2b80bb7e550f7e684c8371bdbfa8eb89194427229e5dbcb79fb106249e6db328

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe
Size

204KB
MD5

c35bdb14c71df2b3388908bd921e1edc
SHA1

0fe10ff868dff1424ea4e382b563fd4a33d795c8
SHA256

2b80bb7e550f7e684c8371bdbfa8eb89194427229e5dbcb79fb106249e6db328
SHA512

36c9980271136fd41c8b7720bf764e61544f6a9554ff392cebb83acb1190558a10be360cb380e758dcff4f8231ad688781a9e72735a4c7be1dcf7132a579b781
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ocl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001472f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014f57-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001472f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001507a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001472f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001472f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001472f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38546830-9BCC-4cb3-B2D3-DED59518198B}\stubpath = "C:\\Windows\\{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe"	{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00DCF408-806B-4a6d-A55A-9AE130E146EB}\stubpath = "C:\\Windows\\{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe"	{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C4885E1-9287-4199-88E4-D6A61CF2038B}	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38546830-9BCC-4cb3-B2D3-DED59518198B}	{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E07520B2-944E-4215-9679-3E9478DB4D97}\stubpath = "C:\\Windows\\{E07520B2-944E-4215-9679-3E9478DB4D97}.exe"	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00DCF408-806B-4a6d-A55A-9AE130E146EB}	{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}\stubpath = "C:\\Windows\\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}.exe"	{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC22DA59-5D8E-45f9-9388-38DCE585430D}\stubpath = "C:\\Windows\\{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe"	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C4885E1-9287-4199-88E4-D6A61CF2038B}\stubpath = "C:\\Windows\\{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe"	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}\stubpath = "C:\\Windows\\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe"	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}	{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD9E84D0-E17B-4046-BF40-68FD3E314592}	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}\stubpath = "C:\\Windows\\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe"	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E07520B2-944E-4215-9679-3E9478DB4D97}	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}\stubpath = "C:\\Windows\\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe"	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD9E84D0-E17B-4046-BF40-68FD3E314592}\stubpath = "C:\\Windows\\{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe"	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC22DA59-5D8E-45f9-9388-38DCE585430D}	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}\stubpath = "C:\\Windows\\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe"	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe
320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
1284	{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
1848	{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
596	{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe
1320	{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
File created	C:\Windows\{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe	{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
File created	C:\Windows\{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
File created	C:\Windows\{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
File created	C:\Windows\{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
File created	C:\Windows\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
File created	C:\Windows\{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe	{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
File created	C:\Windows\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}.exe	{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe
File created	C:\Windows\{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe
File created	C:\Windows\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
File created	C:\Windows\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
Token: SeIncBasePriorityPrivilege	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
Token: SeIncBasePriorityPrivilege	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
Token: SeIncBasePriorityPrivilege	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe
Token: SeIncBasePriorityPrivilege	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
Token: SeIncBasePriorityPrivilege	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
Token: SeIncBasePriorityPrivilege	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
Token: SeIncBasePriorityPrivilege	1284	{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
Token: SeIncBasePriorityPrivilege	1848	{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
Token: SeIncBasePriorityPrivilege	596	{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2476	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	28
PID 2000 wrote to memory of 2476	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	28
PID 2000 wrote to memory of 2476	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	28
PID 2000 wrote to memory of 2476	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	28
PID 2000 wrote to memory of 2572	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	29
PID 2000 wrote to memory of 2572	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	29
PID 2000 wrote to memory of 2572	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	29
PID 2000 wrote to memory of 2572	2000	2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe	29
PID 2476 wrote to memory of 2616	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	30
PID 2476 wrote to memory of 2616	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	30
PID 2476 wrote to memory of 2616	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	30
PID 2476 wrote to memory of 2616	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	30
PID 2476 wrote to memory of 2684	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	31
PID 2476 wrote to memory of 2684	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	31
PID 2476 wrote to memory of 2684	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	31
PID 2476 wrote to memory of 2684	2476	{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe	31
PID 2616 wrote to memory of 2264	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	32
PID 2616 wrote to memory of 2264	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	32
PID 2616 wrote to memory of 2264	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	32
PID 2616 wrote to memory of 2264	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	32
PID 2616 wrote to memory of 2380	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	33
PID 2616 wrote to memory of 2380	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	33
PID 2616 wrote to memory of 2380	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	33
PID 2616 wrote to memory of 2380	2616	{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe	33
PID 2264 wrote to memory of 2548	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	36
PID 2264 wrote to memory of 2548	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	36
PID 2264 wrote to memory of 2548	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	36
PID 2264 wrote to memory of 2548	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	36
PID 2264 wrote to memory of 2680	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	37
PID 2264 wrote to memory of 2680	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	37
PID 2264 wrote to memory of 2680	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	37
PID 2264 wrote to memory of 2680	2264	{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe	37
PID 2548 wrote to memory of 320	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	38
PID 2548 wrote to memory of 320	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	38
PID 2548 wrote to memory of 320	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	38
PID 2548 wrote to memory of 320	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	38
PID 2548 wrote to memory of 2284	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	39
PID 2548 wrote to memory of 2284	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	39
PID 2548 wrote to memory of 2284	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	39
PID 2548 wrote to memory of 2284	2548	{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe	39
PID 320 wrote to memory of 1260	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	40
PID 320 wrote to memory of 1260	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	40
PID 320 wrote to memory of 1260	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	40
PID 320 wrote to memory of 1260	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	40
PID 320 wrote to memory of 1808	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	41
PID 320 wrote to memory of 1808	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	41
PID 320 wrote to memory of 1808	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	41
PID 320 wrote to memory of 1808	320	{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe	41
PID 1260 wrote to memory of 2208	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	42
PID 1260 wrote to memory of 2208	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	42
PID 1260 wrote to memory of 2208	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	42
PID 1260 wrote to memory of 2208	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	42
PID 1260 wrote to memory of 2428	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	43
PID 1260 wrote to memory of 2428	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	43
PID 1260 wrote to memory of 2428	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	43
PID 1260 wrote to memory of 2428	1260	{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe	43
PID 2208 wrote to memory of 1284	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	44
PID 2208 wrote to memory of 1284	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	44
PID 2208 wrote to memory of 1284	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	44
PID 2208 wrote to memory of 1284	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	44
PID 2208 wrote to memory of 1704	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	45
PID 2208 wrote to memory of 1704	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	45
PID 2208 wrote to memory of 1704	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	45
PID 2208 wrote to memory of 1704	2208	{E07520B2-944E-4215-9679-3E9478DB4D97}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_c35bdb14c71df2b3388908bd921e1edc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
  C:\Windows\{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
    C:\Windows\{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
      C:\Windows\{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe
        
        C:\Windows\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
        
        C:\Windows\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
        
        C:\Windows\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
        
        C:\Windows\{E07520B2-944E-4215-9679-3E9478DB4D97}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
        
        C:\Windows\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
        
        C:\Windows\{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe
        
        C:\Windows\{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}.exe
        
        C:\Windows\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}.exe
        12⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00DCF~1.EXE > nul
        12⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38546~1.EXE > nul
        11⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB1B2~1.EXE > nul
        10⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0752~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98C1F~1.EXE > nul
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1212B~1.EXE > nul
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4525~1.EXE > nul
        6⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C488~1.EXE > nul
        5⤵
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BC22D~1.EXE > nul
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9E8~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00DCF408-806B-4a6d-A55A-9AE130E146EB}.exe

Filesize
204KB

MD5
5e3ae13b3e3c8255a4c0798ba4855e77

SHA1
033409f8daa1c39103d644aecea26643324429c4

SHA256
fff60070a7f15146ac78a06294c75c7980c6a50803425c49758f23e8df3bb73d

SHA512
f9eb6216125ed875d00d5d5b517e8e8c04d6cdf4b4bd061b65cd56be207ccc8ad61a28863564ca8fdcbcc64f5a90bca503605912f3421b39abfbacb4abe1f87e

Download Submit
C:\Windows\{1212B73A-4C23-4525-90BE-D8BC8E375BBD}.exe

Filesize
204KB

MD5
72928ae329fb70fecf2c027554318384

SHA1
8cbb06bf0c91493649218bf2cd911cfb7d2a3121

SHA256
f9e9251b51076fa1cebd33052aebf2912d9218ba77476790252c0d41c2535e00

SHA512
d17b9696f09ab920a0737e15f7d26b3ceb91dcaff972f149b5df23c6a916d1257bf3dd6f670ba3618ea1dafc59f14c5b6622f0a1b4ef64a7a08b640d5183ec3f

Download Submit
C:\Windows\{38546830-9BCC-4cb3-B2D3-DED59518198B}.exe

Filesize
204KB

MD5
c1ac81ac213ca11ceec96f3d49f26dff

SHA1
88de6ecabe577291452c50cd1c8d98b1f4ac953d

SHA256
576bc55044e2c1e2b87a097ec49a865ff375e9888a1374219811b3a723e0ef5a

SHA512
191e4d4564e2376f07eafeb0e5f1b0569af95426e8986863f2b5decf667ebcf3f46e844f3ae62961ae20ba6e1f42b26abf9b66dba9fd5ab7e829b107694d87ba

Download Submit
C:\Windows\{3E329D3D-2DA9-4f86-B9CE-912728D1F9FB}.exe

Filesize
204KB

MD5
18a49b01922b1647cbcf2a32a1ea94e7

SHA1
5017f0ed0a5e50b1147e336102a4230c331b0746

SHA256
8789f28cce648574019d48374297bdda0dbc6beb19042ecf34eb8b98ef70ae62

SHA512
fa2670bf8cf4eeca433bcadf5f75b8e780cf01c112da9e4e27bc2bf4315c2dea971a0d715ecf521efdc750d7293918640ba21e018b44169a25e83985a90b1534

Download Submit
C:\Windows\{98C1F193-1EC5-4827-BC26-B21E2D7ED4D0}.exe

Filesize
204KB

MD5
cf17730422f1c7638f186b3f2adbf5a1

SHA1
d10c07afe3c0f3b016ddb64d0b5c4721df04bffb

SHA256
30219af7477a2505cefcd61956cd05912f288c0a9de7d589ae6ff67ac579d184

SHA512
2c8baae64023de5e0a994f68e12f622715abccfb9f83b216e566bb8ffc197546a326c9a41681de00adc5ace4a0bcc28284508bea2240497926c67ec1014d7752

Download Submit
C:\Windows\{9C4885E1-9287-4199-88E4-D6A61CF2038B}.exe

Filesize
204KB

MD5
b3b579052125202c2d3ea10611e5f1a1

SHA1
f526face7ef7774d347ec67f3d3af8b5f288309f

SHA256
b0750625e79fff723117f274ea7d36c017f5f7edbfb0517354068f1305300963

SHA512
18b8cfce4c67406bf09fc6fead9b7569317294424d6f31f26a6cc805cf813a873f48d68da258d936de02fb94c9964a5d002881c7761222dbe3dd3b50400d0c50

Download Submit
C:\Windows\{BC22DA59-5D8E-45f9-9388-38DCE585430D}.exe

Filesize
204KB

MD5
2c0e053d0c1f3441b30b2870cdfc2c70

SHA1
118dea62615d9eb16a9a0ee76a90f47645431b91

SHA256
ec2322504d1dd0c18f871fe44a0f4e22571c013a93091b47c687d086f69666e3

SHA512
45ce4c24fc61f2ba620dec645e6d5b8a083fc219b753c4746415ad0a643d6066da7f10f680418644ef784f5ddcf29ae045856e99f580ec88299c3f446266a5b4

Download Submit
C:\Windows\{D45250BE-1D48-42f7-A7D9-3FEB8754F34F}.exe

Filesize
204KB

MD5
c93cf586c7656dc046437f11224773c8

SHA1
f7739db0198e1d89d7d706b22a7d5661f64ab28b

SHA256
761aa84e0d67a8be221a7270053761247f8ac0997a33c13a81ded8646eb177d2

SHA512
466667ce69b275f1008150c6387d7e98378fa0ecc1e142d47263bdb1dabee3663983fda5b76d7676080900dc2ddf14886357714987a813565c184b95eca94031

Download Submit
C:\Windows\{DD9E84D0-E17B-4046-BF40-68FD3E314592}.exe

Filesize
204KB

MD5
9c7c33ca5ffa67a4db22fdf87f907752

SHA1
a4eedd06ca8ece25883e0e9688740a1ca1b8b1a3

SHA256
b5904cc0afd6e8726e98e9bc53803076ffd7f470e11b3760ef0f8641a1ea8a89

SHA512
7c5388a39e0f5fd240680f622accc6ccfc3aa591e50a52124b274ff601beef06c1ca3d6e169a58c0c49c8184c9d2b1ddb813b1e72bcdfe46537ce574aed57019

Download Submit
C:\Windows\{E07520B2-944E-4215-9679-3E9478DB4D97}.exe

Filesize
204KB

MD5
95b711f0106f99d3958f08073b58a10f

SHA1
6fe193652d23f9ec6e54eb8f83c64e0f6706b0ba

SHA256
0a130b21b19c9384e9e02d06952664210b877e1f40117436d5b878746d206c65

SHA512
5080d1d70755fb9f7384abef8c7759d6fa462988471b3d50d20e733479db986c39e8d7e5ae28e1f220584d0c44fd96b813980960c284c732b5bda349ae3be61a

Download Submit
C:\Windows\{FB1B223F-BF10-4a35-BE8E-7FB5E6E6BBBC}.exe

Filesize
204KB

MD5
161327a0a12b77d8b8fb37e89156cb3f

SHA1
84bb458471d83bf18015df74745316b88bc1343f

SHA256
94089d79d3cea07bbd77d8ace0cf131df338240d5f08eb93c17a14fa5d096463

SHA512
666f613a54cad18216b1754c85170c5cd6ef92937d0af36568432fed2c519f7ceac3ceb194ebe24c715f027f0f03bf0c2621fd853d1e4b7ab7f74a21785d36c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads