78d320e633b10211de023005590ca1979a1df04433a974d2c97ed68075d46d38

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe
Size

408KB
MD5

9f13e057abeea18150362726c2f01e98
SHA1

b1202caa194d5b1a59452e51d9021c620a79f45a
SHA256

78d320e633b10211de023005590ca1979a1df04433a974d2c97ed68075d46d38
SHA512

f2239f07c8c511a44bbb9469d72f50e334cfcac1754c4480b10cc56fa7634dded4f62dae14d3b3e4000ae8ca6b69f2f3651e419c937b1b72e4489632c86e95c0
SSDEEP

3072:CEGh0ovl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGBldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015d79-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015f6d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d79-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015d79-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015d79-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015fe9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016117-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015fe9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016117-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{284504BF-C292-4b35-A5E5-55ADB3DA6318}	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}\stubpath = "C:\\Windows\\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe"	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3609853-05D9-4d02-880F-761E7549ECAD}\stubpath = "C:\\Windows\\{F3609853-05D9-4d02-880F-761E7549ECAD}.exe"	{1604D001-9B90-43ab-B214-3FEB77243395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}\stubpath = "C:\\Windows\\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe"	{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}\stubpath = "C:\\Windows\\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe"	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}\stubpath = "C:\\Windows\\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe"	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1604D001-9B90-43ab-B214-3FEB77243395}\stubpath = "C:\\Windows\\{1604D001-9B90-43ab-B214-3FEB77243395}.exe"	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}	{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}	{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}\stubpath = "C:\\Windows\\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe"	{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}	{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}\stubpath = "C:\\Windows\\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}.exe"	{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1604D001-9B90-43ab-B214-3FEB77243395}	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3609853-05D9-4d02-880F-761E7549ECAD}	{1604D001-9B90-43ab-B214-3FEB77243395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}\stubpath = "C:\\Windows\\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe"	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{284504BF-C292-4b35-A5E5-55ADB3DA6318}\stubpath = "C:\\Windows\\{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe"	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}\stubpath = "C:\\Windows\\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe"	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe
2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe
1400	{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
2992	{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
2692	{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe
2684	{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
File created	C:\Windows\{1604D001-9B90-43ab-B214-3FEB77243395}.exe	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
File created	C:\Windows\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe	{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
File created	C:\Windows\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}.exe	{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe
File created	C:\Windows\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
File created	C:\Windows\{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
File created	C:\Windows\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
File created	C:\Windows\{F3609853-05D9-4d02-880F-761E7549ECAD}.exe	{1604D001-9B90-43ab-B214-3FEB77243395}.exe
File created	C:\Windows\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe	{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
File created	C:\Windows\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe
File created	C:\Windows\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
Token: SeIncBasePriorityPrivilege	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe
Token: SeIncBasePriorityPrivilege	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
Token: SeIncBasePriorityPrivilege	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
Token: SeIncBasePriorityPrivilege	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
Token: SeIncBasePriorityPrivilege	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
Token: SeIncBasePriorityPrivilege	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe
Token: SeIncBasePriorityPrivilege	1400	{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
Token: SeIncBasePriorityPrivilege	2992	{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
Token: SeIncBasePriorityPrivilege	2692	{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1200	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	28
PID 2008 wrote to memory of 1200	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	28
PID 2008 wrote to memory of 1200	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	28
PID 2008 wrote to memory of 1200	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	28
PID 2008 wrote to memory of 2540	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	29
PID 2008 wrote to memory of 2540	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	29
PID 2008 wrote to memory of 2540	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	29
PID 2008 wrote to memory of 2540	2008	2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe	29
PID 1200 wrote to memory of 2612	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	30
PID 1200 wrote to memory of 2612	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	30
PID 1200 wrote to memory of 2612	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	30
PID 1200 wrote to memory of 2612	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	30
PID 1200 wrote to memory of 2596	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	31
PID 1200 wrote to memory of 2596	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	31
PID 1200 wrote to memory of 2596	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	31
PID 1200 wrote to memory of 2596	1200	{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe	31
PID 2612 wrote to memory of 2516	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	32
PID 2612 wrote to memory of 2516	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	32
PID 2612 wrote to memory of 2516	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	32
PID 2612 wrote to memory of 2516	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	32
PID 2612 wrote to memory of 2348	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	33
PID 2612 wrote to memory of 2348	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	33
PID 2612 wrote to memory of 2348	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	33
PID 2612 wrote to memory of 2348	2612	{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe	33
PID 2516 wrote to memory of 2216	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	36
PID 2516 wrote to memory of 2216	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	36
PID 2516 wrote to memory of 2216	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	36
PID 2516 wrote to memory of 2216	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	36
PID 2516 wrote to memory of 1476	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	37
PID 2516 wrote to memory of 1476	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	37
PID 2516 wrote to memory of 1476	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	37
PID 2516 wrote to memory of 1476	2516	{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe	37
PID 2216 wrote to memory of 768	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	38
PID 2216 wrote to memory of 768	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	38
PID 2216 wrote to memory of 768	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	38
PID 2216 wrote to memory of 768	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	38
PID 2216 wrote to memory of 1496	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	39
PID 2216 wrote to memory of 1496	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	39
PID 2216 wrote to memory of 1496	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	39
PID 2216 wrote to memory of 1496	2216	{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe	39
PID 768 wrote to memory of 1612	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	40
PID 768 wrote to memory of 1612	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	40
PID 768 wrote to memory of 1612	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	40
PID 768 wrote to memory of 1612	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	40
PID 768 wrote to memory of 620	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	41
PID 768 wrote to memory of 620	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	41
PID 768 wrote to memory of 620	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	41
PID 768 wrote to memory of 620	768	{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe	41
PID 1612 wrote to memory of 680	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	42
PID 1612 wrote to memory of 680	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	42
PID 1612 wrote to memory of 680	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	42
PID 1612 wrote to memory of 680	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	42
PID 1612 wrote to memory of 532	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	43
PID 1612 wrote to memory of 532	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	43
PID 1612 wrote to memory of 532	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	43
PID 1612 wrote to memory of 532	1612	{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe	43
PID 680 wrote to memory of 1400	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	44
PID 680 wrote to memory of 1400	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	44
PID 680 wrote to memory of 1400	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	44
PID 680 wrote to memory of 1400	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	44
PID 680 wrote to memory of 1780	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	45
PID 680 wrote to memory of 1780	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	45
PID 680 wrote to memory of 1780	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	45
PID 680 wrote to memory of 1780	680	{1604D001-9B90-43ab-B214-3FEB77243395}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_9f13e057abeea18150362726c2f01e98_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
  C:\Windows\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe
    C:\Windows\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
      C:\Windows\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
        
        C:\Windows\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
        
        C:\Windows\{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
        
        C:\Windows\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{1604D001-9B90-43ab-B214-3FEB77243395}.exe
        
        C:\Windows\{1604D001-9B90-43ab-B214-3FEB77243395}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
        
        C:\Windows\{F3609853-05D9-4d02-880F-761E7549ECAD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
        
        C:\Windows\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe
        
        C:\Windows\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}.exe
        
        C:\Windows\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2BFD~1.EXE > nul
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52493~1.EXE > nul
        11⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3609~1.EXE > nul
        10⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1604D~1.EXE > nul
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A039~1.EXE > nul
        8⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28450~1.EXE > nul
        7⤵
        
        PID:620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BF6~1.EXE > nul
        6⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7626~1.EXE > nul
        5⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54B13~1.EXE > nul
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CDCCD~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A039694-8D89-4ab8-A6A5-DEE93188D37D}.exe

Filesize
408KB

MD5
3ef1064d86faa0c91bda17ab3bdbec93

SHA1
b09848da756267551d6b39af29e9a5881f3ac72a

SHA256
842a1b2ce77508aef7c55b37a4b9f8303962148a3d27f939532c1845fbed2508

SHA512
2b05edafa280fbb1f54981b3e621a184bdcaf5e39e1bf12d16d93ba5740e30bd9a433e4b0207171a92775c58be27c78f76461f5e5f06c88cf55348fea55bd15e

Download Submit
C:\Windows\{1604D001-9B90-43ab-B214-3FEB77243395}.exe

Filesize
408KB

MD5
40591d7f00a4155b3bcc2c1beac3f23d

SHA1
aa13a9f3707c6fcb6109052efcdc7ddd9a8c451b

SHA256
8b7bc62cc1903c8cf3b9ee61b7e6b2936e19d31c3df2b7559ef73ec05e8df41a

SHA512
c356ee8398c284b539633e7a581d2522ba24a51415c30662f9914fc50d109b11a233f5e5c1b148e6f4aee30961d22d69d5027670ed8a4c42345d3555554c7f6d

Download Submit
C:\Windows\{284504BF-C292-4b35-A5E5-55ADB3DA6318}.exe

Filesize
408KB

MD5
878f48c8a9c8353dcb57f1294c9f1899

SHA1
35293b2c9af4af2647b658e36417a06a7dcbd902

SHA256
e65d37439ed5c5215f16d45e647b0abc763360c7b6861cad70ec465b40b9360c

SHA512
b798547b1242eb86ed448482afef82e836c3144561f29ee807a524cc352a75686fbf991789e41b48da1d4e18bce6d45af7ac90033232c30a619c2ac1c45fd82e

Download Submit
C:\Windows\{52493BDD-A003-4509-B342-6E4D5FDBD1DC}.exe

Filesize
408KB

MD5
b7ae55970efec48f51570a69c1bca81a

SHA1
5d9a73d5cc69c4eb4b49df1cc7a21ba54c1cb96f

SHA256
b28796a0617637245a7b3e7caa578a224bb54cba5c7dac3f96f270c92a48516d

SHA512
9297441a621fd73cca2d62bb7bd591d15e810628c7e655a3f5ead261dd970af83e17643a3535d2de687cec46d68747c4e34771f0eaa31c7c75ccd5b084e51c81

Download Submit
C:\Windows\{54B1379E-84C6-47e8-A2FC-6DEADA85D7DB}.exe

Filesize
408KB

MD5
3ed8ef7a0caa9e7e517ef3a7172b9d6e

SHA1
a3e333df68b7f55cbde071a55b8eae605ad3055c

SHA256
9aea8481571a101c3fb7bd3179a9b8b0b06ac889b1f4221764ea5dc04af74183

SHA512
64293776085a43b7e28595cc1df76aea7a97e1467ffb7eddbf20f38a6f3ec93675169c91f56cc78c036cb22102ad54d0dfc4fd1ad95e61908a17424d1fa7aaf5

Download Submit
C:\Windows\{C2BFDACF-5051-4975-8522-F7E1D63CCB2A}.exe

Filesize
408KB

MD5
c6c8773048b134a940db02fa812d43fa

SHA1
5a50f6b4a33d1cbd75f4e98588c8f607bbcdbeca

SHA256
5c9f90f67dabcdd405b07fa3e5ecf2915dfbac92da93ebbbfdc8c0a098fe6290

SHA512
37f81dac45556c5504f70457c76de38f57ca0ba699558a410a256d1759682b5dd0eec3c1e458592a72d85c06ebf2cc7c8f2af703dce71edd29bd29641f3e66a1

Download Submit
C:\Windows\{CDCCDB17-C28D-4aa8-AAC3-547CED65143E}.exe

Filesize
408KB

MD5
1c87bfa027d2b45bc8195ff3692aa8ed

SHA1
0b0a792e93fc248965a4497f65251749dd049a10

SHA256
fbb405e46706c4ef115d9475ca1ceccaa1dc00d1309a778b7c1cb461c4d5ffbd

SHA512
dd443e1bb00d61ba57933049b423fce04d2cc2d5234868c1563f09be158a547d52cd249f793d29f23cc7ab25ebb4f9e4be48b45c6660615015870d26a4249922

Download Submit
C:\Windows\{D2BF6B8E-785A-4be2-9183-86E602B30E8A}.exe

Filesize
408KB

MD5
13cab9c7647cb876b892520fad995ed4

SHA1
4938c1d8b1c4b4adfb53d1a91c0273ee7a8d108b

SHA256
c65890105f304ab63b6c48a05f4458ef734f7e3d3896ae549563aed8bab4761c

SHA512
1ee253840a5615991d50c02884a6e05321b1ff70b0f612ccb111d7a8839dac244c607f911d3852028a727282cafc4c0d4cb3edbf0a5d0af1ab8c9e1435236af6

Download Submit
C:\Windows\{E7626FDC-A7A0-4dd0-8404-A9EE7C9EC7F0}.exe

Filesize
408KB

MD5
7b650d82fc52c0bad0d25831f383e14e

SHA1
d2835a421536d7d38c24614f137c75e899ffeee7

SHA256
8f7ef15d70eea0dba192237e52ae94c70868f21651f96c3895c765a921620ed8

SHA512
c99ceda9e64d26b71bafee0d5e30a0daab7b962fc1b1539aa43b6e6a0dff0f9c63b1a9e010083e7e699b3b1199250feb3cf75ed6131b8004c9f3d83eb20ac29c

Download Submit
C:\Windows\{F1CD9D97-6FF3-4f73-BA66-E17226F078F1}.exe

Filesize
408KB

MD5
68143a29f274dabdd90d5256ba6ce06b

SHA1
4be30cdf1961ab8e8cbbe89efa7db1e93d154f96

SHA256
ba97cd9a67160e91c5f75c5e3a5478208b693daf002b76bede555e2ddf9f9e74

SHA512
f7e1630361582c1dff951776e7a70d80d16f50db052831ddc90b6f911f0e39f87ab04fd2961f8f24884107ec2ca30d430981e6cfedae1d02e14cfb1dfe047b83

Download Submit
C:\Windows\{F3609853-05D9-4d02-880F-761E7549ECAD}.exe

Filesize
408KB

MD5
82eaff680c7236727bd47775db500686

SHA1
971c89ed3fcd7dc0c7d7b6383d8e534b221f58d9

SHA256
5922cc9c6037321c590ad381dbb91ca02964431c2b5ee1ae6daf57a7bae68d38

SHA512
320bf80fac0590741b5bc5ec74214278ba759a516cb9d2c8a417f706454a892ac8de464733a2e830ec57e5bdcc7f5c2f5801ce95c17c0e435a8aa4c0180500cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads