eb1e24422cd0f0a9cd01a3b603c345ef45a0ccdb98ecbcf35ec3d07ea0b945ac

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Size

408KB
MD5

4196b372f59b0b37088c30655ac6c6b5
SHA1

3edf03d75127c32995b1914601af564acb3ee2ab
SHA256

eb1e24422cd0f0a9cd01a3b603c345ef45a0ccdb98ecbcf35ec3d07ea0b945ac
SHA512

2743d99fc7a9b6c2ad0bc490272e72e77400fbfaa78ffebde27bfa5c418edc58f1b886869449d8b281fec277a9b43067533da93e0a5f8ad3185dad9fb2f37be5
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGSldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014abe-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014abe-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155ed-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014abe-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014abe-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014abe-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43F47F34-5693-4a72-936B-70C34B6C398D}	{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B1521C-FF0A-444a-AC57-087AED84E183}\stubpath = "C:\\Windows\\{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe"	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}\stubpath = "C:\\Windows\\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe"	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}\stubpath = "C:\\Windows\\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe"	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60FCD248-84E2-4b2a-98F9-8850D22117D0}	{B3975136-17EA-473f-8633-4883709CF8FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27642980-4B6F-4b08-A91C-B5B9598023EA}	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B1521C-FF0A-444a-AC57-087AED84E183}	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}\stubpath = "C:\\Windows\\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe"	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EE8BBEE-6FAC-4085-B922-889459B50E88}	{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43F47F34-5693-4a72-936B-70C34B6C398D}\stubpath = "C:\\Windows\\{43F47F34-5693-4a72-936B-70C34B6C398D}.exe"	{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}\stubpath = "C:\\Windows\\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}.exe"	{43F47F34-5693-4a72-936B-70C34B6C398D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27642980-4B6F-4b08-A91C-B5B9598023EA}\stubpath = "C:\\Windows\\{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe"	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3975136-17EA-473f-8633-4883709CF8FD}	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3975136-17EA-473f-8633-4883709CF8FD}\stubpath = "C:\\Windows\\{B3975136-17EA-473f-8633-4883709CF8FD}.exe"	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60FCD248-84E2-4b2a-98F9-8850D22117D0}\stubpath = "C:\\Windows\\{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe"	{B3975136-17EA-473f-8633-4883709CF8FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}\stubpath = "C:\\Windows\\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe"	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EE8BBEE-6FAC-4085-B922-889459B50E88}\stubpath = "C:\\Windows\\{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe"	{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}	{43F47F34-5693-4a72-936B-70C34B6C398D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe
2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe
2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
2376	{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
2532	{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
2228	{43F47F34-5693-4a72-936B-70C34B6C398D}.exe
1472	{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
File created	C:\Windows\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe
File created	C:\Windows\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
File created	C:\Windows\{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	{B3975136-17EA-473f-8633-4883709CF8FD}.exe
File created	C:\Windows\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
File created	C:\Windows\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
File created	C:\Windows\{B3975136-17EA-473f-8633-4883709CF8FD}.exe	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
File created	C:\Windows\{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
File created	C:\Windows\{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe	{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
File created	C:\Windows\{43F47F34-5693-4a72-936B-70C34B6C398D}.exe	{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
File created	C:\Windows\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}.exe	{43F47F34-5693-4a72-936B-70C34B6C398D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe
Token: SeIncBasePriorityPrivilege	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
Token: SeIncBasePriorityPrivilege	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
Token: SeIncBasePriorityPrivilege	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe
Token: SeIncBasePriorityPrivilege	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
Token: SeIncBasePriorityPrivilege	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
Token: SeIncBasePriorityPrivilege	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
Token: SeIncBasePriorityPrivilege	2376	{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
Token: SeIncBasePriorityPrivilege	2532	{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
Token: SeIncBasePriorityPrivilege	2228	{43F47F34-5693-4a72-936B-70C34B6C398D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1276	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	28
PID 1848 wrote to memory of 1276	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	28
PID 1848 wrote to memory of 1276	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	28
PID 1848 wrote to memory of 1276	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	28
PID 1848 wrote to memory of 2704	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	29
PID 1848 wrote to memory of 2704	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	29
PID 1848 wrote to memory of 2704	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	29
PID 1848 wrote to memory of 2704	1848	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	29
PID 1276 wrote to memory of 2540	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	30
PID 1276 wrote to memory of 2540	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	30
PID 1276 wrote to memory of 2540	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	30
PID 1276 wrote to memory of 2540	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	30
PID 1276 wrote to memory of 2624	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	31
PID 1276 wrote to memory of 2624	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	31
PID 1276 wrote to memory of 2624	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	31
PID 1276 wrote to memory of 2624	1276	{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe	31
PID 2540 wrote to memory of 2676	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	32
PID 2540 wrote to memory of 2676	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	32
PID 2540 wrote to memory of 2676	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	32
PID 2540 wrote to memory of 2676	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	32
PID 2540 wrote to memory of 2440	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	33
PID 2540 wrote to memory of 2440	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	33
PID 2540 wrote to memory of 2440	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	33
PID 2540 wrote to memory of 2440	2540	{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe	33
PID 2676 wrote to memory of 2464	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	36
PID 2676 wrote to memory of 2464	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	36
PID 2676 wrote to memory of 2464	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	36
PID 2676 wrote to memory of 2464	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	36
PID 2676 wrote to memory of 2732	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	37
PID 2676 wrote to memory of 2732	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	37
PID 2676 wrote to memory of 2732	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	37
PID 2676 wrote to memory of 2732	2676	{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe	37
PID 2464 wrote to memory of 2868	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	38
PID 2464 wrote to memory of 2868	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	38
PID 2464 wrote to memory of 2868	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	38
PID 2464 wrote to memory of 2868	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	38
PID 2464 wrote to memory of 1604	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	39
PID 2464 wrote to memory of 1604	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	39
PID 2464 wrote to memory of 1604	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	39
PID 2464 wrote to memory of 1604	2464	{B3975136-17EA-473f-8633-4883709CF8FD}.exe	39
PID 2868 wrote to memory of 1736	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	40
PID 2868 wrote to memory of 1736	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	40
PID 2868 wrote to memory of 1736	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	40
PID 2868 wrote to memory of 1736	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	40
PID 2868 wrote to memory of 2192	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	41
PID 2868 wrote to memory of 2192	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	41
PID 2868 wrote to memory of 2192	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	41
PID 2868 wrote to memory of 2192	2868	{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe	41
PID 1736 wrote to memory of 1644	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	42
PID 1736 wrote to memory of 1644	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	42
PID 1736 wrote to memory of 1644	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	42
PID 1736 wrote to memory of 1644	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	42
PID 1736 wrote to memory of 936	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	43
PID 1736 wrote to memory of 936	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	43
PID 1736 wrote to memory of 936	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	43
PID 1736 wrote to memory of 936	1736	{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe	43
PID 1644 wrote to memory of 2376	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	44
PID 1644 wrote to memory of 2376	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	44
PID 1644 wrote to memory of 2376	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	44
PID 1644 wrote to memory of 2376	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	44
PID 1644 wrote to memory of 1512	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	45
PID 1644 wrote to memory of 1512	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	45
PID 1644 wrote to memory of 1512	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	45
PID 1644 wrote to memory of 1512	1644	{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe
  C:\Windows\{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
    C:\Windows\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
      C:\Windows\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{B3975136-17EA-473f-8633-4883709CF8FD}.exe
        
        C:\Windows\{B3975136-17EA-473f-8633-4883709CF8FD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
        
        C:\Windows\{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
        
        C:\Windows\{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
        
        C:\Windows\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
        
        C:\Windows\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
        
        C:\Windows\{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{43F47F34-5693-4a72-936B-70C34B6C398D}.exe
        
        C:\Windows\{43F47F34-5693-4a72-936B-70C34B6C398D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}.exe
        
        C:\Windows\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F47~1.EXE > nul
        12⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE8B~1.EXE > nul
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B1B~1.EXE > nul
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A98C3~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27642~1.EXE > nul
        8⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FCD~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3975~1.EXE > nul
        6⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E0C~1.EXE > nul
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE1B~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8B15~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EE8BBEE-6FAC-4085-B922-889459B50E88}.exe

Filesize
408KB

MD5
df6ecef7a3f058ebb0573b2778e16502

SHA1
cd8b133fa6d58dbdce784ee3d05c399aa03cecf4

SHA256
f1b2118e9d2c039930e5924d77899704dc1c2f2b6ff16193091310719f17ad49

SHA512
fa36f8bbb30fc2c501b65ca33d73161f9a31c73d2ba3fcc9d17267762c5171dafe4a551d3d1840deda0af0d8f54d341f92fcd16e0e84e5bbcef84227aeed4321

Download Submit
C:\Windows\{27642980-4B6F-4b08-A91C-B5B9598023EA}.exe

Filesize
408KB

MD5
124241cf162ae6a7ccb7a50dcf9b8232

SHA1
e1ad2d23d567669283e7c1d7fd2384340de11592

SHA256
8c4f5291fa068e295bd063940bc290b55c398a204de335337363fb69f965c9bc

SHA512
082564d10470a6e20175459be75cde43af6f8468da6820bb78e218fbe2696599814c43828b0be64eb5a7845333d3441dda9c703bdf18d5cb786635dc22700cd6

Download Submit
C:\Windows\{2DE1BB20-B43B-4c0b-A7F5-D125C303275E}.exe

Filesize
408KB

MD5
b1c7f51cb234a30dbe563c5c435afc91

SHA1
7b1d8aa76a5a851c67cb2b79ac4bf94698fb289a

SHA256
2b81e7c85e2f84df551f80c4649bdc543701715eb2980146cf1b49d16b1a8bc5

SHA512
5d6c4b2c4e20ba6afe793a513b7ae129cc2f1faaa232e796de1e8779f43392fb33229880aadeaee2ffabc69c3d29d8d986328418c917962c779fb489e54d0035

Download Submit
C:\Windows\{43F47F34-5693-4a72-936B-70C34B6C398D}.exe

Filesize
408KB

MD5
9e971d6092e76b01e7ec60807a2e22df

SHA1
fd6f9185b8c875141c0b51e51dc05ed6a144e490

SHA256
4a80371702503f808cf8c25474961fdfc0c32f22873b861728a2199719063c14

SHA512
87c8cfb842229e4dc2b748eb8de937c991472f53bafe9271f0d372e240e9570bfb5a98c823eda9d2cea2ebc2cfaf1485f5f3e625ea8eb6322eb825a103dbe5a2

Download Submit
C:\Windows\{45B1BED7-0C4A-48c3-9BF8-3A362F7E7538}.exe

Filesize
408KB

MD5
ea318ab51445a5653e65d2c4784af1d2

SHA1
ef459b6b8e4aa38afe63554e5900b79d23910819

SHA256
15432a6e2b82fb3fae74aea167a762bbc3fc8e59b45189754c6a401f9adab4f2

SHA512
a54d935dee890960d23acbfc6e9dee07d77661d7c64f329082c177977d1fdb02e6e3c670567e7f42948d450c0ea970b620d4f18a02713e0306457467d03d73ab

Download Submit
C:\Windows\{60FCD248-84E2-4b2a-98F9-8850D22117D0}.exe

Filesize
408KB

MD5
957c4c1e2bcb3e4260be1b994992411c

SHA1
4bf9dfd77fb753968ac30ea722e1495fdb1c452f

SHA256
2585333bbe4791331adc1f37b29d192b5bceaf3c375b2860e850345740095fa5

SHA512
f5961fb6bdc5946b6cb693653359b4e04b93bd372d5b57dad94b596895ea03995ae5b5e23544d4a8be7bb46104fe0fb29e40f3f91d75997929561b871ca047bb

Download Submit
C:\Windows\{96A50F55-8E6F-4f84-95D7-086EDA3F02B1}.exe

Filesize
408KB

MD5
178aa314458bb318a0b98908f028d5bb

SHA1
738030dd0d4695e58d63d0f7bc1823424576a304

SHA256
5498c7754198d6b0b0730b62fb4be5ed894ec2f7bbc64dcf7a049596fb8548a1

SHA512
991f7c130253de97dde7cdc0965dec8b3113f441455d5b8c3a4dcfc6279a25ab7cd9b1eafbc659bba1c43e67b8042a8bef70ec1562bfcf6b993dcaa10281b743

Download Submit
C:\Windows\{A98C3E53-A8AA-4bed-95E8-E927AB17FD76}.exe

Filesize
408KB

MD5
038b48681f717d0ecfb5cb0c6d70f9d2

SHA1
1011fee70fa1f6c45fb86d6d5c0b19217f30463e

SHA256
64ed2c497e9dc6956391174e423eb142a402e2aeaef4e9fa45d3b3bdd380361f

SHA512
06c9d0f8a1f006d778cdce05057d6711295cca0596f99d548390c910b36d5dab2affed8106ed77ac15909cb570514267159d2deb2463e3fb964d7ca80f53832a

Download Submit
C:\Windows\{B3975136-17EA-473f-8633-4883709CF8FD}.exe

Filesize
408KB

MD5
8ac9bf21f6168566d112522264b98682

SHA1
946cb31c818e85e08f10e1902be2796e8e5991fd

SHA256
b6e0f6ac0fc927400ad7547097b890a0f76b68a537af8fce466cd4c687a03937

SHA512
d5772bbb82f9cd6da025efc8173234784c06f34f6f5a714c5baace111f713819540e9c1f6e5af9b0e4ab084efa106a8d9eba096242ed26227ad2716bcd79872d

Download Submit
C:\Windows\{B8B1521C-FF0A-444a-AC57-087AED84E183}.exe

Filesize
408KB

MD5
e73e98f7da9dee0594f0654e25da64ec

SHA1
f8569ae9f075fc6a221d218f40cc3a8fde0af9bd

SHA256
301966ed648a1c6890c1369293c78a2329bdfd8bc793e146d943f22e93e06428

SHA512
7e842ff95394cd77c8e4bb127832d96a3a56385d33a4310a1474b1b346071864187b00fed57b21605f1515c2607463db5c819e11f91d38824a8ee3bd4114fcf7

Download Submit
C:\Windows\{D0E0C0FC-24C2-447c-8FA7-9DC1CD1DF27D}.exe

Filesize
408KB

MD5
85d7dc1313eba0cfb14a537c39af1135

SHA1
cb1dc8de3629101eec996b6c675413075ff57128

SHA256
51d1dc91fbcf47b55b27961fd7b5fa4975775ca5736b9e81b58644a6b7e97df2

SHA512
09d9a4d263826e97f71debd810d5f0a82850e00ef148c524e5efd73d3a4edf634ab073a1a7cdbd46e873a7709691b93ccc3656aec66030cd41055ddf8200b96a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads