b0a4eee8a510c7ce3e8a6f2fe8bfd34603aa4a3ebda202dab0b1713ff304afc6

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Size

168KB
MD5

49adaccbd3f7a4876fbead1ed11df86a
SHA1

72bbe67c17d3385f16b55975be8e2e95151e5a4f
SHA256

b0a4eee8a510c7ce3e8a6f2fe8bfd34603aa4a3ebda202dab0b1713ff304afc6
SHA512

8063f07fc550aba0cd2301c691332265dfdb06558e446e729266f6f3093779be6e3067134d2fb71a3e39037d3a7ab782631e6c5834b95d24288197d1bc3a565e
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000013309-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a0000000139f1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013309-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000013a3f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013309-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000013309-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000013309-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}\stubpath = "C:\\Windows\\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe"	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9706356-8D26-4ba4-A26F-F6A088443282}	{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F257A46E-64EF-4b13-BF37-325C1E9810AD}\stubpath = "C:\\Windows\\{F257A46E-64EF-4b13-BF37-325C1E9810AD}.exe"	{B9706356-8D26-4ba4-A26F-F6A088443282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}\stubpath = "C:\\Windows\\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe"	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}\stubpath = "C:\\Windows\\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe"	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}\stubpath = "C:\\Windows\\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe"	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37062D06-E139-4b1f-93A9-977D9D8C23F5}\stubpath = "C:\\Windows\\{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe"	{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F257A46E-64EF-4b13-BF37-325C1E9810AD}	{B9706356-8D26-4ba4-A26F-F6A088443282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}\stubpath = "C:\\Windows\\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe"	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EAE6D91-C165-408a-97D4-B63D71B26387}\stubpath = "C:\\Windows\\{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe"	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EAE6D91-C165-408a-97D4-B63D71B26387}	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}\stubpath = "C:\\Windows\\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe"	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}\stubpath = "C:\\Windows\\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe"	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37062D06-E139-4b1f-93A9-977D9D8C23F5}	{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9706356-8D26-4ba4-A26F-F6A088443282}\stubpath = "C:\\Windows\\{B9706356-8D26-4ba4-A26F-F6A088443282}.exe"	{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe

Executes dropped EXE 11 IoCs

pid	Process
2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe
2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe
2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
2740	{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
1764	{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
2848	{B9706356-8D26-4ba4-A26F-F6A088443282}.exe
1168	{F257A46E-64EF-4b13-BF37-325C1E9810AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
File created	C:\Windows\{F257A46E-64EF-4b13-BF37-325C1E9810AD}.exe	{B9706356-8D26-4ba4-A26F-F6A088443282}.exe
File created	C:\Windows\{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
File created	C:\Windows\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe
File created	C:\Windows\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
File created	C:\Windows\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
File created	C:\Windows\{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe	{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
File created	C:\Windows\{B9706356-8D26-4ba4-A26F-F6A088443282}.exe	{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
File created	C:\Windows\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
File created	C:\Windows\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
File created	C:\Windows\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
Token: SeIncBasePriorityPrivilege	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe
Token: SeIncBasePriorityPrivilege	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
Token: SeIncBasePriorityPrivilege	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe
Token: SeIncBasePriorityPrivilege	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
Token: SeIncBasePriorityPrivilege	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
Token: SeIncBasePriorityPrivilege	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
Token: SeIncBasePriorityPrivilege	2740	{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
Token: SeIncBasePriorityPrivilege	1764	{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
Token: SeIncBasePriorityPrivilege	2848	{B9706356-8D26-4ba4-A26F-F6A088443282}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2144	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	28
PID 2036 wrote to memory of 2144	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	28
PID 2036 wrote to memory of 2144	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	28
PID 2036 wrote to memory of 2144	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	28
PID 2036 wrote to memory of 2592	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	29
PID 2036 wrote to memory of 2592	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	29
PID 2036 wrote to memory of 2592	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	29
PID 2036 wrote to memory of 2592	2036	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	29
PID 2144 wrote to memory of 2700	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	30
PID 2144 wrote to memory of 2700	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	30
PID 2144 wrote to memory of 2700	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	30
PID 2144 wrote to memory of 2700	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	30
PID 2144 wrote to memory of 2508	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	31
PID 2144 wrote to memory of 2508	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	31
PID 2144 wrote to memory of 2508	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	31
PID 2144 wrote to memory of 2508	2144	{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe	31
PID 2700 wrote to memory of 2708	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	32
PID 2700 wrote to memory of 2708	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	32
PID 2700 wrote to memory of 2708	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	32
PID 2700 wrote to memory of 2708	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	32
PID 2700 wrote to memory of 2728	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	33
PID 2700 wrote to memory of 2728	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	33
PID 2700 wrote to memory of 2728	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	33
PID 2700 wrote to memory of 2728	2700	{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe	33
PID 2708 wrote to memory of 2924	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	36
PID 2708 wrote to memory of 2924	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	36
PID 2708 wrote to memory of 2924	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	36
PID 2708 wrote to memory of 2924	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	36
PID 2708 wrote to memory of 2968	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	37
PID 2708 wrote to memory of 2968	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	37
PID 2708 wrote to memory of 2968	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	37
PID 2708 wrote to memory of 2968	2708	{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe	37
PID 2924 wrote to memory of 2796	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	38
PID 2924 wrote to memory of 2796	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	38
PID 2924 wrote to memory of 2796	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	38
PID 2924 wrote to memory of 2796	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	38
PID 2924 wrote to memory of 2928	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	39
PID 2924 wrote to memory of 2928	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	39
PID 2924 wrote to memory of 2928	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	39
PID 2924 wrote to memory of 2928	2924	{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe	39
PID 2796 wrote to memory of 1988	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	40
PID 2796 wrote to memory of 1988	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	40
PID 2796 wrote to memory of 1988	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	40
PID 2796 wrote to memory of 1988	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	40
PID 2796 wrote to memory of 1972	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	41
PID 2796 wrote to memory of 1972	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	41
PID 2796 wrote to memory of 1972	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	41
PID 2796 wrote to memory of 1972	2796	{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe	41
PID 1988 wrote to memory of 1752	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	42
PID 1988 wrote to memory of 1752	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	42
PID 1988 wrote to memory of 1752	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	42
PID 1988 wrote to memory of 1752	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	42
PID 1988 wrote to memory of 2460	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	43
PID 1988 wrote to memory of 2460	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	43
PID 1988 wrote to memory of 2460	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	43
PID 1988 wrote to memory of 2460	1988	{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe	43
PID 1752 wrote to memory of 2740	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	44
PID 1752 wrote to memory of 2740	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	44
PID 1752 wrote to memory of 2740	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	44
PID 1752 wrote to memory of 2740	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	44
PID 1752 wrote to memory of 1688	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	45
PID 1752 wrote to memory of 1688	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	45
PID 1752 wrote to memory of 1688	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	45
PID 1752 wrote to memory of 1688	1752	{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
  C:\Windows\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe
    C:\Windows\{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
      C:\Windows\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe
        
        C:\Windows\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
        
        C:\Windows\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
        
        C:\Windows\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
        
        C:\Windows\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
        
        C:\Windows\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
        
        C:\Windows\{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{B9706356-8D26-4ba4-A26F-F6A088443282}.exe
        
        C:\Windows\{B9706356-8D26-4ba4-A26F-F6A088443282}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{F257A46E-64EF-4b13-BF37-325C1E9810AD}.exe
        
        C:\Windows\{F257A46E-64EF-4b13-BF37-325C1E9810AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9706~1.EXE > nul
        12⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37062~1.EXE > nul
        11⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C94B~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{603D7~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CE41~1.EXE > nul
        8⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DB43~1.EXE > nul
        7⤵
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37957~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0E85~1.EXE > nul
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0EAE6~1.EXE > nul
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6086F~1.EXE > nul
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EAE6D91-C165-408a-97D4-B63D71B26387}.exe

Filesize
168KB

MD5
c495cf759f01f5e2fbdec32eb833be78

SHA1
e799fcf45037c6968ef2ae7c8d8b447310339c88

SHA256
7f1ab6e0ab6ae9c830f997a47a37c61021983171145859ec44744a729df8a6b7

SHA512
90ea56f8380cfcdfdb14f75a4829691d8abad7d1ff648f9a4dd9a40d631f917cead84d7d01ebc112ce8ba56b5a054c7d63a3762f343ea8877a12b4b16b9ec76b

Download Submit
C:\Windows\{1CE4165C-7FB2-4ce0-856C-8724345D82B7}.exe

Filesize
168KB

MD5
da01ac7e96990a127dc638a838262d49

SHA1
f15bd3f75227c5bc9a128cc00c6aa65b0a311f5a

SHA256
2192ea57535e50780f0c3c53d11aaaacba84fad5a623d3a7b67a976218b46dd5

SHA512
fc14398404490b4e5f461bc0af85e66e56c3553a737f9ae866c67fa39eed408b44db0207c31f9770ecd4b8764e5daffc46010440eef8d0d5338313eaf5242e91

Download Submit
C:\Windows\{37062D06-E139-4b1f-93A9-977D9D8C23F5}.exe

Filesize
168KB

MD5
854a6cebf176ecdbd0c8391f5318d7a3

SHA1
6abc26ca4b9a9e6a307c4db8cfd66d5486fd6f03

SHA256
6277500ae4d61bd3438db30a46241cf532851bcf976152946fd8a7d183cc0f81

SHA512
2f9b16f737528084850462fc71256bf8347e617351930ec6c2b9bf4a64bcda1817ed745c80798341e9cd161ba87dc185911d40c7164aa239a5fd3dcd26df01d0

Download Submit
C:\Windows\{37957606-DE86-4f59-9FA4-0E995F6F8BB9}.exe

Filesize
168KB

MD5
b32b14c87162ce261f948ba6dc341042

SHA1
20e9237899cba077ac43f6ccd6df81e7c2dbec99

SHA256
5489bd35757528a2a18f44472ffb035a3fd65e3623a9eda7a1a241433de4da84

SHA512
7a47f420a5723e85baa4d9e6aeeb630f35fe8bd614c34483b9aaefbfadcd939fe478eeddb8c0dbf72403bbfc0e8a0040f798f97310c8b75bb6f6fd0366a21abb

Download Submit
C:\Windows\{5DB43E79-A9DC-43a7-8D21-E4D67CD3402C}.exe

Filesize
168KB

MD5
e4dc2ac00972d45ff229622e2f33e4e4

SHA1
4bff34dd31d6fc831b7e111aa5c748ea56b1b73c

SHA256
93c49042f4a14db140c97999946fad1eceeb0b2a8182b14276a70ada04fbfca1

SHA512
10c57320bc87a08a88ea02e64b6e824dcf59c6f2c3dfc7246e0deb77100ee75ef4ee7e004b128113474d7df51809c9da196c82a380f6a46d10b4b09b003e404a

Download Submit
C:\Windows\{603D7DD2-6C09-4c35-9A1B-17995A27F50D}.exe

Filesize
168KB

MD5
c0e7726fa1d6ada25c6be941e031f07d

SHA1
585de18bcb2c311f8508fd2fd9ae158c294cfd14

SHA256
4fa4d844d92f14cc91742d55fadce88f4953f23da5deb9461288763b234aeb11

SHA512
2788f179b20b4e3dbc48964325388df6407afda8fbd1006bce4845e3d1069b244f98f24a7ee46b0232c0e230d4ca0010c29e14b81d409fedba7b8b38430ae080

Download Submit
C:\Windows\{6086FE6C-37BF-4ffe-A353-B77ED4FE6A4E}.exe

Filesize
168KB

MD5
2341ba1250cbd54ad28159fa025f642c

SHA1
f257696f10c3e3b78424940e76b32031a4dc1025

SHA256
bf2402c758714bfe656fe18a9a5502e86a7c6351a53798940e900908a711a77c

SHA512
341eef4f0c95e7b6e5cf9d4c2f42e4000a2e992ca5a555bb38726d8beae35b9ef528a0703a81057a2428d67e77cc3ae2639a879955ca4fcbf8dde509bb49d509

Download Submit
C:\Windows\{6C94B9C7-5BDE-45e8-BC71-E1C704860269}.exe

Filesize
168KB

MD5
f0e347060b265569d06ab92cbc6ab685

SHA1
6a6ac3cc562c77581c9bd21348dc249d5c73fbcf

SHA256
469818937e050f17e633797eedc575af62c860d9b224439b86e46bb3d411a933

SHA512
eb567e464992323732491779f7e4e61a5bcf1c81701eedafcfd52a3d898d9c0f3e7021de0637e720dfb9871fbd0755f716e00fda2e0c3113d72ade40da74603d

Download Submit
C:\Windows\{B9706356-8D26-4ba4-A26F-F6A088443282}.exe

Filesize
168KB

MD5
6eb5653c84f221e437537c542f543914

SHA1
c54c2148de9a232306e0f5656c3a8ddeeaaa7a3d

SHA256
bcec7ff26ece04501b35e03eb124db1479002625b3a1e9d02428b8b5084faca4

SHA512
053d906f6a01139386aee56af269ce37eb5dbc2d3b19ba63d11546ff5c009b53367f8364efc91b22c381bec5a58707ee5afa0105392e63e17c476deac5e6d665

Download Submit
C:\Windows\{F0E85AB8-729B-4f34-9EC5-CD0506E3AB45}.exe

Filesize
168KB

MD5
e0e8a976e617cc77ec18ef234b52d62c

SHA1
0b78e191270a02f40207acab52a6a41b657f7607

SHA256
cd50ae9879c46c518dc249d0968caf0551a9e6fa775a30fb1d91699bdde72af8

SHA512
79ff0352bca806525fe9e64e0216732f8edad019e0d47a425251d3ea3a9e624db6ade6ceeb9d7de1af343ceb7fb44283492d0465ea7765b46cda2294507856b2

Download Submit
C:\Windows\{F257A46E-64EF-4b13-BF37-325C1E9810AD}.exe

Filesize
168KB

MD5
2fb185fc5d86350c28f4b82b188218b1

SHA1
f3aa3a5a8bcf4376287f5de05c62f0f4d0076d00

SHA256
c9e6a6197a2676452b37f14c5c9e841eeb4ed36c5e46f9afe231056de0361af6

SHA512
c4e99a228539c8ee9f6af0a6228e2ff783a63ff91fd170e8c21730535844709b9b2c78b01033f342a0415577e249208f458e2043e6daf4d1c1a32f36c2c68b68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads