bac3dc51765d9c6b82315c5424934ed12354ce3c40b95b183778fd536953592e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Size

344KB
MD5

d18d30b76493ee5d1827d0eac5e2706f
SHA1

c7148cc22484524ece7848c57ce2e240d5cbdaa8
SHA256

bac3dc51765d9c6b82315c5424934ed12354ce3c40b95b183778fd536953592e
SHA512

db0d19920f1f88520521f9a23500216ccb3de1d70ec5b529a0518958781431bc462666df94594d85a086e3414baf7b7314ce6294bd642e137d735076a9e3898b
SSDEEP

3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGBlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001269e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003200000001471d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488B21E4-B935-463b-AB94-92F8567787BA}	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6F14F0-A690-4804-8CD0-04027FBA7097}\stubpath = "C:\\Windows\\{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe"	{488B21E4-B935-463b-AB94-92F8567787BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}	{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83208EB9-64A7-47e7-B993-55BA134544F6}\stubpath = "C:\\Windows\\{83208EB9-64A7-47e7-B993-55BA134544F6}.exe"	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}\stubpath = "C:\\Windows\\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe"	{945834D2-3060-429f-A315-A539DFF5C811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488B21E4-B935-463b-AB94-92F8567787BA}\stubpath = "C:\\Windows\\{488B21E4-B935-463b-AB94-92F8567787BA}.exe"	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}	{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}\stubpath = "C:\\Windows\\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe"	{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}\stubpath = "C:\\Windows\\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}.exe"	{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}\stubpath = "C:\\Windows\\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe"	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{945834D2-3060-429f-A315-A539DFF5C811}	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{945834D2-3060-429f-A315-A539DFF5C811}\stubpath = "C:\\Windows\\{945834D2-3060-429f-A315-A539DFF5C811}.exe"	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83208EB9-64A7-47e7-B993-55BA134544F6}	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}	{945834D2-3060-429f-A315-A539DFF5C811}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6F14F0-A690-4804-8CD0-04027FBA7097}	{488B21E4-B935-463b-AB94-92F8567787BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}\stubpath = "C:\\Windows\\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe"	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}	{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}\stubpath = "C:\\Windows\\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe"	{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}\stubpath = "C:\\Windows\\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe"	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe
2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe
1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe
1824	{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe
812	{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
2632	{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe
1316	{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
File created	C:\Windows\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
File created	C:\Windows\{945834D2-3060-429f-A315-A539DFF5C811}.exe	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
File created	C:\Windows\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe	{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
File created	C:\Windows\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}.exe	{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe
File created	C:\Windows\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
File created	C:\Windows\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe
File created	C:\Windows\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	{945834D2-3060-429f-A315-A539DFF5C811}.exe
File created	C:\Windows\{488B21E4-B935-463b-AB94-92F8567787BA}.exe	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
File created	C:\Windows\{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe	{488B21E4-B935-463b-AB94-92F8567787BA}.exe
File created	C:\Windows\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe	{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
Token: SeIncBasePriorityPrivilege	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe
Token: SeIncBasePriorityPrivilege	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
Token: SeIncBasePriorityPrivilege	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
Token: SeIncBasePriorityPrivilege	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe
Token: SeIncBasePriorityPrivilege	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
Token: SeIncBasePriorityPrivilege	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe
Token: SeIncBasePriorityPrivilege	1824	{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe
Token: SeIncBasePriorityPrivilege	812	{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
Token: SeIncBasePriorityPrivilege	2632	{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2740	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	28
PID 2524 wrote to memory of 2740	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	28
PID 2524 wrote to memory of 2740	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	28
PID 2524 wrote to memory of 2740	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	28
PID 2524 wrote to memory of 3060	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	29
PID 2524 wrote to memory of 3060	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	29
PID 2524 wrote to memory of 3060	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	29
PID 2524 wrote to memory of 3060	2524	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	29
PID 2740 wrote to memory of 2568	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	30
PID 2740 wrote to memory of 2568	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	30
PID 2740 wrote to memory of 2568	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	30
PID 2740 wrote to memory of 2568	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	30
PID 2740 wrote to memory of 2732	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	31
PID 2740 wrote to memory of 2732	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	31
PID 2740 wrote to memory of 2732	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	31
PID 2740 wrote to memory of 2732	2740	{83208EB9-64A7-47e7-B993-55BA134544F6}.exe	31
PID 2568 wrote to memory of 2468	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	32
PID 2568 wrote to memory of 2468	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	32
PID 2568 wrote to memory of 2468	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	32
PID 2568 wrote to memory of 2468	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	32
PID 2568 wrote to memory of 2244	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	33
PID 2568 wrote to memory of 2244	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	33
PID 2568 wrote to memory of 2244	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	33
PID 2568 wrote to memory of 2244	2568	{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe	33
PID 2468 wrote to memory of 1708	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	36
PID 2468 wrote to memory of 1708	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	36
PID 2468 wrote to memory of 1708	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	36
PID 2468 wrote to memory of 1708	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	36
PID 2468 wrote to memory of 240	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	37
PID 2468 wrote to memory of 240	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	37
PID 2468 wrote to memory of 240	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	37
PID 2468 wrote to memory of 240	2468	{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe	37
PID 1708 wrote to memory of 2916	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	38
PID 1708 wrote to memory of 2916	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	38
PID 1708 wrote to memory of 2916	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	38
PID 1708 wrote to memory of 2916	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	38
PID 1708 wrote to memory of 2936	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	39
PID 1708 wrote to memory of 2936	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	39
PID 1708 wrote to memory of 2936	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	39
PID 1708 wrote to memory of 2936	1708	{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe	39
PID 2916 wrote to memory of 1204	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	40
PID 2916 wrote to memory of 1204	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	40
PID 2916 wrote to memory of 1204	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	40
PID 2916 wrote to memory of 1204	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	40
PID 2916 wrote to memory of 2176	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	41
PID 2916 wrote to memory of 2176	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	41
PID 2916 wrote to memory of 2176	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	41
PID 2916 wrote to memory of 2176	2916	{945834D2-3060-429f-A315-A539DFF5C811}.exe	41
PID 1204 wrote to memory of 1628	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	42
PID 1204 wrote to memory of 1628	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	42
PID 1204 wrote to memory of 1628	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	42
PID 1204 wrote to memory of 1628	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	42
PID 1204 wrote to memory of 632	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	43
PID 1204 wrote to memory of 632	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	43
PID 1204 wrote to memory of 632	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	43
PID 1204 wrote to memory of 632	1204	{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe	43
PID 1628 wrote to memory of 1824	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	44
PID 1628 wrote to memory of 1824	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	44
PID 1628 wrote to memory of 1824	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	44
PID 1628 wrote to memory of 1824	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	44
PID 1628 wrote to memory of 1312	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	45
PID 1628 wrote to memory of 1312	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	45
PID 1628 wrote to memory of 1312	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	45
PID 1628 wrote to memory of 1312	1628	{488B21E4-B935-463b-AB94-92F8567787BA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
  C:\Windows\{83208EB9-64A7-47e7-B993-55BA134544F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe
    C:\Windows\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
      C:\Windows\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
        
        C:\Windows\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\{945834D2-3060-429f-A315-A539DFF5C811}.exe
        
        C:\Windows\{945834D2-3060-429f-A315-A539DFF5C811}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
        
        C:\Windows\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{488B21E4-B935-463b-AB94-92F8567787BA}.exe
        
        C:\Windows\{488B21E4-B935-463b-AB94-92F8567787BA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe
        
        C:\Windows\{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
        
        C:\Windows\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe
        
        C:\Windows\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}.exe
        
        C:\Windows\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6662B~1.EXE > nul
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE4A~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E6F1~1.EXE > nul
        10⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{488B2~1.EXE > nul
        9⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F406~1.EXE > nul
        8⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94583~1.EXE > nul
        7⤵
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{474EC~1.EXE > nul
        6⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B460~1.EXE > nul
        5⤵
        
        PID:240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{642E2~1.EXE > nul
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83208~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E6F14F0-A690-4804-8CD0-04027FBA7097}.exe

Filesize
344KB

MD5
72a7b72cc08203d1ecf2c5710f280ec5

SHA1
e170f82e256c6ba91118315134b34ed5fabd6ec4

SHA256
8a64ea26bf5659982901dbf07dd781cb077b864f720598069ae5507ef3cd9b95

SHA512
07a291fcef7279913cf1e6e97f749feed56e0c60659726dda6e5da179a9cc86eb0c8f5f6ab5b49726d442ca272bb156a0d001c5fbbf367e4b25436e5406ad00c

Download Submit
C:\Windows\{474EC0A3-AD59-4923-89E7-8B1ECF57EFE3}.exe

Filesize
344KB

MD5
2dbaacb74e0cee89bad9d6e387a5da64

SHA1
d3074f31532a0df68801f3aa1f120d9d246623aa

SHA256
182d8172207c420a215e9d88aa23dea18d95754eaf8ac9f4c47c77e7b8056424

SHA512
8c5443ba1d80abc4dd4ee2c37dbc511643c67fb2eda77aab4086139d321188ac916c17322bab9983987ff6c6e6cab7c2726f21d02b7272e1cf21746dd00d351c

Download Submit
C:\Windows\{488B21E4-B935-463b-AB94-92F8567787BA}.exe

Filesize
344KB

MD5
46e48f9cb8a4fa087d79657dacf1f174

SHA1
59a117d79c739eaf44c2232c3e3b341d469ae8ec

SHA256
c9e491c3e97b3d8e83d3125deb8004f1e0c069bd18f1eb1fb873f9a9c7a9b2c8

SHA512
310d9f249921c8b9080c7c55fba6dea09a3e24d506ca54d3b90d5d45dcd2f7b66cefad689f121ff39174d99f5752d39e0cb2ca91ced0ace1e1977a7e089c2306

Download Submit
C:\Windows\{4B4601A7-31E4-4b06-B870-CBB6F6EB2E50}.exe

Filesize
344KB

MD5
cdfbdc08f6130805a05204186fe60c04

SHA1
a890fddafd6aa6afc972f978e9675d8e5099fc63

SHA256
bf275b950a915b5ff31f5c66dbba8e1145097b0ed7b12fc92c9809fc3a99172e

SHA512
155a4844282e4fd4bf4808fabefdb9ab53d7c85c36da432f997a9cdad12c6595f48313f959c7e6fdf117e193c6f3946921a193fee8b94f9e1a72f3875551a32c

Download Submit
C:\Windows\{642E2ED6-D4DD-407b-AA93-500A0F2BA15B}.exe

Filesize
344KB

MD5
0010abbbe4318b151d33f61c558d74ed

SHA1
501d1404d9508635bc677aab6f69b6dcc8862e8d

SHA256
7afe52264efa0616e41768491013a66f0fd1a31350599d46a396a600957376bf

SHA512
74c4eedff98803404a096ea59864575f97cc7099ccdac1b91a5106ddf73771c71583cf2894c95de2d404e1cfe37200ff6b01972af44214d0628ca13ac067b93f

Download Submit
C:\Windows\{6662BE86-1C18-4dd2-BE9C-EAE5ED9B3444}.exe

Filesize
344KB

MD5
198e385b65590041a51978d9a496220b

SHA1
7a6647fab36a9d290394f385bca05a5716db8557

SHA256
77bad0624ebe61d968ae74fceb2da191d252a89c90f33c6825cd263d22b00ae2

SHA512
d4ee1e93a0e0902efec02bfac6ffba2aa13b34df32c0bd39d9f330930a1e1c3070a37f9523a9dee6573569f17ffd04c49c5601c6ebd374f05847110513fd95bd

Download Submit
C:\Windows\{83208EB9-64A7-47e7-B993-55BA134544F6}.exe

Filesize
344KB

MD5
21bdca1115e22ee6afc566e66aa4019d

SHA1
e67257c0364e38f5a4bc1bcd045514cb52293238

SHA256
44c07355ff0017ebba38702631569bbc680ced778fe0fddc4a00f57500bbfa7a

SHA512
b3c05ad0697278a796e7a08c74ff6c932de7a05b08138324a8a1fb236ba9910757beb8e87f3212be3dc178d1aa7cf0b8b40ef7bd07a04410aea34e258f97eb80

Download Submit
C:\Windows\{8CE4AF61-BBBA-4520-BECA-5C7054EBD938}.exe

Filesize
344KB

MD5
6e9191284c663ab550f430165ae9f2dd

SHA1
fd38d51aa26c92c9bcaea7c3e6c7b772cafd4c2c

SHA256
849cdfdcfabfd04ffe6a320ce196450bebd34d37072762979441df32d9adc037

SHA512
c05cc02781321b430c153f2f0ed81249d7b8e061d8da0410dce889e3d348ad76ae9c1c6d8d597736c944b8528274898030e6e61265d5ee2d1ec96753333091a6

Download Submit
C:\Windows\{945834D2-3060-429f-A315-A539DFF5C811}.exe

Filesize
344KB

MD5
4691e1649d461a123de7e930fd824af1

SHA1
6329631973566fa6cc050abe78cf6814c1611988

SHA256
cd01b698b3b411c44b649fcffac655c899f24aef6510fee3952ddf097f65c5ac

SHA512
67458417f15e33c00fbcee35558926394571f08a7438646629c08f85236a2e4794b53dcbdc84b23b4a2a0e7bf9331893b655879ab56b4bc6da2229aeeb73bb72

Download Submit
C:\Windows\{9F406D7A-3B31-4180-8F6C-3A4AC4DEE07F}.exe

Filesize
344KB

MD5
3e82f748346f37ecef2a222613603417

SHA1
0be0b6ef9f404104ad6a727988dfad74c1265786

SHA256
1e8f3257f1e874c1942845da385dccd84deff7e7b96b1236fc963d44f98a274f

SHA512
c70a6eca3ed24cfcf06d38765faac4865e7940bb9ea83f49fa7cc41f7904368417269d1a2cbaa6a9480b4fab1d70cc5301586f170ae8457d50a475a12fa953d3

Download Submit
C:\Windows\{F209A66D-06D1-4124-9CD5-1C5C233DFB7B}.exe

Filesize
344KB

MD5
3435cbbdf801923071a0532a68ca69ed

SHA1
1adedece48dbf8d61ea9802a819e99ac82105883

SHA256
330f38d4c7c047727c21a5f588335be2845b9e2a7396279293368092d3d5acd2

SHA512
fbad466710953ab19b255901545fdeb4e29a241a792dad8439cedf69345451546c78c75d5eb76f36c95f8fb0ea34004f0070dca4b7a86cc796b31d451a0bd159

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads