\Windows\{7F973137-DD82-4bad-9EF2-5483B0C8E38D}.exe

Filesize
204KB

MD5
96d82388782e691b58a9b676006f5945

SHA1
81b12828574769d589a90da83cdfdd7a1c9a6390

SHA256
253449e1849df5362ba18b88095fffaa7eb79da3246976c19ad268082a7c3e62

SHA512
f0a2f469decae9ccea071a812c77e9bd5f00e8d4fdf0746366bffb3af7ea6f7761cbc837f12f455b7104ac8627fc26196e8df0150282fcea810336a123e4e3f0

Download Submit
C:\Windows\{8DA38A4B-8F92-4860-BEFD-DF5A5255D563}.exe

Filesize
204KB

MD5
972b86e5703ee979921f9afa637b43c5

SHA1
cc99def0d4251d6afb38a3dae90d1fb74d7cfded

SHA256
fd8ff46b7e82eb8d200a6b4f9ee2e0c12f891a18874adb4150a00987f7a637b9

SHA512
99f361ce9e39e281dbcf878b5dbe2dd251b34fbb19e457241e8865e9188a5dee99cc7e3bd8e3a07493ac5a3b0ef36ec407612c4b2a98661b7cff355d0d371a06

Download Submit
C:\Windows\{9CA72388-4722-4208-981D-295277892921}.exe

Filesize
204KB

MD5
7ed522bd917eaf1fea3842a6881e31a0

SHA1
280a9144b8b49e0972a94ac35a212c4ac2ea0c5e

SHA256
0546a19082ebcc60b6d55e15c124559b2d9fd893b9b44aa52af37a086c2bd259

SHA512
d0ed2463fe401e7a034e019d7812142e81fd482cc50735aa5bbe45214d6fe361cf7ab5a062bef89512042b411937c15713458313c78f6ceed4f538a972c5c655

Download Submit
C:\Windows\{D7CE7CCD-EA34-4818-A29F-5BB4140E00A5}.exe

Filesize
204KB

MD5
8030f561ea3e47ee1a57216bd416324a

SHA1
05e345747898f3130f5dc365e4ecaae1bbba11d3

SHA256
ed65b9d609e0151f2b6b07a72181380dad2de1bd2357a894a56673d41bf80d60

SHA512
98ca58277315917eef3abf784b8606aea6d3f898912de4646be62f21b44be6fc62358a480f15db9cccb275da7313a79a53a7e09d160e40104960f2a544a71d63

Download Submit
C:\Windows\{EEC688AF-355D-4810-993B-649A8D1E3E18}.exe

Filesize
204KB

MD5
ef298dd0b632df60d2ebd2a13f93fe7a

SHA1
3e1984ea05de1ea696ae545406e9b1a8ab03f262

SHA256
cca2587762aba9205f998f2da6054a6dd59ba05120e80aeccb3a0b33e18ab5b9

SHA512
7860c5b6168860062d1f769d6b67423e7adfc9f0c7dee7150cd3391d95def75c606a5ff3c52f6d2bf38fdd70ebe6e0caf871e3f5d43d08211711df0d9611dc9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads