fd93e81efba7a7c29fa9486f7424a8c114e044756270d8499de5c4e9119470cf

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe
Size

180KB
MD5

13f639db9fa7c146634bc40e71d69059
SHA1

65a43f9ffbc8108ee776b8a1970deac84b51bd33
SHA256

fd93e81efba7a7c29fa9486f7424a8c114e044756270d8499de5c4e9119470cf
SHA512

e2a4a068efebf52b7ffef2817103502c66f808d5fbd888686e76c40e0f097f2e6d2bea9ac6ac6509b42af5d6251555e8a46a85b40b5bb45c0b04d184e57e09d3
SSDEEP

3072:jEGh0oWlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGAl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012286-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d12-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015d3b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d53-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d3b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d53-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015d7b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015d83-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d7b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d83-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}\stubpath = "C:\\Windows\\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe"	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E230BC7A-73BC-4b7f-887F-54BD9764653F}\stubpath = "C:\\Windows\\{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe"	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}	{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}\stubpath = "C:\\Windows\\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}.exe"	{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8764E9A4-74C0-4568-BD37-4748DE39E841}	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E401B604-8454-4bec-A422-3D43B73E9E9E}	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}	{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}\stubpath = "C:\\Windows\\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe"	{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}\stubpath = "C:\\Windows\\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe"	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8764E9A4-74C0-4568-BD37-4748DE39E841}\stubpath = "C:\\Windows\\{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe"	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}\stubpath = "C:\\Windows\\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe"	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407B4D55-2AB7-4576-B28B-58B91934FAAA}	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E401B604-8454-4bec-A422-3D43B73E9E9E}\stubpath = "C:\\Windows\\{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe"	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D48C68AF-ED46-4164-80B4-889F2D31BD18}	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D48C68AF-ED46-4164-80B4-889F2D31BD18}\stubpath = "C:\\Windows\\{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe"	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E230BC7A-73BC-4b7f-887F-54BD9764653F}	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407B4D55-2AB7-4576-B28B-58B91934FAAA}\stubpath = "C:\\Windows\\{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe"	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}\stubpath = "C:\\Windows\\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe"	{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}	{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe
560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
1128	{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
2940	{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe
2896	{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe
1104	{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}.exe	{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe
File created	C:\Windows\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
File created	C:\Windows\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
File created	C:\Windows\{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
File created	C:\Windows\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe	{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
File created	C:\Windows\{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
File created	C:\Windows\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe	{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe
File created	C:\Windows\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe
File created	C:\Windows\{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
File created	C:\Windows\{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
File created	C:\Windows\{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
Token: SeIncBasePriorityPrivilege	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
Token: SeIncBasePriorityPrivilege	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
Token: SeIncBasePriorityPrivilege	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe
Token: SeIncBasePriorityPrivilege	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
Token: SeIncBasePriorityPrivilege	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
Token: SeIncBasePriorityPrivilege	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
Token: SeIncBasePriorityPrivilege	1128	{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
Token: SeIncBasePriorityPrivilege	2940	{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe
Token: SeIncBasePriorityPrivilege	2896	{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2080	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	28
PID 2132 wrote to memory of 2080	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	28
PID 2132 wrote to memory of 2080	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	28
PID 2132 wrote to memory of 2080	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	28
PID 2132 wrote to memory of 2384	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	29
PID 2132 wrote to memory of 2384	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	29
PID 2132 wrote to memory of 2384	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	29
PID 2132 wrote to memory of 2384	2132	2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe	29
PID 2080 wrote to memory of 2792	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	30
PID 2080 wrote to memory of 2792	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	30
PID 2080 wrote to memory of 2792	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	30
PID 2080 wrote to memory of 2792	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	30
PID 2080 wrote to memory of 2672	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	31
PID 2080 wrote to memory of 2672	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	31
PID 2080 wrote to memory of 2672	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	31
PID 2080 wrote to memory of 2672	2080	{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe	31
PID 2792 wrote to memory of 2708	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	32
PID 2792 wrote to memory of 2708	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	32
PID 2792 wrote to memory of 2708	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	32
PID 2792 wrote to memory of 2708	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	32
PID 2792 wrote to memory of 2704	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	33
PID 2792 wrote to memory of 2704	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	33
PID 2792 wrote to memory of 2704	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	33
PID 2792 wrote to memory of 2704	2792	{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe	33
PID 2708 wrote to memory of 2952	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	36
PID 2708 wrote to memory of 2952	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	36
PID 2708 wrote to memory of 2952	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	36
PID 2708 wrote to memory of 2952	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	36
PID 2708 wrote to memory of 2304	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	37
PID 2708 wrote to memory of 2304	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	37
PID 2708 wrote to memory of 2304	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	37
PID 2708 wrote to memory of 2304	2708	{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe	37
PID 2952 wrote to memory of 560	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	38
PID 2952 wrote to memory of 560	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	38
PID 2952 wrote to memory of 560	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	38
PID 2952 wrote to memory of 560	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	38
PID 2952 wrote to memory of 1836	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	39
PID 2952 wrote to memory of 1836	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	39
PID 2952 wrote to memory of 1836	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	39
PID 2952 wrote to memory of 1836	2952	{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe	39
PID 560 wrote to memory of 2720	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	40
PID 560 wrote to memory of 2720	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	40
PID 560 wrote to memory of 2720	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	40
PID 560 wrote to memory of 2720	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	40
PID 560 wrote to memory of 336	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	41
PID 560 wrote to memory of 336	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	41
PID 560 wrote to memory of 336	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	41
PID 560 wrote to memory of 336	560	{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe	41
PID 2720 wrote to memory of 2420	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	42
PID 2720 wrote to memory of 2420	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	42
PID 2720 wrote to memory of 2420	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	42
PID 2720 wrote to memory of 2420	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	42
PID 2720 wrote to memory of 2432	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	43
PID 2720 wrote to memory of 2432	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	43
PID 2720 wrote to memory of 2432	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	43
PID 2720 wrote to memory of 2432	2720	{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe	43
PID 2420 wrote to memory of 1128	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	44
PID 2420 wrote to memory of 1128	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	44
PID 2420 wrote to memory of 1128	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	44
PID 2420 wrote to memory of 1128	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	44
PID 2420 wrote to memory of 2808	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	45
PID 2420 wrote to memory of 2808	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	45
PID 2420 wrote to memory of 2808	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	45
PID 2420 wrote to memory of 2808	2420	{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_13f639db9fa7c146634bc40e71d69059_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
  C:\Windows\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
    C:\Windows\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
      C:\Windows\{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe
        
        C:\Windows\{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
        
        C:\Windows\{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
        
        C:\Windows\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
        
        C:\Windows\{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
        
        C:\Windows\{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe
        
        C:\Windows\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe
        
        C:\Windows\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}.exe
        
        C:\Windows\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEAF~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB85F~1.EXE > nul
        11⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E401B~1.EXE > nul
        10⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{407B4~1.EXE > nul
        9⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12ACC~1.EXE > nul
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E230B~1.EXE > nul
        7⤵
        
        PID:336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8764E~1.EXE > nul
        6⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D48C6~1.EXE > nul
        5⤵
        
        PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B62B7~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4F8~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12ACCC47-FEC5-4f35-961D-66A5E241E0F8}.exe

Filesize
180KB

MD5
4de5f25251c93525e460de7ad1435476

SHA1
8917d7912bf12ee0bf5ebb72c2a93090d896d23a

SHA256
a05fa587a4b30ce63a1f034661c5415e753dd6b5a91aa07e78e0094dbb824e09

SHA512
87e5e3966c49c361fea17d23d360752e9995e9c3fafad60afd030a3f11e1eadd2e09272e5936545f0a944bfdc9d5221bd8981563bd8414847acb8308580604e5

Download Submit
C:\Windows\{1630D3CA-5478-4aa8-B326-3DDA2F6FD3AD}.exe

Filesize
180KB

MD5
55a5a601278218ac6b14f242e1ada60a

SHA1
9d2238e7717a02d40c0f6e0de71f27ebade5493d

SHA256
8837251a4d155ceb2ed90744ffab5b35c1950766a4fc3af1a7b9178b068a7f86

SHA512
f9e3a12daecf57934c4434314a984700c52e710523ecd7f62f32a8dbb0f36494ffd9205e91ebb6474abbef36543f69c970bcba2195f5f45f0d67a642f7a93ba6

Download Submit
C:\Windows\{1AEAFBBF-8E6E-4f24-A503-F1FF608BB80D}.exe

Filesize
180KB

MD5
6cbc66cb69c67d47dca7d55696fa55f0

SHA1
d7354d6b16e9de6bd599dbdc502f2a9871def7db

SHA256
de9d6c7754c4e35044030b6ecb418945eeb20b9a63a4bd0922382976adfa9b38

SHA512
855556d893f45d192e2cc7875a4b24506748d641e515a73f015945711d84d9e2ba8ddc56fa6c8b8cba4c884363a26b8e114e60b44d7763611b279b0eb27ac7a4

Download Submit
C:\Windows\{407B4D55-2AB7-4576-B28B-58B91934FAAA}.exe

Filesize
180KB

MD5
f69cdf203621e240a0665dcab09fbc02

SHA1
893f5415ade71cf5e8fa45fb139ef7b1e7c37fee

SHA256
3b9f151ef9d5217d4792add49a31ef8c1b2fe304d8f51d514355ba373a8b37a6

SHA512
8bb933f74299429fc2bdc86170cf31d76d28fbb518a9a00d34d2e2cb7141be4cb1d81389a7928bd3f4fff8a87aae7a7c7612522c8353ee19be37e90f87f75f93

Download Submit
C:\Windows\{7A4F8AFD-757D-43fb-9E7D-4A819DAF3FD2}.exe

Filesize
180KB

MD5
1d0d01fe233fad5e3671ae5377625b1d

SHA1
f3b3551128a6a0ad6521e04a58c0ae692f6f95ae

SHA256
0d8dbc57a5f7b199b7d09a7c54dda7972ac92e002175c154d018ea4dbd917a04

SHA512
93e2e76c72e5627bf3de46dd220217b26e3adcbb2fd409a2b1c57639f1a73736bcff870f7074b2b4e894b94c8b20b8fe744f945ce97ecd1620fd045bc89e4131

Download Submit
C:\Windows\{8764E9A4-74C0-4568-BD37-4748DE39E841}.exe

Filesize
180KB

MD5
4572963247344ca19677df13b7f3209d

SHA1
8e0164eda0189693f80cd1fc0f36a559b9f3ea63

SHA256
4c3b7a23e0ac542bbabfae3e0072f2c337d7da06805471ba32533e03186563ff

SHA512
01d0236beea4bf3d0ee7f9530738f3704111430e75f7f2f80a3c198dd38a2cbfbbb3405eef3b6653e1e1625b6a9fe2f8b4b9820f8bd8fa6d55d0e6a16f9f6e2a

Download Submit
C:\Windows\{AB85FE4F-909F-437c-BCAF-3ACF08AC0815}.exe

Filesize
180KB

MD5
942108d472bbae3820521d1703271168

SHA1
d571b6191f453bf826bdd2d9d004bc16b7b717de

SHA256
9e3376bbc7d30c993b39be2000758b0d17a88def4e8758248f7c87caf256f5d8

SHA512
9cec6faa7d1c03c1e5ed56f019b3d3748241174d214a412b23926fe283e05e9a2a6840fc409511d6a6b9828f2f48ce0c9c4a592a30dd79c7fe13dd2a66268bac

Download Submit
C:\Windows\{B62B7039-3286-4a9d-AE0B-FAF04688EE6C}.exe

Filesize
180KB

MD5
ef2c2817807cb2f54a23681b7994b3c8

SHA1
a8c4cbfb793ca0d76336fc4d34c0d64fc4d90a1a

SHA256
a1a43598fa047baabf081835d04aa4b99aeddab47be3445e800614ff7b236d2c

SHA512
ed0c1273c30f9abd28877fc0a9c39a6dc4847b2739c0fbeb910a08052114fa51a02f2409cc24b1295417bd23dffc7f87e997862ab874a4a5b1acd4418a091eca

Download Submit
C:\Windows\{D48C68AF-ED46-4164-80B4-889F2D31BD18}.exe

Filesize
180KB

MD5
ef58d68228441184e0f78559a7e002e5

SHA1
76c47f31c38bbcccccbe0b96f73a42f0a9201646

SHA256
089d4969930b6a2545b03b90fa905e611a0c3fac3a5f027aa49e1125d941c8e5

SHA512
c31eb8e2dcac23fa040045e9f852b70622eae817717146b2ea1eb8de842e4fbd8a1c1652c2ec31f334fcb57aa9a3c5d0af82a79bb25330e67a642d2aa60d02d9

Download Submit
C:\Windows\{E230BC7A-73BC-4b7f-887F-54BD9764653F}.exe

Filesize
180KB

MD5
7817bfcaced68429db5016d9b76a8a70

SHA1
e8077043a77a2dfefef10960a3d1d5030410abc6

SHA256
1177f9a136f0b64908c37fe9ebca4112615511a2c0a6a7352026a086171c10d2

SHA512
2811576988809b9c3e8acb7ce10ff842b899f881487fee996ae434aa294a134b6ecec6701b96e3c4e98f15a3bbbeec7ca4d0d5b40d8caccd53c2a37936c9aa4f

Download Submit
C:\Windows\{E401B604-8454-4bec-A422-3D43B73E9E9E}.exe

Filesize
180KB

MD5
b9b46e71f9c4192c5d752c2defc774a2

SHA1
7740eaa7d143dacf3c61256b6b46ba78aacba49f

SHA256
643095f368ee372d2eba078a10abb7d236221c42d105866217c4ef51f1c5e550

SHA512
756c8e559df0fab122ca6749de5cb63da261679f3520dfdcb6dc9aae3f61d03f63dcad4cff3288c5fb89b19b8f73e5aaabee8c2d22e954e84befec943d2e7dd0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads