9a647e5b0bb718eaa0cc31ce66893338d382dd5f38922ab7bb4b6935f94e5f7d

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe
Size

204KB
MD5

656aab3e44fee907b231df2610bdaad0
SHA1

2d44bca005d0bc61d220b07358cc9ddc1b760ee7
SHA256

9a647e5b0bb718eaa0cc31ce66893338d382dd5f38922ab7bb4b6935f94e5f7d
SHA512

6a9a38841757a05dd2eb62cf43ad8c21ff7b2f390711318ecfacaead0df9e58bfe0aac09817a3908526f6bf3ab1830be87f14af5bc492092d3e7709564bd3f47
SSDEEP

1536:1EGh0o0l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o0l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014284-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000144e1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014284-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000144e9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014284-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014284-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014284-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A93B06F-44B2-4879-8023-B6032EE06603}	{2586FFC4-8919-489b-9902-29D0CC956500}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7989AE7C-5118-4972-B0D0-5872942F662C}\stubpath = "C:\\Windows\\{7989AE7C-5118-4972-B0D0-5872942F662C}.exe"	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}\stubpath = "C:\\Windows\\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe"	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2899013-BEEB-416c-9482-5EB070D4E77E}\stubpath = "C:\\Windows\\{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe"	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2899013-BEEB-416c-9482-5EB070D4E77E}	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2586FFC4-8919-489b-9902-29D0CC956500}	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2586FFC4-8919-489b-9902-29D0CC956500}\stubpath = "C:\\Windows\\{2586FFC4-8919-489b-9902-29D0CC956500}.exe"	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A93B06F-44B2-4879-8023-B6032EE06603}\stubpath = "C:\\Windows\\{4A93B06F-44B2-4879-8023-B6032EE06603}.exe"	{2586FFC4-8919-489b-9902-29D0CC956500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}	{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E533021D-42EB-4ccd-8B0E-311548BC7A49}\stubpath = "C:\\Windows\\{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe"	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071D6FE4-8123-4d2e-AF75-265893D2DE28}	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7989AE7C-5118-4972-B0D0-5872942F662C}	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}	{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}\stubpath = "C:\\Windows\\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe"	{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}\stubpath = "C:\\Windows\\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe"	{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E533021D-42EB-4ccd-8B0E-311548BC7A49}	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071D6FE4-8123-4d2e-AF75-265893D2DE28}\stubpath = "C:\\Windows\\{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe"	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}	{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}\stubpath = "C:\\Windows\\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}.exe"	{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}\stubpath = "C:\\Windows\\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe"	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe
1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe
1432	{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
2120	{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
2036	{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe
592	{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
File created	C:\Windows\{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
File created	C:\Windows\{2586FFC4-8919-489b-9902-29D0CC956500}.exe	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
File created	C:\Windows\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe	{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
File created	C:\Windows\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe	{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
File created	C:\Windows\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}.exe	{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe
File created	C:\Windows\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe
File created	C:\Windows\{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
File created	C:\Windows\{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	{2586FFC4-8919-489b-9902-29D0CC956500}.exe
File created	C:\Windows\{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
File created	C:\Windows\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
Token: SeIncBasePriorityPrivilege	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
Token: SeIncBasePriorityPrivilege	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
Token: SeIncBasePriorityPrivilege	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
Token: SeIncBasePriorityPrivilege	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe
Token: SeIncBasePriorityPrivilege	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
Token: SeIncBasePriorityPrivilege	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe
Token: SeIncBasePriorityPrivilege	1432	{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
Token: SeIncBasePriorityPrivilege	2120	{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
Token: SeIncBasePriorityPrivilege	2036	{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2904	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	28
PID 3024 wrote to memory of 2904	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	28
PID 3024 wrote to memory of 2904	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	28
PID 3024 wrote to memory of 2904	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	28
PID 3024 wrote to memory of 2736	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	29
PID 3024 wrote to memory of 2736	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	29
PID 3024 wrote to memory of 2736	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	29
PID 3024 wrote to memory of 2736	3024	2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe	29
PID 2904 wrote to memory of 2692	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	30
PID 2904 wrote to memory of 2692	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	30
PID 2904 wrote to memory of 2692	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	30
PID 2904 wrote to memory of 2692	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	30
PID 2904 wrote to memory of 2544	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	31
PID 2904 wrote to memory of 2544	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	31
PID 2904 wrote to memory of 2544	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	31
PID 2904 wrote to memory of 2544	2904	{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe	31
PID 2692 wrote to memory of 2708	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	32
PID 2692 wrote to memory of 2708	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	32
PID 2692 wrote to memory of 2708	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	32
PID 2692 wrote to memory of 2708	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	32
PID 2692 wrote to memory of 2756	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	33
PID 2692 wrote to memory of 2756	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	33
PID 2692 wrote to memory of 2756	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	33
PID 2692 wrote to memory of 2756	2692	{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe	33
PID 2708 wrote to memory of 3032	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	36
PID 2708 wrote to memory of 3032	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	36
PID 2708 wrote to memory of 3032	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	36
PID 2708 wrote to memory of 3032	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	36
PID 2708 wrote to memory of 2360	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	37
PID 2708 wrote to memory of 2360	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	37
PID 2708 wrote to memory of 2360	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	37
PID 2708 wrote to memory of 2360	2708	{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe	37
PID 3032 wrote to memory of 2676	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	38
PID 3032 wrote to memory of 2676	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	38
PID 3032 wrote to memory of 2676	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	38
PID 3032 wrote to memory of 2676	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	38
PID 3032 wrote to memory of 2628	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	39
PID 3032 wrote to memory of 2628	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	39
PID 3032 wrote to memory of 2628	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	39
PID 3032 wrote to memory of 2628	3032	{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe	39
PID 2676 wrote to memory of 1824	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	40
PID 2676 wrote to memory of 1824	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	40
PID 2676 wrote to memory of 1824	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	40
PID 2676 wrote to memory of 1824	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	40
PID 2676 wrote to memory of 1040	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	41
PID 2676 wrote to memory of 1040	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	41
PID 2676 wrote to memory of 1040	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	41
PID 2676 wrote to memory of 1040	2676	{2586FFC4-8919-489b-9902-29D0CC956500}.exe	41
PID 1824 wrote to memory of 2180	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	42
PID 1824 wrote to memory of 2180	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	42
PID 1824 wrote to memory of 2180	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	42
PID 1824 wrote to memory of 2180	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	42
PID 1824 wrote to memory of 900	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	43
PID 1824 wrote to memory of 900	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	43
PID 1824 wrote to memory of 900	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	43
PID 1824 wrote to memory of 900	1824	{4A93B06F-44B2-4879-8023-B6032EE06603}.exe	43
PID 2180 wrote to memory of 1432	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	44
PID 2180 wrote to memory of 1432	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	44
PID 2180 wrote to memory of 1432	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	44
PID 2180 wrote to memory of 1432	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	44
PID 2180 wrote to memory of 1876	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	45
PID 2180 wrote to memory of 1876	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	45
PID 2180 wrote to memory of 1876	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	45
PID 2180 wrote to memory of 1876	2180	{7989AE7C-5118-4972-B0D0-5872942F662C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_656aab3e44fee907b231df2610bdaad0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
  C:\Windows\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
    C:\Windows\{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
      C:\Windows\{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
        
        C:\Windows\{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{2586FFC4-8919-489b-9902-29D0CC956500}.exe
        
        C:\Windows\{2586FFC4-8919-489b-9902-29D0CC956500}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
        
        C:\Windows\{4A93B06F-44B2-4879-8023-B6032EE06603}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{7989AE7C-5118-4972-B0D0-5872942F662C}.exe
        
        C:\Windows\{7989AE7C-5118-4972-B0D0-5872942F662C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
        
        C:\Windows\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
        
        C:\Windows\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe
        
        C:\Windows\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}.exe
        
        C:\Windows\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}.exe
        12⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED329~1.EXE > nul
        12⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FCBA~1.EXE > nul
        11⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{987D8~1.EXE > nul
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7989A~1.EXE > nul
        9⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A93B~1.EXE > nul
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2586F~1.EXE > nul
        7⤵
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2899~1.EXE > nul
        6⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{071D6~1.EXE > nul
        5⤵
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5330~1.EXE > nul
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3EFFC~1.EXE > nul
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071D6FE4-8123-4d2e-AF75-265893D2DE28}.exe

Filesize
204KB

MD5
8aa62a0feb08151e93f7b5c86481a6bc

SHA1
b17729c2327752f9ec6f9dffd981f7f71725b99e

SHA256
8424d229dbee8e661a574a1fa192499fdca5fff1faad299d168ba1dc3ce0583c

SHA512
b9387a04719085fc8002a3549a3871c00aaf2734ddcf42ff1394345cccb63da84b1c0513c94c431c7d4ff12fb7ed883ae174c1e8afcbdc392c49b4f4d82e0fd4

Download Submit
C:\Windows\{2586FFC4-8919-489b-9902-29D0CC956500}.exe

Filesize
204KB

MD5
f41e0c0e90692339780461ca25ac726a

SHA1
34f15e3b4c1b7326acdcfff22d349a6e4fea3e81

SHA256
958d52fec9fbcb03bceba4d95d5573af187cd454a0d54d3f7060e3cd35b07a2b

SHA512
dba9169195eccb45239d145e21f981cc9d7d76765f03a35c34b1acffab275cee2af8816ef450b3425bd07322be558d1bec4e23070c130e54116da4731576f9b6

Download Submit
C:\Windows\{2FCBA47D-7E22-46ed-B0B5-3B39E7DDFB28}.exe

Filesize
204KB

MD5
d28d10144b8f8bc8aa2241989f05cd1b

SHA1
8c0342dfd33b8eba690a63e2abd3b58445c8ea06

SHA256
87e24e4b5807e26d232769d189b0cdbbf524a55a6eff444740aca7ebe1a0f2bf

SHA512
46a4dd67a17e95f21c032e770fc72531967c3a5884fe642dd544053b7c9daac24131e20a51f7735be7efb3c7ad91594e66f36109db0327da27b4cd3c16ebe588

Download Submit
C:\Windows\{3EFFCCAD-647E-4649-ADA1-6F09D16EA039}.exe

Filesize
204KB

MD5
0203a695812fe88a336ae19098de034a

SHA1
3935775aa82d91dcf32b5486572ae66f22745426

SHA256
c1c6e83ac10dfd791e7aa0154e6fd478b71190d4d9814daafbc1d038424e1db2

SHA512
70e1c80ae7d3df729e47413c1bfdc537abefc3d9020d6f0913168b9a95e0cead01d491f5823a9a6b91acb1a462e4616ed119edf2fec67c602600877f18e0796c

Download Submit
C:\Windows\{4A93B06F-44B2-4879-8023-B6032EE06603}.exe

Filesize
204KB

MD5
fa62bd6bba3f312ea761b2c0442be2d0

SHA1
53048483041a0321b69484157ad889775a576c95

SHA256
25bee7172cc8bf68abfe4382da16f7f6ae2400e9572fe2273f6eb321aa062b92

SHA512
20e2df858635262c53760671572b793eddc32baf1157cd34d31746b07e14f6c4cf48075a33219aca880f514658756ae8e7df82eb239b92002150f1665711c602

Download Submit
C:\Windows\{6AE0E17B-4BA9-414a-A482-9EF07D4B1E29}.exe

Filesize
204KB

MD5
e184d879414989e8b2958145c0120fd3

SHA1
656c3b53d4cda21162268242323b5fb9a5ee4eff

SHA256
4ee2c4e64e53aa689f6e1603fec0a82e9f1e9bea1f6dd6408252e6ba81a09bf7

SHA512
9156c7750e7f9839e326e887daada1333a4418f50ace387b1295cf04c10c364360e8f54b56d2aa570900ccbc71ab1ceb62ae8131a1fdfe6c06d8398e8172a245

Download Submit
C:\Windows\{7989AE7C-5118-4972-B0D0-5872942F662C}.exe

Filesize
204KB

MD5
45d29b57ec26777d269e8865588a1259

SHA1
36e8a9e89db43ca6c92ae843ed1aa7bc26912473

SHA256
5b8dd21dfea735147941cf898e4ebb15ff9ed356cb6fe6aa9b19f81cb412e323

SHA512
5e9133e1cf3e73b58b934708ed991e4fded32579ff577f3ab832c114fabc8adabd8ce86ed75dc1cb47566145fa4a95dce80c3d8852e8e7014d3360008e0626b2

Download Submit
C:\Windows\{987D863D-4ED2-44f6-9399-8847ADF6CBD5}.exe

Filesize
204KB

MD5
1a4ecb91f5166fe106c53d508533d21e

SHA1
d0732d426943a2015736e16bdf79c506a2e887e7

SHA256
93961f31d65c1bf437a649c1db54c7bd574c563cc71289223741ad1fc884f354

SHA512
8a85cc7d803229c84a667f4332e7154940ffe05b27da03331be89cfe0efa4dfab3a2bcc315f2f07baefdd1a527c7cccfd69f503da0c39ef887c0852dfbaf086d

Download Submit
C:\Windows\{C2899013-BEEB-416c-9482-5EB070D4E77E}.exe

Filesize
204KB

MD5
245d8c7df80bae30a6529882323f3213

SHA1
591ad9a92fff9b90350ea255ca131f1c12eae69e

SHA256
2ecf051dbc5c5cd5d4ca02fccbe58029aaffa3895cc72d18561458ce4971001e

SHA512
a191ceb40779e84eceaf645fe767092a4a429c04e7187f37981d4b3e193683c19c59f79660664736d5cb624e64429c3c58fd8d27f548aedb7221e4ddef88d846

Download Submit
C:\Windows\{E533021D-42EB-4ccd-8B0E-311548BC7A49}.exe

Filesize
204KB

MD5
4ff0f2e2f93de43ec35468ae5818dcf3

SHA1
71563d7a7b89665eacb3330a67556138709406d2

SHA256
85de93e742261367bc0c90e3b5de6853a671ce2a7023aad364b1e8b8bc457860

SHA512
254fb1dc2636c85be6f06d17f3fd3a44175782610f691c56e00f3a3113c70a2e6bca37ec47cf65013f5a593e2f8368f873323267342fc1c4bc5d2b2d44dc7aa4

Download Submit
C:\Windows\{ED32947B-2B0E-4ebd-92E4-AF1DF3D29455}.exe

Filesize
204KB

MD5
31a2af59e1ab00087af984e69accde2c

SHA1
dac14b7d26ddad9958e9a5a58d7a80bb99706a2b

SHA256
788a40afd5aa5b94286cc126e582bad6c51af7e6288ad20892641eb1c020abc0

SHA512
6492f933559598c875c78b1c5ff53c10c1726867f3a159753bccc92b4e908c130644b402ef66a88a2904b31476df785b60f962dcea036cb21df4e398905e987f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads