53f4753fec1757b46c33fa866398d1a1b59e407337df5276bda8c65676bd0bf8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 13:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe
Size

168KB
MD5

8537c79c4b637ae1b29336c822b03c74
SHA1

b10d14a936f86e244cab3065a8c0d51cb604baea
SHA256

53f4753fec1757b46c33fa866398d1a1b59e407337df5276bda8c65676bd0bf8
SHA512

c45bf7feb6a0fd73967b02ced5b88155e9dba01c79eab87139fcbfc078756cfaec330b94bf3ca5a55df17ae5b6a2ba13616a5a9bdb57d3e960e2e36fff71a51d
SSDEEP

1536:1EGh0o0lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001232e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014665-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001232e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000014701-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001232e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001232e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001232e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAD116D8-124B-440c-BAAB-42F77DC10386}	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}	{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184765EE-9EAF-4ca7-8E65-22158D959222}\stubpath = "C:\\Windows\\{184765EE-9EAF-4ca7-8E65-22158D959222}.exe"	{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}\stubpath = "C:\\Windows\\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe"	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}\stubpath = "C:\\Windows\\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe"	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7576E380-9E27-48d5-9BFC-24220A590F4B}	{184765EE-9EAF-4ca7-8E65-22158D959222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}\stubpath = "C:\\Windows\\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe"	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184765EE-9EAF-4ca7-8E65-22158D959222}	{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7576E380-9E27-48d5-9BFC-24220A590F4B}\stubpath = "C:\\Windows\\{7576E380-9E27-48d5-9BFC-24220A590F4B}.exe"	{184765EE-9EAF-4ca7-8E65-22158D959222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}\stubpath = "C:\\Windows\\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe"	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}\stubpath = "C:\\Windows\\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe"	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAD116D8-124B-440c-BAAB-42F77DC10386}\stubpath = "C:\\Windows\\{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe"	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}\stubpath = "C:\\Windows\\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe"	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}\stubpath = "C:\\Windows\\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe"	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}\stubpath = "C:\\Windows\\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe"	{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
2852	{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe
832	{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
2356	{184765EE-9EAF-4ca7-8E65-22158D959222}.exe
504	{7576E380-9E27-48d5-9BFC-24220A590F4B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe
File created	C:\Windows\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
File created	C:\Windows\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
File created	C:\Windows\{184765EE-9EAF-4ca7-8E65-22158D959222}.exe	{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
File created	C:\Windows\{7576E380-9E27-48d5-9BFC-24220A590F4B}.exe	{184765EE-9EAF-4ca7-8E65-22158D959222}.exe
File created	C:\Windows\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
File created	C:\Windows\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
File created	C:\Windows\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
File created	C:\Windows\{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
File created	C:\Windows\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
File created	C:\Windows\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe	{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
Token: SeIncBasePriorityPrivilege	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
Token: SeIncBasePriorityPrivilege	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
Token: SeIncBasePriorityPrivilege	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
Token: SeIncBasePriorityPrivilege	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
Token: SeIncBasePriorityPrivilege	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
Token: SeIncBasePriorityPrivilege	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
Token: SeIncBasePriorityPrivilege	2852	{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe
Token: SeIncBasePriorityPrivilege	832	{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
Token: SeIncBasePriorityPrivilege	2356	{184765EE-9EAF-4ca7-8E65-22158D959222}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3060	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	28
PID 2880 wrote to memory of 3060	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	28
PID 2880 wrote to memory of 3060	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	28
PID 2880 wrote to memory of 3060	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	28
PID 2880 wrote to memory of 2872	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	29
PID 2880 wrote to memory of 2872	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	29
PID 2880 wrote to memory of 2872	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	29
PID 2880 wrote to memory of 2872	2880	2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe	29
PID 3060 wrote to memory of 2640	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	30
PID 3060 wrote to memory of 2640	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	30
PID 3060 wrote to memory of 2640	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	30
PID 3060 wrote to memory of 2640	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	30
PID 3060 wrote to memory of 2688	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	31
PID 3060 wrote to memory of 2688	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	31
PID 3060 wrote to memory of 2688	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	31
PID 3060 wrote to memory of 2688	3060	{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe	31
PID 2640 wrote to memory of 2696	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	32
PID 2640 wrote to memory of 2696	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	32
PID 2640 wrote to memory of 2696	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	32
PID 2640 wrote to memory of 2696	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	32
PID 2640 wrote to memory of 2588	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	33
PID 2640 wrote to memory of 2588	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	33
PID 2640 wrote to memory of 2588	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	33
PID 2640 wrote to memory of 2588	2640	{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe	33
PID 2696 wrote to memory of 2980	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	36
PID 2696 wrote to memory of 2980	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	36
PID 2696 wrote to memory of 2980	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	36
PID 2696 wrote to memory of 2980	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	36
PID 2696 wrote to memory of 1260	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	37
PID 2696 wrote to memory of 1260	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	37
PID 2696 wrote to memory of 1260	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	37
PID 2696 wrote to memory of 1260	2696	{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe	37
PID 2980 wrote to memory of 2864	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	38
PID 2980 wrote to memory of 2864	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	38
PID 2980 wrote to memory of 2864	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	38
PID 2980 wrote to memory of 2864	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	38
PID 2980 wrote to memory of 2964	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	39
PID 2980 wrote to memory of 2964	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	39
PID 2980 wrote to memory of 2964	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	39
PID 2980 wrote to memory of 2964	2980	{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe	39
PID 2864 wrote to memory of 2604	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	40
PID 2864 wrote to memory of 2604	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	40
PID 2864 wrote to memory of 2604	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	40
PID 2864 wrote to memory of 2604	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	40
PID 2864 wrote to memory of 2116	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	41
PID 2864 wrote to memory of 2116	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	41
PID 2864 wrote to memory of 2116	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	41
PID 2864 wrote to memory of 2116	2864	{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe	41
PID 2604 wrote to memory of 1584	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	42
PID 2604 wrote to memory of 1584	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	42
PID 2604 wrote to memory of 1584	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	42
PID 2604 wrote to memory of 1584	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	42
PID 2604 wrote to memory of 2624	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	43
PID 2604 wrote to memory of 2624	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	43
PID 2604 wrote to memory of 2624	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	43
PID 2604 wrote to memory of 2624	2604	{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe	43
PID 1584 wrote to memory of 2852	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	44
PID 1584 wrote to memory of 2852	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	44
PID 1584 wrote to memory of 2852	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	44
PID 1584 wrote to memory of 2852	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	44
PID 1584 wrote to memory of 1704	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	45
PID 1584 wrote to memory of 1704	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	45
PID 1584 wrote to memory of 1704	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	45
PID 1584 wrote to memory of 1704	1584	{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_8537c79c4b637ae1b29336c822b03c74_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
  C:\Windows\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
    C:\Windows\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
      C:\Windows\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
        
        C:\Windows\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
        
        C:\Windows\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
        
        C:\Windows\{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
        
        C:\Windows\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe
        
        C:\Windows\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
        
        C:\Windows\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{184765EE-9EAF-4ca7-8E65-22158D959222}.exe
        
        C:\Windows\{184765EE-9EAF-4ca7-8E65-22158D959222}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{7576E380-9E27-48d5-9BFC-24220A590F4B}.exe
        
        C:\Windows\{7576E380-9E27-48d5-9BFC-24220A590F4B}.exe
        12⤵
        Executes dropped EXE
        
        PID:504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18476~1.EXE > nul
        12⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87390~1.EXE > nul
        11⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9C95~1.EXE > nul
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFA8F~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAD11~1.EXE > nul
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5399B~1.EXE > nul
        7⤵
        
        PID:2116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC1D~1.EXE > nul
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{520EA~1.EXE > nul
        5⤵
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB82C~1.EXE > nul
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA6F~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{184765EE-9EAF-4ca7-8E65-22158D959222}.exe

Filesize
168KB

MD5
265cd07739384b5966e847cb7e639273

SHA1
b40484f8340bdef13cb763bd2012a59f6e0dd197

SHA256
08d61c394603121c71d3bdc59ad6a998ec9c8165e6942d949bbab06764f8468d

SHA512
3a6a277ad032f53a637eae81d77645d41327ef0d489641f7f802882bdbc67589a8b8f80b760ecc69fd2d89c712c9c45160bf10f102b271498c2a9705e9f97030

Download Submit
C:\Windows\{3BC1D400-8088-4eb3-9A73-550CAA2901DD}.exe

Filesize
168KB

MD5
74aae58dbf859fd75e5a2afa2c9bd3f8

SHA1
3e601ec38cffb81edb0e947ab090ba81dde8acbe

SHA256
63bd92c4eeb5f5ff8c0943f04ee3e84b4db6f113078fd31636fa085cee3a16c5

SHA512
32f813e505baa943fe4672e259e48c05295642b3dd510ab0637653cacf504ff50eab6fe10ded36f538fca25a72ce6832390b8fbbcb9b27714e2b25f17a050d0f

Download Submit
C:\Windows\{520EADE7-E2AB-4fd9-9D10-5EE8A836BB15}.exe

Filesize
168KB

MD5
18e1822eb89eb1456146ad9abd0a0fa8

SHA1
5437b15925a200d057ecc0ae2f19d82b52673f21

SHA256
a50ce045a6919f6b27ecb79fd79f3d340e6bd7d316e5de00736aec13ed5bda34

SHA512
01a3fbb45e53a63d4a403792b433a9a5193589d89ffbc4c38b65b177f55d0b09d057d044ff7e16a0d968bcb751dfd0069454a7b81c2deae64d041617ff39c308

Download Submit
C:\Windows\{5399BAD7-D4AE-4dad-950E-12F1B949D42D}.exe

Filesize
168KB

MD5
7fd4e3cba8fbb7c520334b0273545b64

SHA1
78d5ec2a84b42e4d9f967ddaef940838cf292a66

SHA256
cd0065ed33c4b34da7703258975c96408a38085c4608df3812241040e377cb08

SHA512
cceb1fc4d1b9d64b23a46a5b07828f8244419d5ec4a3ceea4e4142a83b686ac3e6653b23257d33462d21ae2f8ea78eaeddfd175cfea16054d9c4770906dee114

Download Submit
C:\Windows\{7576E380-9E27-48d5-9BFC-24220A590F4B}.exe

Filesize
168KB

MD5
e6e3c17ff1434d3be5d9dccf53605371

SHA1
ac046f5bdd245919ea2ca20868d62229602449f1

SHA256
9c0224a28a2209bcf1829850b59c1aab8e73c22779d1a5adba4d5b59c5d09114

SHA512
da272aa5d9650c024f1af42a9c407b56257cc54ccc6d1a018f912ff90b127e17957df796e9be502b2523df1b756843ba7a0bb67ad203148fe1c806a5a7d859b1

Download Submit
C:\Windows\{7DA6FA82-2A17-420e-B106-EEAAC776F6B5}.exe

Filesize
168KB

MD5
c46ad1642f173f8520c53694427d75a5

SHA1
67dbb65cef440e752abe357165a734d76f86fb9c

SHA256
42dc92f49c3632b62a15aaab1b376f829e77290e469eebd7c306c695ff710944

SHA512
b9d034946753829c58bf401936337d861e6ec66ff87a848a11b03478e303659c391f37df3574725aee52cb90fa7497a7acb18d5eaf936ff63c02a3301109fcc7

Download Submit
C:\Windows\{873904DE-749E-4516-9FBC-78D3C2BC6AB3}.exe

Filesize
168KB

MD5
edb5256d069cad30cf97f017ad96497d

SHA1
4586231b2accc8cea6dd144d20802d368b61516d

SHA256
05bc0dd1af04a2e039a9bc98d8c13ee35d6e88b321c50ac319c7503410654c4e

SHA512
76f1744484da608f4fba0f83835597d3dc1e406ef055326cc1a3e1eb2752abfd9408dfda515eba8674d176ff02ffb1a8063814acb2a7dda6e9bdf7c0df556a4e

Download Submit
C:\Windows\{A9C9519F-C820-4ef7-B508-B7F10F93B1CA}.exe

Filesize
168KB

MD5
243b398bfcdc30aedfe936aa6568ea73

SHA1
dc6c034b0e27d418cfe75a68840b72c576131874

SHA256
240403237185a737b75f5f4b5e3be87171b47b48c4383816c2c6098b11997a6c

SHA512
530f61b5b07741cac5aef5bfa7f177e8aeedfce0b2b6641faf12cafff673123fe6c0177ad6652cbf62ca1dc148e6b798c0c14cef238d5b64add8a165d5c9e67f

Download Submit
C:\Windows\{BAD116D8-124B-440c-BAAB-42F77DC10386}.exe

Filesize
168KB

MD5
99dcb3ed9d67c354746ca3ecb8fe05fc

SHA1
13b1b61f76ab7dd87777bd99d727cb5f1cfa4520

SHA256
a930377b7caaca84fdcccc4c81e2f7371147a72ca6ebc3b4e6a243d49414d5a7

SHA512
d2b861356b4c662b1da00cadcb1a5c8e0610dc5b364c39ce20c3f2869d0b68872c3340ab2809714004bb3eb6af45963fcae24be5ffbe9755bf506b85fb502e38

Download Submit
C:\Windows\{BFA8F8E3-7727-41b7-8F42-D8CF23987B3F}.exe

Filesize
168KB

MD5
6c517ec7684f8cd9fd2a3dec61d2fe84

SHA1
0dc384ee2cea9ac545ff148e1d758e08cfed0393

SHA256
7868d3c5697eb006b5f2f79d2e1195d60939d88ea45f5bb8fe7177a78b6957f0

SHA512
1c031d920d03e0e3ca94d65fec057ef61fd0bf4f2976970d74b97a88a91e42e66e055d09f38e8b3d670161efd81768d1d667a120ef97e53d91fa21b04f8ff5e8

Download Submit
C:\Windows\{EB82CD9D-5E03-4959-94AF-9935FBA8FECE}.exe

Filesize
168KB

MD5
62bca71cb55eead2e393be7264e1f51e

SHA1
3a9802abd6c811246834262fa3a2c50247439ead

SHA256
8be78d11be2b529eb3e94e21b903360dae99becce035955f7c2d389e64404482

SHA512
fbf911229d66cf8a2b99e82134d5cf8bbb7b8430c38273080c2c2471e1188549627967a3b5d333f17d64e642c2f04ac3efb68dfb36b465f6da2dc768bfb0b26c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads