3dc16708197370f0fdab971285923f8a32256611dd3079b6058b331a0645d610

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe
Size

372KB
MD5

ae1d62145d7347f38507af487c6c3189
SHA1

1ed44592dc7cebaf999077e37d7a7d41670ebf9f
SHA256

3dc16708197370f0fdab971285923f8a32256611dd3079b6058b331a0645d610
SHA512

3039ce69cf58b1d30698b1a7e020cbf41e2f2877325b123fda108b5abd85f32a20399ab75f362771e07ec0f5b739d4505822ac6214f06e7879c5a104f5387e4e
SSDEEP

3072:CEGh0o+lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGQlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001226d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016d05-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016d1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000016d1a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d33-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d3b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d33-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d44-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d33-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d44-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}	{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D70C6E0-7596-425c-86D3-66A1310A1447}	{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11214B3D-77E2-4118-9FF5-2777EE01911E}	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11214B3D-77E2-4118-9FF5-2777EE01911E}\stubpath = "C:\\Windows\\{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe"	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}\stubpath = "C:\\Windows\\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe"	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D70C6E0-7596-425c-86D3-66A1310A1447}\stubpath = "C:\\Windows\\{9D70C6E0-7596-425c-86D3-66A1310A1447}.exe"	{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C1B0C38-07FB-4896-A169-3D969406071C}	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DCD772-998D-40d8-9EB4-59C52736B7F4}	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}\stubpath = "C:\\Windows\\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe"	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}\stubpath = "C:\\Windows\\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe"	{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}\stubpath = "C:\\Windows\\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe"	{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}\stubpath = "C:\\Windows\\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe"	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3205CCA8-A089-4873-990C-CD33E7256DCC}\stubpath = "C:\\Windows\\{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe"	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DCD772-998D-40d8-9EB4-59C52736B7F4}\stubpath = "C:\\Windows\\{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe"	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}	{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3205CCA8-A089-4873-990C-CD33E7256DCC}	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C1B0C38-07FB-4896-A169-3D969406071C}\stubpath = "C:\\Windows\\{7C1B0C38-07FB-4896-A169-3D969406071C}.exe"	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}\stubpath = "C:\\Windows\\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe"	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe
744	{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
2964	{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe
2252	{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe
1732	{9D70C6E0-7596-425c-86D3-66A1310A1447}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
File created	C:\Windows\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe
File created	C:\Windows\{9D70C6E0-7596-425c-86D3-66A1310A1447}.exe	{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe
File created	C:\Windows\{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
File created	C:\Windows\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
File created	C:\Windows\{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
File created	C:\Windows\{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
File created	C:\Windows\{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
File created	C:\Windows\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe
File created	C:\Windows\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe	{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
File created	C:\Windows\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe	{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
Token: SeIncBasePriorityPrivilege	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
Token: SeIncBasePriorityPrivilege	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
Token: SeIncBasePriorityPrivilege	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
Token: SeIncBasePriorityPrivilege	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
Token: SeIncBasePriorityPrivilege	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
Token: SeIncBasePriorityPrivilege	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe
Token: SeIncBasePriorityPrivilege	744	{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
Token: SeIncBasePriorityPrivilege	2964	{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe
Token: SeIncBasePriorityPrivilege	2252	{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2568	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	28
PID 1832 wrote to memory of 2568	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	28
PID 1832 wrote to memory of 2568	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	28
PID 1832 wrote to memory of 2568	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	28
PID 1832 wrote to memory of 2616	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	29
PID 1832 wrote to memory of 2616	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	29
PID 1832 wrote to memory of 2616	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	29
PID 1832 wrote to memory of 2616	1832	2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe	29
PID 2568 wrote to memory of 2468	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	30
PID 2568 wrote to memory of 2468	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	30
PID 2568 wrote to memory of 2468	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	30
PID 2568 wrote to memory of 2468	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	30
PID 2568 wrote to memory of 2620	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	31
PID 2568 wrote to memory of 2620	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	31
PID 2568 wrote to memory of 2620	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	31
PID 2568 wrote to memory of 2620	2568	{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe	31
PID 2468 wrote to memory of 2632	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	32
PID 2468 wrote to memory of 2632	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	32
PID 2468 wrote to memory of 2632	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	32
PID 2468 wrote to memory of 2632	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	32
PID 2468 wrote to memory of 2120	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	33
PID 2468 wrote to memory of 2120	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	33
PID 2468 wrote to memory of 2120	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	33
PID 2468 wrote to memory of 2120	2468	{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe	33
PID 2632 wrote to memory of 1020	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	36
PID 2632 wrote to memory of 1020	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	36
PID 2632 wrote to memory of 1020	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	36
PID 2632 wrote to memory of 1020	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	36
PID 2632 wrote to memory of 2528	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	37
PID 2632 wrote to memory of 2528	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	37
PID 2632 wrote to memory of 2528	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	37
PID 2632 wrote to memory of 2528	2632	{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe	37
PID 1020 wrote to memory of 2788	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	38
PID 1020 wrote to memory of 2788	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	38
PID 1020 wrote to memory of 2788	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	38
PID 1020 wrote to memory of 2788	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	38
PID 1020 wrote to memory of 2364	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	39
PID 1020 wrote to memory of 2364	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	39
PID 1020 wrote to memory of 2364	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	39
PID 1020 wrote to memory of 2364	1020	{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe	39
PID 2788 wrote to memory of 1532	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	40
PID 2788 wrote to memory of 1532	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	40
PID 2788 wrote to memory of 1532	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	40
PID 2788 wrote to memory of 1532	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	40
PID 2788 wrote to memory of 2196	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	41
PID 2788 wrote to memory of 2196	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	41
PID 2788 wrote to memory of 2196	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	41
PID 2788 wrote to memory of 2196	2788	{7C1B0C38-07FB-4896-A169-3D969406071C}.exe	41
PID 1532 wrote to memory of 2192	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	42
PID 1532 wrote to memory of 2192	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	42
PID 1532 wrote to memory of 2192	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	42
PID 1532 wrote to memory of 2192	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	42
PID 1532 wrote to memory of 2352	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	43
PID 1532 wrote to memory of 2352	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	43
PID 1532 wrote to memory of 2352	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	43
PID 1532 wrote to memory of 2352	1532	{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe	43
PID 2192 wrote to memory of 744	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	44
PID 2192 wrote to memory of 744	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	44
PID 2192 wrote to memory of 744	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	44
PID 2192 wrote to memory of 744	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	44
PID 2192 wrote to memory of 2828	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	45
PID 2192 wrote to memory of 2828	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	45
PID 2192 wrote to memory of 2828	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	45
PID 2192 wrote to memory of 2828	2192	{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_ae1d62145d7347f38507af487c6c3189_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
  C:\Windows\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
    C:\Windows\{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
      C:\Windows\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
        
        C:\Windows\{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
        
        C:\Windows\{7C1B0C38-07FB-4896-A169-3D969406071C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
        
        C:\Windows\{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe
        
        C:\Windows\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
        
        C:\Windows\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe
        
        C:\Windows\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe
        
        C:\Windows\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{9D70C6E0-7596-425c-86D3-66A1310A1447}.exe
        
        C:\Windows\{9D70C6E0-7596-425c-86D3-66A1310A1447}.exe
        12⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F7C0~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0F87~1.EXE > nul
        11⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D169~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8466B~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27DCD~1.EXE > nul
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C1B0~1.EXE > nul
        7⤵
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3205C~1.EXE > nul
        6⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D03D~1.EXE > nul
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11214~1.EXE > nul
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A05~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D03D3B1-D463-4dc5-B69C-92568F3AA7DE}.exe

Filesize
372KB

MD5
c0923fb4ff8a459d1935cd8190dd14f9

SHA1
fcdc88d4e45069565cb1bda318491cd6704cdd72

SHA256
ed1902c03da719a381049b77ab119b7417e23090166e04d338ac6810622a2aef

SHA512
d75ed2eee32cfd26173596400f7bb9e84e0a9b85cc98fd8b656c1d9226c98952a40072eedbcf335b439b8bd37e6cd59e5d28c965db7f66af3e75ad188d151d04

Download Submit
C:\Windows\{11214B3D-77E2-4118-9FF5-2777EE01911E}.exe

Filesize
372KB

MD5
fb99bac1e7c59f844e3533fe39305a85

SHA1
8422d976c27436f59c5ab760c6bd7c0aefe43885

SHA256
7d2df962af818af7ac024afe707acfe2668ba281b31779d4660d0c9049dc2171

SHA512
df4847a074a4825433cf1beaf5431dfe77ca8f23dd60f079aa5821e85528d08f02c6ae84bc3826f348e0a83b6920cb14e4fa8c50f73e1f875bd7ef5253ecacbb

Download Submit
C:\Windows\{27DCD772-998D-40d8-9EB4-59C52736B7F4}.exe

Filesize
372KB

MD5
a9d397ba7b013038a7114a6eef2760e7

SHA1
6dc9102dc67bd791dd5b85a5ed09793ca9f1ffae

SHA256
e61f1b8ffeb7683682d5bb41d643ed67add2b7b1d8c5d2623892a32393690cd2

SHA512
56c0acc01b2eb2f2d37d4732dd77ef9c168e1844f6272f546bcbc7d12330cea1eabc9b727e16777b648819d50ee2ea3019cad0e780ee85d326ccc9a48676b8d6

Download Submit
C:\Windows\{3205CCA8-A089-4873-990C-CD33E7256DCC}.exe

Filesize
372KB

MD5
e6758872322c1e33ca0935eb791f3709

SHA1
d1700fa7b291bc586a8d93d36382ded934f2ca81

SHA256
01a8e811716b74b32523f07631bb04c7e7bea991dc434d88abbdf28062e08e99

SHA512
15eced3cc805947c9a925bf88bf97c42d1d634fb72528ccbdd180b67cd1b785eeb376d8a5fba4aa1aeab8cdf90b3c6b356c0b63596a3078eeeb9f7ee57d35215

Download Submit
C:\Windows\{6F7C0B33-9DF0-410d-97CD-45AEC294197E}.exe

Filesize
372KB

MD5
b274b015c0fde859bcc8efffb89fcaef

SHA1
00ac1ab2306054eb3ace058aeeca762c28ce1d4e

SHA256
99508d42fd4c1090c2138105ccddfee13798296ec544348d123af5c589a59867

SHA512
5e845a263c59bb37465b51c5c967640dc00d95757bfd5e7667ec387674bde6c456288ad8dd4d10cfce8263a80663a43bbe336a308f82658b91940bf5a785b077

Download Submit
C:\Windows\{7C1B0C38-07FB-4896-A169-3D969406071C}.exe

Filesize
372KB

MD5
76944457c39981f2c64810ff26b0cf5a

SHA1
3ebbf8ce2ba0fd3872506de57ae60f8b52505128

SHA256
9f8e9981432e8b4589a2df51c0c6c9c32ab34099d51f544a53b0fca5ea72bfba

SHA512
6a15587f3f2108f9ffc9866520f688d4d484f3cd10b11fed4b85387252f02a5da3880494fedb59071910dd349546f3dd900ade6d39b8e8a619dd4ed859590298

Download Submit
C:\Windows\{8466B47C-92C3-4d71-B5EA-B8AE0BCC75BD}.exe

Filesize
372KB

MD5
38e280a691d6369bc2d5cc3dd69e14bb

SHA1
11c6b7455b78e094b4a73381c5ec96271128598a

SHA256
2dfbcb034b3aa5a9dd5157a5206e96bcdc4332d1ec5de2dbe800ec8a1c950fba

SHA512
dc20561f522c01f30ee8cc7ae5cf7a190f2aa36f762a07593edeb7ff0903ee7868f1e582272b0d2db928a4cfd196c2b9f7f360a37ed158ff3bf3cfaaf9bf1feb

Download Submit
C:\Windows\{9D1693AB-6329-4382-B14A-E33AC0EA8F69}.exe

Filesize
372KB

MD5
5947ca33d1279a2ef788c9c9c337d391

SHA1
9a43b844b817777beaaa1913af76879b79f67b22

SHA256
84cffb00fe58add981204d47388aa19a85ad79d6022e883a50e7d5290f7bbc2b

SHA512
2b0ccdf1194255d418324d38ac14090ba4a004270480dc2cff6432073386bee4522301eaa8d6344e2f2f74e70938875091382185c6e66f26f3fe2e534ece2ef6

Download Submit
C:\Windows\{9D70C6E0-7596-425c-86D3-66A1310A1447}.exe

Filesize
372KB

MD5
e42233524580a5845aaeb1129d47a6c5

SHA1
7bdf462823ac13476421f05d35b4847b6c1727ed

SHA256
4f7045ce4f1ab1ab8969749c4469c3190648026d9cc6d3ec1f25a7823f150b11

SHA512
710c039967d8e9627237ee78ece4a99c4006869ceda4ec37324caafcb93b090d0ae86a60661dc50a4cd1b7c7a873877dd12101368577349815072a47bfe9f5bb

Download Submit
C:\Windows\{A0F87BF2-A44C-42bc-BD4D-1CA66C38D9AE}.exe

Filesize
372KB

MD5
6ede97e91fcab4ae329aad335a644775

SHA1
cac93d6d8e5696f141062027b347bf979e7d8ed1

SHA256
8cede84e159ac0cb0a5345e52b5fbcc94fc4a0b4f647e55d97e21afa392d9f46

SHA512
9d94e39166dc71b3597b122d188fa005c103a4dcf107c574687b35cd0da6d4e135482c20984b33b26031944aa5a3f3c510ebb4d46bd439e2eaa957819cc4266f

Download Submit
C:\Windows\{C2A0513E-41B8-449c-BFAB-07CAEC66FB99}.exe

Filesize
372KB

MD5
4997fca1626d3aac50b440515fb7d518

SHA1
f39b830a686f3a564db9684e0d55274d1c26452c

SHA256
97381a10fee2d537876610c0c5b9a647e20bef6d89bd9d4fe415dce3e6d576e3

SHA512
a13810305d577534bd613462713bf187bb7d3ad879d262ed18e94f7b7ce13bceadc7f66ff045ddb1d349e9eaa182ef885b6560fc66c005f0b79f3bf6acf86c9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads