fd29f61518d33f730371b1b1a56e2fb0fe931dbe5d3b1f2e7230361618539a33

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Size

204KB
MD5

9106f3fccf758489a1da37662b2cafd9
SHA1

56f5d45802dd4ffa1fbda16989873c0c4315a7aa
SHA256

fd29f61518d33f730371b1b1a56e2fb0fe931dbe5d3b1f2e7230361618539a33
SHA512

4cf61f30705a674ed056beb7493a5d9a636b68756a8d3a478752f3d0d8320cb06826eff26e263b848de979d6e2d811f476a7497c957ab3f0143c284ae5783e2e
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ovl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012306-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001315b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012306-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001340c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012306-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012306-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012306-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}\stubpath = "C:\\Windows\\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe"	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}\stubpath = "C:\\Windows\\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe"	{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}\stubpath = "C:\\Windows\\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}.exe"	{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}\stubpath = "C:\\Windows\\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe"	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1714535-FC72-4013-8888-6A9FC71672D1}	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}\stubpath = "C:\\Windows\\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe"	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C04327-0FA4-4500-B2A8-AE558F5827C0}	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}\stubpath = "C:\\Windows\\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe"	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE40684-E2A0-470f-B287-1D45D914B062}\stubpath = "C:\\Windows\\{0CE40684-E2A0-470f-B287-1D45D914B062}.exe"	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}	{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}	{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}	{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}\stubpath = "C:\\Windows\\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe"	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1714535-FC72-4013-8888-6A9FC71672D1}\stubpath = "C:\\Windows\\{F1714535-FC72-4013-8888-6A9FC71672D1}.exe"	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C04327-0FA4-4500-B2A8-AE558F5827C0}\stubpath = "C:\\Windows\\{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe"	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE40684-E2A0-470f-B287-1D45D914B062}	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}\stubpath = "C:\\Windows\\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe"	{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe
2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
1268	{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe
2172	{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
384	{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe
1172	{7B022103-D2DA-4c60-A9F4-620020C9C6E6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
File created	C:\Windows\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
File created	C:\Windows\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
File created	C:\Windows\{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
File created	C:\Windows\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
File created	C:\Windows\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe	{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe
File created	C:\Windows\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe	{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
File created	C:\Windows\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
File created	C:\Windows\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}.exe	{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe
File created	C:\Windows\{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
File created	C:\Windows\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
Token: SeIncBasePriorityPrivilege	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe
Token: SeIncBasePriorityPrivilege	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
Token: SeIncBasePriorityPrivilege	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
Token: SeIncBasePriorityPrivilege	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
Token: SeIncBasePriorityPrivilege	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
Token: SeIncBasePriorityPrivilege	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
Token: SeIncBasePriorityPrivilege	1268	{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe
Token: SeIncBasePriorityPrivilege	2172	{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
Token: SeIncBasePriorityPrivilege	384	{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2488	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	28
PID 2660 wrote to memory of 2488	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	28
PID 2660 wrote to memory of 2488	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	28
PID 2660 wrote to memory of 2488	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	28
PID 2660 wrote to memory of 2584	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	29
PID 2660 wrote to memory of 2584	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	29
PID 2660 wrote to memory of 2584	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	29
PID 2660 wrote to memory of 2584	2660	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	29
PID 2488 wrote to memory of 2496	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	30
PID 2488 wrote to memory of 2496	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	30
PID 2488 wrote to memory of 2496	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	30
PID 2488 wrote to memory of 2496	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	30
PID 2488 wrote to memory of 2632	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	31
PID 2488 wrote to memory of 2632	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	31
PID 2488 wrote to memory of 2632	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	31
PID 2488 wrote to memory of 2632	2488	{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe	31
PID 2496 wrote to memory of 2548	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	32
PID 2496 wrote to memory of 2548	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	32
PID 2496 wrote to memory of 2548	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	32
PID 2496 wrote to memory of 2548	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	32
PID 2496 wrote to memory of 2376	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	33
PID 2496 wrote to memory of 2376	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	33
PID 2496 wrote to memory of 2376	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	33
PID 2496 wrote to memory of 2376	2496	{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe	33
PID 2548 wrote to memory of 1372	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	36
PID 2548 wrote to memory of 1372	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	36
PID 2548 wrote to memory of 1372	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	36
PID 2548 wrote to memory of 1372	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	36
PID 2548 wrote to memory of 1036	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	37
PID 2548 wrote to memory of 1036	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	37
PID 2548 wrote to memory of 1036	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	37
PID 2548 wrote to memory of 1036	2548	{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe	37
PID 1372 wrote to memory of 756	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	38
PID 1372 wrote to memory of 756	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	38
PID 1372 wrote to memory of 756	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	38
PID 1372 wrote to memory of 756	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	38
PID 1372 wrote to memory of 2100	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	39
PID 1372 wrote to memory of 2100	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	39
PID 1372 wrote to memory of 2100	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	39
PID 1372 wrote to memory of 2100	1372	{F1714535-FC72-4013-8888-6A9FC71672D1}.exe	39
PID 756 wrote to memory of 1588	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	40
PID 756 wrote to memory of 1588	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	40
PID 756 wrote to memory of 1588	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	40
PID 756 wrote to memory of 1588	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	40
PID 756 wrote to memory of 1560	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	41
PID 756 wrote to memory of 1560	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	41
PID 756 wrote to memory of 1560	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	41
PID 756 wrote to memory of 1560	756	{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe	41
PID 1588 wrote to memory of 2716	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	42
PID 1588 wrote to memory of 2716	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	42
PID 1588 wrote to memory of 2716	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	42
PID 1588 wrote to memory of 2716	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	42
PID 1588 wrote to memory of 624	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	43
PID 1588 wrote to memory of 624	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	43
PID 1588 wrote to memory of 624	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	43
PID 1588 wrote to memory of 624	1588	{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe	43
PID 2716 wrote to memory of 1268	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	44
PID 2716 wrote to memory of 1268	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	44
PID 2716 wrote to memory of 1268	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	44
PID 2716 wrote to memory of 1268	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	44
PID 2716 wrote to memory of 1688	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	45
PID 2716 wrote to memory of 1688	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	45
PID 2716 wrote to memory of 1688	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	45
PID 2716 wrote to memory of 1688	2716	{0CE40684-E2A0-470f-B287-1D45D914B062}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
  C:\Windows\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe
    C:\Windows\{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
      C:\Windows\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
        
        C:\Windows\{F1714535-FC72-4013-8888-6A9FC71672D1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
        
        C:\Windows\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
        
        C:\Windows\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
        
        C:\Windows\{0CE40684-E2A0-470f-B287-1D45D914B062}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe
        
        C:\Windows\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
        
        C:\Windows\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe
        
        C:\Windows\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}.exe
        
        C:\Windows\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}.exe
        12⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB6A~1.EXE > nul
        12⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E90B~1.EXE > nul
        11⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A04~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE40~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27B36~1.EXE > nul
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BACA~1.EXE > nul
        7⤵
        
        PID:1560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1714~1.EXE > nul
        6⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C50D~1.EXE > nul
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98C04~1.EXE > nul
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F105E~1.EXE > nul
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CE40684-E2A0-470f-B287-1D45D914B062}.exe

Filesize
204KB

MD5
b069d84b05cf23c41ca3b7ad7994e1a9

SHA1
1b6e561b0829d09118576366cb570594c7e4b2be

SHA256
4c6d99ddaeac95f7889b79020b1a8c6fa0b6969235f71328407bcb86549b9af2

SHA512
a40b8d5c572e3a75ce137e24f7c41c8e0f674977634363c3efbbfe38b1d65f1718b36426a2afe75b73947957f9c2084adc30271fee0d8530497cdb658664e305

Download Submit
C:\Windows\{27B36A9A-C74D-4c6d-AD8C-F5C0ED7C2149}.exe

Filesize
204KB

MD5
265e7fb3c4db99eeebc2a076d24eb83c

SHA1
ef2f2d328fe8d861b635abdfb6612217ab976218

SHA256
c34c34bc8192d08786c49543c84e32fa77d6ff3374085a7b30c34e63899019a8

SHA512
839ece8a45377f0ba6f7c0fe91d298ff81ff86a4866f3df13d94dc91d4d8929a0f5b877b3326414afea367fbf79de6c4e48069578dc43a88776846f48f380f49

Download Submit
C:\Windows\{2E90B0FD-7A9B-488a-B4CD-A2E07756E3B3}.exe

Filesize
204KB

MD5
522ab38c541f9ef9fe0a07b01f650633

SHA1
abc31ad5cb7b2d87610504e7ad2e3709881e3f5a

SHA256
6506870db0eba4661f8406a0355c458f28c4fec11449a14ee995cedf7ddeda5e

SHA512
f54d953b5ef6c79937bd4e61e7c8aa8e5caba14f7165ae74e9dcd9a5ceb68813e6d4013f60d5b18e22e09bcd94c21900080829c723d571cba7eabd7c1eefa68b

Download Submit
C:\Windows\{4BACA97E-DF5D-4a20-B276-B5502E36E80E}.exe

Filesize
204KB

MD5
964be33a83f1eafa55d834c10ca0415a

SHA1
3e7a61b7e7468bf339460c914496a728ef0355d1

SHA256
0b5419e147d5a810273311bbbcf2679abd882b9033cb3328d14a44eb0c00c114

SHA512
629191c1263da542e51653f31a149534e74691d3fb50d154739b60df722d01b66fc2bf65ed8a9559a8d7947f412b1de31867c0f0dc631f790b3c1b97c476613e

Download Submit
C:\Windows\{6C50D449-CEFF-49ac-8507-94F51CB02BFB}.exe

Filesize
204KB

MD5
9486ecb1a5f5bde2f482e4376e512603

SHA1
615b65fa15deabac5f2bcb964ef909dbedda4da5

SHA256
f3d07a0487ecef238777371dbb217ae67354a788de87430f6a9ac085763987f5

SHA512
45168bfef9474e3f96a0b8e0aba469edba57b54f3bdff9b5d90f2601fd89a6d95e857cd063c58dee7f71818e0506bd43120d77e16f7b2e5f593f13c5072bbe0d

Download Submit
C:\Windows\{7B022103-D2DA-4c60-A9F4-620020C9C6E6}.exe

Filesize
204KB

MD5
44677c5e1e2a325cf85d10d289f55067

SHA1
caa9c9bc90f392ad1713b98f640ff73c6fd71c17

SHA256
dfe884b5f5a2f1cc1ccbacc41ed816ec468c548426a66890c161b08167e6d000

SHA512
e8241bf7fe04420b2b7f2f773242ea3df172e3dd4ae50c9a769b5b00dc64d3d10681133bd395f6fbe44e5375508213f4b09e4b87375e971d7e6152560e152dc5

Download Submit
C:\Windows\{98C04327-0FA4-4500-B2A8-AE558F5827C0}.exe

Filesize
204KB

MD5
98d24b837099c990bb9a48c6be187354

SHA1
21f6052e594c0a90f34f7d1ad3e766a75569d319

SHA256
e1e8a677aa359606c165d6d1a6d221701354880f847d7742ff19b815bdf0901c

SHA512
f1f2db1ca194c8780ecad6e2d5c19ee2b709ca4d4603365d861c238eb01a5a5b473a8d621bc4db212efca649bf3ca11fd7255639c9c5fe1aa3f8b6d16964ca38

Download Submit
C:\Windows\{9AB6ADE2-29AD-4d82-9E0F-CCF3DC3D26B8}.exe

Filesize
204KB

MD5
4af2161f06389eca831ce89e2c3e85ff

SHA1
51c19139100d2f324ac8328ad5349fd23e05fb76

SHA256
4023a12bc070f7894950d4e66768d1ef26baa71e3557b82356f880d25b9187df

SHA512
96d1b387f66c21e0d061cb70e70c2b15abc40fd50f53784e07aa428d432e438f3f91015700f4cad10963b26ebfcb7387bbbe51f994573da10f26b8347726a45b

Download Submit
C:\Windows\{A6A04F8E-FA25-45ee-8016-562A7D8E6C08}.exe

Filesize
204KB

MD5
6118c7bd3c6dc72db525094f7d8b0159

SHA1
07b39e2fd2a95dad4fafb30a59012efe1891ade7

SHA256
989bbc46f29e64fcfa82fc5a3d064f24c3866142a242ba729925b6db0b18f9be

SHA512
0c6acacc17650880f36b80dad6e19e438f0e4430f7c0853720ae0db7d84b16e94c3b719f44e4313d27beda37464a549a819ee7c7ba6993b2adaf2aea49f326b5

Download Submit
C:\Windows\{F105E3BF-E6A1-461c-B1DB-87043CBA399A}.exe

Filesize
204KB

MD5
fd850f697147a08a6577746b774b0cd0

SHA1
92c21b0912d3831c1a8c31322d8be820a99c25fc

SHA256
2aae315eaa2353499d45ca404c7f35a2ce7ba63d6992a719710ed718e946025a

SHA512
1c63678caa0fc81a78a27d388b74865823f1bf872c69656024ef9c1fd55ee4a44ebdf56893dd3b8ccf052f44e448b6b56839b3811f90c62e40ace28dd0c75820

Download Submit
C:\Windows\{F1714535-FC72-4013-8888-6A9FC71672D1}.exe

Filesize
204KB

MD5
5eceafe889a152aaef324b858669bde1

SHA1
ad911199ee7cb1556437d2abbc7ce1c0c4b4cfa6

SHA256
2856df581ab7bbac0c114162ac71569cd2d4d9db0724c37e85416e62774c210b

SHA512
a27f64b47e9f6d332cc4faf3e69f86ace579bce4b264640b6aed03f8fedd06ab549b458e79d58f68757da040df3b428606582b046296f6e52c2ee3a0e1fa6728

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads