c7f7a7ddc0c84f60366206b41c11ec34c73094fc8718a3c358dadec33ba5a837

Resubmissions

17/10/2024, 23:31

241017-3h5elssfqg 8

31/05/2024, 04:49

240531-ffsxgagf35 10

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
Size

180KB
MD5

325ad5cab02211ba043f6a1ec096bc26
SHA1

50d54c83f2a838652bef7e12981a8576527d2113
SHA256

c7f7a7ddc0c84f60366206b41c11ec34c73094fc8718a3c358dadec33ba5a837
SHA512

e08b85acb7fcf1845d5b2194db1591c3ebf1c98fad8c174fa7e86807407a382dc8a876fe990eff7e35d762e6e69ab71d1c5604d0402934339a2678fddc816ab1
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012334-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f0000000146e6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012334-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014708-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012334-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012334-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012334-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFE8B0C3-1F92-48df-B386-3334C629C343}	{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFE8B0C3-1F92-48df-B386-3334C629C343}\stubpath = "C:\\Windows\\{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe"	{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211AB361-D8C4-43eb-AB21-07A40F13A24B}	{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5569C590-4980-4aa6-B5F0-EF211587C7FC}	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D82D8819-BFFD-4410-A635-76841B1853BA}\stubpath = "C:\\Windows\\{D82D8819-BFFD-4410-A635-76841B1853BA}.exe"	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5569C590-4980-4aa6-B5F0-EF211587C7FC}\stubpath = "C:\\Windows\\{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe"	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}\stubpath = "C:\\Windows\\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe"	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}\stubpath = "C:\\Windows\\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe"	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}\stubpath = "C:\\Windows\\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe"	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}\stubpath = "C:\\Windows\\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe"	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7479B23-535D-4d12-B7B4-985145370CC4}	{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211AB361-D8C4-43eb-AB21-07A40F13A24B}\stubpath = "C:\\Windows\\{211AB361-D8C4-43eb-AB21-07A40F13A24B}.exe"	{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53575BB0-E7C9-442f-B42A-306D2DF049CF}	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53575BB0-E7C9-442f-B42A-306D2DF049CF}\stubpath = "C:\\Windows\\{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe"	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13336EBD-9B9D-455c-8F0C-277B79098DCB}\stubpath = "C:\\Windows\\{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe"	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D82D8819-BFFD-4410-A635-76841B1853BA}	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7479B23-535D-4d12-B7B4-985145370CC4}\stubpath = "C:\\Windows\\{B7479B23-535D-4d12-B7B4-985145370CC4}.exe"	{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13336EBD-9B9D-455c-8F0C-277B79098DCB}	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe
2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
2228	{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
2392	{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
2824	{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe
1168	{211AB361-D8C4-43eb-AB21-07A40F13A24B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{211AB361-D8C4-43eb-AB21-07A40F13A24B}.exe	{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe
File created	C:\Windows\{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
File created	C:\Windows\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
File created	C:\Windows\{B7479B23-535D-4d12-B7B4-985145370CC4}.exe	{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
File created	C:\Windows\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
File created	C:\Windows\{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
File created	C:\Windows\{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
File created	C:\Windows\{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe	{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
File created	C:\Windows\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
File created	C:\Windows\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
File created	C:\Windows\{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
Token: SeIncBasePriorityPrivilege	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe
Token: SeIncBasePriorityPrivilege	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
Token: SeIncBasePriorityPrivilege	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
Token: SeIncBasePriorityPrivilege	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
Token: SeIncBasePriorityPrivilege	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
Token: SeIncBasePriorityPrivilege	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
Token: SeIncBasePriorityPrivilege	2228	{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
Token: SeIncBasePriorityPrivilege	2392	{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
Token: SeIncBasePriorityPrivilege	2824	{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2188	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	28
PID 1984 wrote to memory of 2188	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	28
PID 1984 wrote to memory of 2188	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	28
PID 1984 wrote to memory of 2188	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	28
PID 1984 wrote to memory of 2932	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	29
PID 1984 wrote to memory of 2932	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	29
PID 1984 wrote to memory of 2932	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	29
PID 1984 wrote to memory of 2932	1984	2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe	29
PID 2188 wrote to memory of 2644	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	30
PID 2188 wrote to memory of 2644	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	30
PID 2188 wrote to memory of 2644	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	30
PID 2188 wrote to memory of 2644	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	30
PID 2188 wrote to memory of 2684	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	31
PID 2188 wrote to memory of 2684	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	31
PID 2188 wrote to memory of 2684	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	31
PID 2188 wrote to memory of 2684	2188	{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe	31
PID 2644 wrote to memory of 2736	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	32
PID 2644 wrote to memory of 2736	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	32
PID 2644 wrote to memory of 2736	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	32
PID 2644 wrote to memory of 2736	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	32
PID 2644 wrote to memory of 2588	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	33
PID 2644 wrote to memory of 2588	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	33
PID 2644 wrote to memory of 2588	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	33
PID 2644 wrote to memory of 2588	2644	{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe	33
PID 2736 wrote to memory of 2868	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	36
PID 2736 wrote to memory of 2868	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	36
PID 2736 wrote to memory of 2868	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	36
PID 2736 wrote to memory of 2868	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	36
PID 2736 wrote to memory of 776	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	37
PID 2736 wrote to memory of 776	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	37
PID 2736 wrote to memory of 776	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	37
PID 2736 wrote to memory of 776	2736	{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe	37
PID 2868 wrote to memory of 1504	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	38
PID 2868 wrote to memory of 1504	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	38
PID 2868 wrote to memory of 1504	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	38
PID 2868 wrote to memory of 1504	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	38
PID 2868 wrote to memory of 2744	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	39
PID 2868 wrote to memory of 2744	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	39
PID 2868 wrote to memory of 2744	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	39
PID 2868 wrote to memory of 2744	2868	{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe	39
PID 1504 wrote to memory of 2260	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	40
PID 1504 wrote to memory of 2260	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	40
PID 1504 wrote to memory of 2260	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	40
PID 1504 wrote to memory of 2260	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	40
PID 1504 wrote to memory of 1512	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	41
PID 1504 wrote to memory of 1512	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	41
PID 1504 wrote to memory of 1512	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	41
PID 1504 wrote to memory of 1512	1504	{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe	41
PID 2260 wrote to memory of 1704	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	42
PID 2260 wrote to memory of 1704	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	42
PID 2260 wrote to memory of 1704	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	42
PID 2260 wrote to memory of 1704	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	42
PID 2260 wrote to memory of 1964	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	43
PID 2260 wrote to memory of 1964	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	43
PID 2260 wrote to memory of 1964	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	43
PID 2260 wrote to memory of 1964	2260	{D82D8819-BFFD-4410-A635-76841B1853BA}.exe	43
PID 1704 wrote to memory of 2228	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	44
PID 1704 wrote to memory of 2228	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	44
PID 1704 wrote to memory of 2228	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	44
PID 1704 wrote to memory of 2228	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	44
PID 1704 wrote to memory of 1408	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	45
PID 1704 wrote to memory of 1408	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	45
PID 1704 wrote to memory of 1408	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	45
PID 1704 wrote to memory of 1408	1704	{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
  C:\Windows\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe
    C:\Windows\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
      C:\Windows\{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
        
        C:\Windows\{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
        
        C:\Windows\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
        
        C:\Windows\{D82D8819-BFFD-4410-A635-76841B1853BA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
        
        C:\Windows\{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
        
        C:\Windows\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
        
        C:\Windows\{B7479B23-535D-4d12-B7B4-985145370CC4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe
        
        C:\Windows\{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{211AB361-D8C4-43eb-AB21-07A40F13A24B}.exe
        
        C:\Windows\{211AB361-D8C4-43eb-AB21-07A40F13A24B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE8B~1.EXE > nul
        12⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7479~1.EXE > nul
        11⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA16E~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5569C~1.EXE > nul
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D82D8~1.EXE > nul
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BF2~1.EXE > nul
        7⤵
        
        PID:1512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53575~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13336~1.EXE > nul
        5⤵
        
        PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{394BB~1.EXE > nul
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2DE0~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13336EBD-9B9D-455c-8F0C-277B79098DCB}.exe

Filesize
180KB

MD5
ce351e97364f46a6397a925cc23413c1

SHA1
5cb8bea5e91579f69e4dc0f73a45895fb1fe218f

SHA256
2503ee16f08fa0fefe711efc28116090faabaa444bf6662d14f3fdf33becdd42

SHA512
e738ff8fd6a0d6e0be8a73048e463f3cf8f090e16dfb2afc5bf8f133e92c1cf0303e6fae8f91b38c59cad81c23b7821869a5483b2e4fc87733cb627c79f0b5e7

Download Submit
C:\Windows\{211AB361-D8C4-43eb-AB21-07A40F13A24B}.exe

Filesize
180KB

MD5
1135f158945ec8f86da9fbd6b1eb4f24

SHA1
53f5623c3eb7c7dd588bf0b8ab5066b14adb4ba1

SHA256
ca55409380a422bdd0dad1dd65bd3ed863c376a32c1ce6ab102816916ef2fe8a

SHA512
1e3cd92fd217b03a398b01367c90960dc478bd5cd99199064e5c5a60c60bcd0bf3b40089772b106009e2d1dd38daf2b11385be6e0adb11de3f151f02a39cfc9f

Download Submit
C:\Windows\{394BBD2A-4CFD-4546-87F0-11FEEA85A503}.exe

Filesize
180KB

MD5
43f83e64037577852409f20c2fe0f5db

SHA1
003c003ee5e91298d74d7dcc93bc602a369766c4

SHA256
47daf9db6591dce0021785ae04e0f11397dfba9f5192b5e7b66a03e8df13efc0

SHA512
097b219c7e9ed4b54b0af16ec25e10c39e91e3a67d70c7b7f1cc1cda1a17a8366c0efee6d6614cdbb22059e807092a9cd39e410f67440ac9363f2815a4d8b1f5

Download Submit
C:\Windows\{53575BB0-E7C9-442f-B42A-306D2DF049CF}.exe

Filesize
180KB

MD5
c878cbdc15886105c47c717c036f9b3a

SHA1
79aa41a189d58b97efecbd2fb4cc337f190330ee

SHA256
0c16804676c7fb71dacf258fdfb7d4d7174de77f72f313f216400c4e720327e1

SHA512
14451b667c3b2269a34147895d6bec053bce096e6f955cec3f021c65478981b17c07511e30ed9edb3b48cf7a0f15340202ca0db8a09995e19e9e9f62105455b9

Download Submit
C:\Windows\{5569C590-4980-4aa6-B5F0-EF211587C7FC}.exe

Filesize
180KB

MD5
a11cf092d1c134aca8043d8ae1ce7008

SHA1
1c089dd88cb8dac5ab0aaab09e9092d554aa3a3f

SHA256
b406634bf35fb18d5e408c424c84add7d2c9c245fd72a05e90519e1a239135e2

SHA512
2ea0a73c3786fcb0c9ba9da1636bd2f06dafafb05d8a0738485249aadb0327e11434c81c75482db98adbeec0d39aa185f6f0cfd5f1f2c1fe66c1d018132effda

Download Submit
C:\Windows\{B2DE0362-DBC7-4106-97C2-7246E4B7CF7C}.exe

Filesize
180KB

MD5
da618fccfb80700019a1ecf7a01aa3da

SHA1
665aa7969291c7e0a9d7e20a479b29f8c4071fd8

SHA256
97708364fe9b416c3ee2eb26acbb737dbc68992a09322048d550a699b883a69b

SHA512
122ad7b83c2197bef2680ec23dfe5ff6a481268f1585ec976701a7302aef4801f3ffaaa4770fa5b60e1f88c5a9f78093d8fe2f8d34c10ff595ae7655d37ed46e

Download Submit
C:\Windows\{B7479B23-535D-4d12-B7B4-985145370CC4}.exe

Filesize
180KB

MD5
4f0250c8b333ad5e7335e6c95a45d5b9

SHA1
83167f7738ef5fe499ab87bb58afcc0edd98907b

SHA256
9d72dea5d645e5330c25cb1360c688a7a928479c33c9d36276b93097f0d65d6f

SHA512
9d35367eec7d4f412623f9033b2718947296f4f648713490abe646c4252d7470431572c12de6da21b7d9ac0b9a5c495369cd35998875316adc3833b7391dcb76

Download Submit
C:\Windows\{C4BF27DD-98BB-49b8-B81D-2E34C3D779A9}.exe

Filesize
180KB

MD5
017a1f98cd197a1bb9a1eb92ecb06b19

SHA1
1ac9baadf721541a6304d5cb68b974de08def019

SHA256
2e68b4cee066f2db85ba676c77906a2cae79473b1dde036342fccbe6a11459a7

SHA512
83a57013d6cf78be6cb80b69d9933a9b7ead5508ef21966b2503c9416e2c5092f381f24e14e214ee658b2e0565f2dc749e1d494bfa486337250e2b2a203d2eae

Download Submit
C:\Windows\{CFE8B0C3-1F92-48df-B386-3334C629C343}.exe

Filesize
180KB

MD5
bf2cd85b0cc4dfdf49ebdc4c43a34e9a

SHA1
4ef095b7e27ae3dfdd6a2746716fb8e7bc7a6518

SHA256
ed33c273283e0dfabddd77a5cd12645bcc1b361cf1d26970de32071792386517

SHA512
f9a10b4787a5afe3aeb493d8b391a29f93c59f83c866ba116b894ea3bc5b15c41bacb4f3b5bb24eec777bd9a4d2b312ecca2385babcf429503908641e98b9641

Download Submit
C:\Windows\{D82D8819-BFFD-4410-A635-76841B1853BA}.exe

Filesize
180KB

MD5
3517c862f73b3a9290f874f0a456577e

SHA1
8f477e709bee9953c82871c5e6c4ac51279fb6df

SHA256
a2b8238ee0014bd4ff48ea42906c652a5b0926f4e30dca9756048e3a6d334343

SHA512
1456ee2079468b7a45e9e5e7a65ea3b2650e94837ec638478602758c3a8076f983f231264adbe52345abc87e80ae21701239ce8393421cbc63de30befc9709d0

Download Submit
C:\Windows\{FA16ED63-E8F3-4b7e-B5C7-7FCADFD8FF19}.exe

Filesize
180KB

MD5
1c5dda107ffc6634ac7bcafcd634ddca

SHA1
8a372d13eec26f995bb79edd7714c84c8c3e8972

SHA256
0934eafcf4d3cdea1eddc80c1bf87dbafdd12237a8c5aa817d2755f398a4124c

SHA512
4a817ec41d75e52be22360594740018be80915c26ccfc8f7804c9150c1a41845c8880ada4b9fa9969ca24faae603effcb1a5271a9dbfca51b86ff6a6c579c97c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads