a5c12aa57d0a54471df45aa9c3c039d0a8d12bac883a6707e0dd00de35c6f153

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe
Size

372KB
MD5

e7f1c3896573ef34cb8235b21598ade3
SHA1

e244c0c421a946734209cbd6d1de048234ed482c
SHA256

a5c12aa57d0a54471df45aa9c3c039d0a8d12bac883a6707e0dd00de35c6f153
SHA512

755733376d21f3477935a15a76edea258301e4b42794b4549ba0282dfda2ed7c7e64c19f55fe5d06953ea59d7b789bb13d4ed6dbc0acb07dda048e018d59e4ce
SSDEEP

3072:CEGh0oElMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGSlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013417-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000013a53-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59142D8C-720B-42c5-8B94-F5FECF0C018D}	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C42701C-0366-46d9-8087-2817FF3A6EF5}\stubpath = "C:\\Windows\\{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe"	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BAE73A6-2E16-4246-84BF-CA42A8713647}	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7579578B-EB6A-455c-94F4-414A0739515C}	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}	{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}\stubpath = "C:\\Windows\\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe"	{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}\stubpath = "C:\\Windows\\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}.exe"	{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C42701C-0366-46d9-8087-2817FF3A6EF5}	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59142D8C-720B-42c5-8B94-F5FECF0C018D}\stubpath = "C:\\Windows\\{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe"	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}\stubpath = "C:\\Windows\\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe"	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7579578B-EB6A-455c-94F4-414A0739515C}\stubpath = "C:\\Windows\\{7579578B-EB6A-455c-94F4-414A0739515C}.exe"	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}	{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B46FC66E-1383-4703-8C49-B0765B249D08}\stubpath = "C:\\Windows\\{B46FC66E-1383-4703-8C49-B0765B249D08}.exe"	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}\stubpath = "C:\\Windows\\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe"	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B46FC66E-1383-4703-8C49-B0765B249D08}	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}\stubpath = "C:\\Windows\\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe"	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BAE73A6-2E16-4246-84BF-CA42A8713647}\stubpath = "C:\\Windows\\{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe"	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}	{7579578B-EB6A-455c-94F4-414A0739515C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}\stubpath = "C:\\Windows\\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe"	{7579578B-EB6A-455c-94F4-414A0739515C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe
2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
2764	{7579578B-EB6A-455c-94F4-414A0739515C}.exe
1760	{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
2876	{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe
1252	{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
File created	C:\Windows\{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
File created	C:\Windows\{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
File created	C:\Windows\{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
File created	C:\Windows\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe	{7579578B-EB6A-455c-94F4-414A0739515C}.exe
File created	C:\Windows\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe	{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
File created	C:\Windows\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe
File created	C:\Windows\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
File created	C:\Windows\{7579578B-EB6A-455c-94F4-414A0739515C}.exe	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
File created	C:\Windows\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}.exe	{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe
File created	C:\Windows\{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe
Token: SeIncBasePriorityPrivilege	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
Token: SeIncBasePriorityPrivilege	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
Token: SeIncBasePriorityPrivilege	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
Token: SeIncBasePriorityPrivilege	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
Token: SeIncBasePriorityPrivilege	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
Token: SeIncBasePriorityPrivilege	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
Token: SeIncBasePriorityPrivilege	2764	{7579578B-EB6A-455c-94F4-414A0739515C}.exe
Token: SeIncBasePriorityPrivilege	1760	{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
Token: SeIncBasePriorityPrivilege	2876	{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2344	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	28
PID 2176 wrote to memory of 2344	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	28
PID 2176 wrote to memory of 2344	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	28
PID 2176 wrote to memory of 2344	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	28
PID 2176 wrote to memory of 1720	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	29
PID 2176 wrote to memory of 1720	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	29
PID 2176 wrote to memory of 1720	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	29
PID 2176 wrote to memory of 1720	2176	2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe	29
PID 2344 wrote to memory of 2632	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	30
PID 2344 wrote to memory of 2632	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	30
PID 2344 wrote to memory of 2632	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	30
PID 2344 wrote to memory of 2632	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	30
PID 2344 wrote to memory of 2868	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	31
PID 2344 wrote to memory of 2868	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	31
PID 2344 wrote to memory of 2868	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	31
PID 2344 wrote to memory of 2868	2344	{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe	31
PID 2632 wrote to memory of 2576	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	32
PID 2632 wrote to memory of 2576	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	32
PID 2632 wrote to memory of 2576	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	32
PID 2632 wrote to memory of 2576	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	32
PID 2632 wrote to memory of 2800	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	33
PID 2632 wrote to memory of 2800	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	33
PID 2632 wrote to memory of 2800	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	33
PID 2632 wrote to memory of 2800	2632	{B46FC66E-1383-4703-8C49-B0765B249D08}.exe	33
PID 2576 wrote to memory of 2948	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	36
PID 2576 wrote to memory of 2948	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	36
PID 2576 wrote to memory of 2948	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	36
PID 2576 wrote to memory of 2948	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	36
PID 2576 wrote to memory of 1724	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	37
PID 2576 wrote to memory of 1724	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	37
PID 2576 wrote to memory of 1724	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	37
PID 2576 wrote to memory of 1724	2576	{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe	37
PID 2948 wrote to memory of 2816	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	38
PID 2948 wrote to memory of 2816	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	38
PID 2948 wrote to memory of 2816	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	38
PID 2948 wrote to memory of 2816	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	38
PID 2948 wrote to memory of 2472	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	39
PID 2948 wrote to memory of 2472	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	39
PID 2948 wrote to memory of 2472	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	39
PID 2948 wrote to memory of 2472	2948	{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe	39
PID 2816 wrote to memory of 1636	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	40
PID 2816 wrote to memory of 1636	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	40
PID 2816 wrote to memory of 1636	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	40
PID 2816 wrote to memory of 1636	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	40
PID 2816 wrote to memory of 1916	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	41
PID 2816 wrote to memory of 1916	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	41
PID 2816 wrote to memory of 1916	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	41
PID 2816 wrote to memory of 1916	2816	{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe	41
PID 1636 wrote to memory of 2152	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	42
PID 1636 wrote to memory of 2152	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	42
PID 1636 wrote to memory of 2152	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	42
PID 1636 wrote to memory of 2152	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	42
PID 1636 wrote to memory of 1520	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	43
PID 1636 wrote to memory of 1520	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	43
PID 1636 wrote to memory of 1520	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	43
PID 1636 wrote to memory of 1520	1636	{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe	43
PID 2152 wrote to memory of 2764	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	44
PID 2152 wrote to memory of 2764	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	44
PID 2152 wrote to memory of 2764	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	44
PID 2152 wrote to memory of 2764	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	44
PID 2152 wrote to memory of 1004	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	45
PID 2152 wrote to memory of 1004	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	45
PID 2152 wrote to memory of 1004	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	45
PID 2152 wrote to memory of 1004	2152	{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_e7f1c3896573ef34cb8235b21598ade3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe
  C:\Windows\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
    C:\Windows\{B46FC66E-1383-4703-8C49-B0765B249D08}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
      C:\Windows\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
        
        C:\Windows\{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
        
        C:\Windows\{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
        
        C:\Windows\{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
        
        C:\Windows\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{7579578B-EB6A-455c-94F4-414A0739515C}.exe
        
        C:\Windows\{7579578B-EB6A-455c-94F4-414A0739515C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
        
        C:\Windows\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe
        
        C:\Windows\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}.exe
        
        C:\Windows\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DFC8~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C7AE~1.EXE > nul
        11⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75795~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A510~1.EXE > nul
        9⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BAE7~1.EXE > nul
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C427~1.EXE > nul
        7⤵
        
        PID:1916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59142~1.EXE > nul
        6⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D8E7~1.EXE > nul
        5⤵
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B46FC~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B6EC~1.EXE > nul
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3BAE73A6-2E16-4246-84BF-CA42A8713647}.exe

Filesize
372KB

MD5
940f9fffa02bc12bea6bb9c8a407fce3

SHA1
86afd5f02da1efbbe3683378262c633d9a78d35a

SHA256
f90e1de0a7265309a5d5cb267410be5c311d7e4e3ddbb95668ddba7b56945b88

SHA512
454aa5a28f514ad21c18cd28c1ad04e2c28d02a4aab3c298f8c2047b3b41fb000825445668ef456e96b2f33a28e6c16fb678b627836c110c8bc175ce46d70425

Download Submit
C:\Windows\{3C42701C-0366-46d9-8087-2817FF3A6EF5}.exe

Filesize
372KB

MD5
65a2c449fd880fa8ab33ae2134298fd7

SHA1
29c4b29c5eec92a153bbdf2fa9ad327301b36f9a

SHA256
b3f4bd93ddc4aeddcfce52b89b41bba97125664fc45e63c4d292818943fd1c7f

SHA512
94a2446844bbc01273ba0d6d9412454adf024121056ba9c267f89ecc918b9f8b1356160039ac4e426e75518903e8c5b4b3d0c4076e915ca41e66b69754a3af6f

Download Submit
C:\Windows\{59142D8C-720B-42c5-8B94-F5FECF0C018D}.exe

Filesize
372KB

MD5
891fe483c55c445a45309df477320296

SHA1
f51ed22a0687dd412a2010d12c77384bb62daf06

SHA256
01b338f06727da5fc0d141c8d79cc036216ccb6cb9054ce178b3aad09ccf95b6

SHA512
0ee05e305b8995cc2280b9d61adbdff0bd3e2a1c878ee5225115245125cb00c2e6c89e22511af9c5ad51ac0c5b673fe785bf968427423a84e7c6b1263a0eb55c

Download Submit
C:\Windows\{5DFC85AF-8D77-4b33-8F88-82947A161EC5}.exe

Filesize
372KB

MD5
d29d9f92b6a0247eeefb9c5e3bf4b8ed

SHA1
3782c1757a319e7ad180f206394d79bdfd7ca2f9

SHA256
c901c6ba35f18c90f8a89b9473779c7e4e5dfe10ccca2f0e9657c3b1444422de

SHA512
98b7056db86b9f9d08fa04a5a3136469132d903876558f5979466e7fb856c7e9220fa7206cacf044c611e8b4fddeb76cd60804fa4b06db64eb9728a49de24bb8

Download Submit
C:\Windows\{7579578B-EB6A-455c-94F4-414A0739515C}.exe

Filesize
372KB

MD5
2910037c83ca6f279a695a72b85d6661

SHA1
81625780930f805698b642d8448a6407763feb0d

SHA256
ce60558d20f5dbc3094280525c922bb2809b250c5280e0d0e670c459916a3a0d

SHA512
bf0804dbce543d8bd1f9e30218f8a3bc465a5ad17e3316b2ad910d47ec3afe6440bf97782db68a59c6d5e6681df95e075fcb37b94dd5906d7f73f20ca4f473dc

Download Submit
C:\Windows\{7B6ECC5D-DA78-4779-B462-EABEB28C814B}.exe

Filesize
372KB

MD5
0a41b278f56b0e77a4968b8164934a94

SHA1
641842871ca02b9b8bfb4a1d00ec8293bc17bf35

SHA256
9b4e316a13dbe646d3608c5e0f0c6a2c0d962fd6255c2708607579e198778651

SHA512
54c8274671bf8d17a0cccd7ce839fe71e3acda33e17c952b95215dd017829f2136c771a85a9c9cf92c3ddd75bd0ec99ab15a1d35581059f08a1b7a3cac984c33

Download Submit
C:\Windows\{8A5108FA-53B1-4e38-A6BD-22E9BD5AA826}.exe

Filesize
372KB

MD5
adb63d78c43a0ba3551c7d169b69f2c6

SHA1
b9f5a4f42b8a35c1bc3f53e66730066710477ad2

SHA256
5bd64c2773757968d9db3f849619b2317e04851d402f23abcb207656c44a3aca

SHA512
19be7c340f18c0f8cce87a97adaf537b60c95dfa2ebbe632e2c939ea718e1bf5ca87ed4d6cca16465fd8666de1daccdb88461e916b0f98a445694403a7147637

Download Submit
C:\Windows\{8D8E7CEB-1CFB-4bbd-9655-D143346199D0}.exe

Filesize
372KB

MD5
9b45b2a50df955d38b57d5a1e1ddcc3f

SHA1
c7d1fe5f4cf2e0b2b51b365f560098a063aac294

SHA256
a330e1d19829ef3f5fcc79d4477b060ddbeb4a05fafea3698f923992032c0fb0

SHA512
bcd1ded1c2a379392f0f24eb581b86b454e287b9bf5afa4c5dfe3940ae3ac936862fc0e6bd42862cf3570ef8c37950aedaf9f9bf1dcdd0e71e7a9d57bc425b0a

Download Submit
C:\Windows\{9C7AEAB4-CA65-401d-998C-57FFD27240B3}.exe

Filesize
372KB

MD5
39162b6bb68fed1e68243fd0d5b013de

SHA1
a64c76e4c101b1a9f5dcbea639277112717c241c

SHA256
a5649be19e17dd909dfe183c7d8bfc3230a7d79348492414c31c2172941945d2

SHA512
fb2606652f547562a72f540fcf69518f26cc6381e3c8b95eb7d287b5d6e59c5fff107660f4a974021de71885e36a2a23754f7dd32114a22dc966937a4bf6a5ac

Download Submit
C:\Windows\{B46FC66E-1383-4703-8C49-B0765B249D08}.exe

Filesize
372KB

MD5
9a838b439132f01c58ba26ccfa5b6bde

SHA1
8584a88022019b5193fd0046fbee69ed74177498

SHA256
a223028005ae94560b76276c3136315b0771a35362f8df816e0fa24261dd98eb

SHA512
14b643094f8ca02ac5f75fb9b090ec95d888b5b1136cf79ebc5ffc6b48909a715c739b1942051a4f8f1f14d51e2da288483f16a51e5a324d1cd449dbc4c8a968

Download Submit
C:\Windows\{E0320BE3-D8A7-4af4-9AC9-3040E76BC9DF}.exe

Filesize
372KB

MD5
d6b6288ae03fce68cfbe62888529b7a4

SHA1
e89322dd096a72aaa01c1b53613d9524cce6b992

SHA256
1ab773a26008374f1807a7b9da44504f8de707117ab87deda6afbf82e0518e40

SHA512
a44fc1d2e286dcfd1a360e3119ea9d0a20df757b8e4e19706922a0443dcaaf586ac229bb2d088495d69d28d1cd2e88324b4f82e9e553dd37caeb6d0d2ba75285

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads