a538068d22d9e3a30a06501f8753d1a48e2712115410f60fe58987a65e2d04b5

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe
Size

204KB
MD5

73a5d0a94e8d9f326219913e377da757
SHA1

fab200cce19bb3fb48daf53d5195637488ed9fb5
SHA256

a538068d22d9e3a30a06501f8753d1a48e2712115410f60fe58987a65e2d04b5
SHA512

abef2f635346258edbf236e4bcb2f41fc84e484b8e6b333b0858454435f06aec6acc0b0c10f2fba6a125c756efde91c2062c5f67d6ad427450537da731d5cafc
SSDEEP

1536:1EGh0oMl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oMl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014826-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014ac0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014826-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001560b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014826-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014826-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014826-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014826-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87DAF6F6-8437-46d1-8360-D4566335E1F4}\stubpath = "C:\\Windows\\{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe"	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C63556-138E-444e-A20A-9F835AA83CB6}\stubpath = "C:\\Windows\\{19C63556-138E-444e-A20A-9F835AA83CB6}.exe"	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF95C57-3D5D-4501-941A-C6E32441210C}\stubpath = "C:\\Windows\\{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe"	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A42B03D-367E-4755-A510-6F264C3D2D4D}	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67E92771-52AD-4fac-8E2C-6A0C2153418A}	{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F751DCB-AF85-4965-937E-8DDAE085CE28}	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60C5E520-EC35-4015-92FF-3DA588C19FA7}	{0760C855-886C-4e90-B43A-3082229D2481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52B97BA7-9596-4fcd-92E2-D3CC69121494}	{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF95C57-3D5D-4501-941A-C6E32441210C}	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}\stubpath = "C:\\Windows\\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe"	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0760C855-886C-4e90-B43A-3082229D2481}	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67E92771-52AD-4fac-8E2C-6A0C2153418A}\stubpath = "C:\\Windows\\{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe"	{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0760C855-886C-4e90-B43A-3082229D2481}\stubpath = "C:\\Windows\\{0760C855-886C-4e90-B43A-3082229D2481}.exe"	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60C5E520-EC35-4015-92FF-3DA588C19FA7}\stubpath = "C:\\Windows\\{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe"	{0760C855-886C-4e90-B43A-3082229D2481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52B97BA7-9596-4fcd-92E2-D3CC69121494}\stubpath = "C:\\Windows\\{52B97BA7-9596-4fcd-92E2-D3CC69121494}.exe"	{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87DAF6F6-8437-46d1-8360-D4566335E1F4}	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F751DCB-AF85-4965-937E-8DDAE085CE28}\stubpath = "C:\\Windows\\{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe"	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}\stubpath = "C:\\Windows\\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe"	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C63556-138E-444e-A20A-9F835AA83CB6}	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A42B03D-367E-4755-A510-6F264C3D2D4D}\stubpath = "C:\\Windows\\{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe"	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe

Deletes itself 1 IoCs

pid	Process
2160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe
2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe
2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
1648	{0760C855-886C-4e90-B43A-3082229D2481}.exe
1104	{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
608	{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe
1936	{52B97BA7-9596-4fcd-92E2-D3CC69121494}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
File created	C:\Windows\{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
File created	C:\Windows\{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe
File created	C:\Windows\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
File created	C:\Windows\{0760C855-886C-4e90-B43A-3082229D2481}.exe	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
File created	C:\Windows\{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe	{0760C855-886C-4e90-B43A-3082229D2481}.exe
File created	C:\Windows\{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe
File created	C:\Windows\{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
File created	C:\Windows\{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe	{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
File created	C:\Windows\{52B97BA7-9596-4fcd-92E2-D3CC69121494}.exe	{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe
File created	C:\Windows\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
Token: SeIncBasePriorityPrivilege	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe
Token: SeIncBasePriorityPrivilege	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
Token: SeIncBasePriorityPrivilege	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
Token: SeIncBasePriorityPrivilege	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe
Token: SeIncBasePriorityPrivilege	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
Token: SeIncBasePriorityPrivilege	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
Token: SeIncBasePriorityPrivilege	1648	{0760C855-886C-4e90-B43A-3082229D2481}.exe
Token: SeIncBasePriorityPrivilege	1104	{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
Token: SeIncBasePriorityPrivilege	608	{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2240	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	28
PID 2356 wrote to memory of 2240	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	28
PID 2356 wrote to memory of 2240	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	28
PID 2356 wrote to memory of 2240	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	28
PID 2356 wrote to memory of 2160	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	29
PID 2356 wrote to memory of 2160	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	29
PID 2356 wrote to memory of 2160	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	29
PID 2356 wrote to memory of 2160	2356	2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe	29
PID 2240 wrote to memory of 2656	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	30
PID 2240 wrote to memory of 2656	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	30
PID 2240 wrote to memory of 2656	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	30
PID 2240 wrote to memory of 2656	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	30
PID 2240 wrote to memory of 2848	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	31
PID 2240 wrote to memory of 2848	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	31
PID 2240 wrote to memory of 2848	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	31
PID 2240 wrote to memory of 2848	2240	{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe	31
PID 2656 wrote to memory of 2700	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	33
PID 2656 wrote to memory of 2700	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	33
PID 2656 wrote to memory of 2700	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	33
PID 2656 wrote to memory of 2700	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	33
PID 2656 wrote to memory of 1468	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	32
PID 2656 wrote to memory of 1468	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	32
PID 2656 wrote to memory of 1468	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	32
PID 2656 wrote to memory of 1468	2656	{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe	32
PID 2700 wrote to memory of 3020	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	37
PID 2700 wrote to memory of 3020	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	37
PID 2700 wrote to memory of 3020	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	37
PID 2700 wrote to memory of 3020	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	37
PID 2700 wrote to memory of 2076	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	36
PID 2700 wrote to memory of 2076	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	36
PID 2700 wrote to memory of 2076	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	36
PID 2700 wrote to memory of 2076	2700	{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe	36
PID 3020 wrote to memory of 2756	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	38
PID 3020 wrote to memory of 2756	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	38
PID 3020 wrote to memory of 2756	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	38
PID 3020 wrote to memory of 2756	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	38
PID 3020 wrote to memory of 1172	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	39
PID 3020 wrote to memory of 1172	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	39
PID 3020 wrote to memory of 1172	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	39
PID 3020 wrote to memory of 1172	3020	{19C63556-138E-444e-A20A-9F835AA83CB6}.exe	39
PID 2756 wrote to memory of 2760	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	41
PID 2756 wrote to memory of 2760	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	41
PID 2756 wrote to memory of 2760	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	41
PID 2756 wrote to memory of 2760	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	41
PID 2756 wrote to memory of 2176	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	40
PID 2756 wrote to memory of 2176	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	40
PID 2756 wrote to memory of 2176	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	40
PID 2756 wrote to memory of 2176	2756	{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe	40
PID 2760 wrote to memory of 2816	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	42
PID 2760 wrote to memory of 2816	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	42
PID 2760 wrote to memory of 2816	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	42
PID 2760 wrote to memory of 2816	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	42
PID 2760 wrote to memory of 2812	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	43
PID 2760 wrote to memory of 2812	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	43
PID 2760 wrote to memory of 2812	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	43
PID 2760 wrote to memory of 2812	2760	{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe	43
PID 2816 wrote to memory of 1648	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	44
PID 2816 wrote to memory of 1648	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	44
PID 2816 wrote to memory of 1648	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	44
PID 2816 wrote to memory of 1648	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	44
PID 2816 wrote to memory of 1800	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	45
PID 2816 wrote to memory of 1800	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	45
PID 2816 wrote to memory of 1800	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	45
PID 2816 wrote to memory of 1800	2816	{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_73a5d0a94e8d9f326219913e377da757_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
  C:\Windows\{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe
    C:\Windows\{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F751~1.EXE > nul
      4⤵
      PID:1468
  - - C:\Windows\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
      C:\Windows\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DBB4~1.EXE > nul
        5⤵
        
        PID:2076
    - - C:\Windows\{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
        
        C:\Windows\{19C63556-138E-444e-A20A-9F835AA83CB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe
        
        C:\Windows\{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF95~1.EXE > nul
        7⤵
        
        PID:2176
        
        C:\Windows\{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
        
        C:\Windows\{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
        
        C:\Windows\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{0760C855-886C-4e90-B43A-3082229D2481}.exe
        
        C:\Windows\{0760C855-886C-4e90-B43A-3082229D2481}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
        
        C:\Windows\{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe
        
        C:\Windows\{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\{52B97BA7-9596-4fcd-92E2-D3CC69121494}.exe
        
        C:\Windows\{52B97BA7-9596-4fcd-92E2-D3CC69121494}.exe
        12⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67E92~1.EXE > nul
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60C5E~1.EXE > nul
        11⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0760C~1.EXE > nul
        10⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C08F~1.EXE > nul
        9⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A42B~1.EXE > nul
        8⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19C63~1.EXE > nul
        6⤵
        
        PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87DAF~1.EXE > nul
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0760C855-886C-4e90-B43A-3082229D2481}.exe

Filesize
204KB

MD5
a279a6d809d130f97d160f372d65d141

SHA1
83bac389638fa2309e3615660a843b5d2506d278

SHA256
0aab631db963f82e27fbbb3ef6c16479573cb88a6576460e686b71c75bd35f04

SHA512
a9e7e60a9fd8f617e9e3d34bbfbb5e7d378bc596eca739763326222dfb09339c6c04d07f16a9d2bd2ffa4dfd2b245408cdb16da5ef413fef22cf9afd920c8193

Download Submit
C:\Windows\{0760C855-886C-4e90-B43A-3082229D2481}.exe

Filesize
4KB

MD5
80b01e1a5a0bb8eb29baeaaeaa0f861a

SHA1
1e5147c37d8f4f28b32546e9ea2d326f84fba033

SHA256
a65ae810b7ee64c2cb48c779364fa6cf4c809c235518886933c19fb982cfca1f

SHA512
80c363db62e0edd6b12e7447147b95cfd087d3ef966b4a006d4855b4348130d3d4477eeb198c67092742afe99fb67138a2b6fc71c8317ec4c22b06c357a0a1c8

Download Submit
C:\Windows\{19C63556-138E-444e-A20A-9F835AA83CB6}.exe

Filesize
204KB

MD5
8b0b86be12087d307d6414ec18a86fa6

SHA1
3b072e7ac0ba56ccb847c47ff899fb9ef5f93f59

SHA256
2dea7c10ecd8440bcfd1e88f77a2828b8a4d6b6a9d13cc8c6290bb52241f3a72

SHA512
21edf6444caf3579d6f482937834ac40cc8b8f259c8076c8608c2b5df0abb33e7155e4822982d3297190235d23de79e783c0b344d50f9e25ef9cc6714ba0f90e

Download Submit
C:\Windows\{1A42B03D-367E-4755-A510-6F264C3D2D4D}.exe

Filesize
204KB

MD5
eb5db033d7a91c9d446067de13394dcc

SHA1
07fb70bbd2e552cc302b51bee32baf71aab8ad09

SHA256
27f55505f3d42a0533ce1357a0e2cbb3bb4e2563837a5e7b2a85c75de532aab9

SHA512
b91222e884b6d2317b8f68ac8e6e2f48a4a5da7dcecf6102e431ec6b56d7899b475f191603c61a82c28e1e512053d77dd30b32b79b5b55c02d24af1e1801f526

Download Submit
C:\Windows\{3F751DCB-AF85-4965-937E-8DDAE085CE28}.exe

Filesize
204KB

MD5
ce66ef7966d15113ac85320837ea7f58

SHA1
506450d2dae3e9481f7003e01c9767265c2c4999

SHA256
f5e0e5e8dab2c7f9fb8d28d711d6e6b010b9ee7b2c50ad855ccc1ee199f6d4db

SHA512
487ec4b1321c4d09664c3fa86087183ff83616992b77ce62d54a7af6b306d609f848b606a9243bb5c9521c543eb677a59e0219dda056f7a8f0fc22c93c4a2ad5

Download Submit
C:\Windows\{52B97BA7-9596-4fcd-92E2-D3CC69121494}.exe

Filesize
204KB

MD5
a5ea5c29be3f852084d07b46a38924fa

SHA1
e49b90d8f38b74dd671e0e640b872c5f264aacbb

SHA256
8d1af7c744fa7c69d054be450e7ff9691329ca005dbe0472ac51e3dd0adf8ffa

SHA512
bbb755fba14b92c769a1e68c29e8bf561a2ba1f3d315fcb7113dca31c1f7dc27cc427a5790aad69452f1a6d741a5da8c1387b63374b30ef554fbb811285aa910

Download Submit
C:\Windows\{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe

Filesize
22KB

MD5
743bc9bf5a447e8730a00f12c2624998

SHA1
91e341e8d8dbb8d2f83d29cad9b19a975433de34

SHA256
505c5532c8212279c576b3a0b78154228698063148f4c5ab6bb42d1d5b72a495

SHA512
2e7c93b195909c49b7194e40c03005272243d2a5c6f95c292d0930c74ce2bade2c6795d0793954875146f59c9c6fe811b74b03522c67123490601ec09f9e2493

Download Submit
C:\Windows\{60C5E520-EC35-4015-92FF-3DA588C19FA7}.exe

Filesize
204KB

MD5
720621df336edab8a25d8ee84e762b20

SHA1
c02b22bf6851bfe1fdbeef77c9a792d8ec3e465e

SHA256
3180a879e19f138853a7155f3d4c03212d6a7f169eebca0102b812ff4e24a95b

SHA512
3127b630456256c01161cd4cd107827a647af2f2a9d44d8c84483c483a115ab992aec4221d3bcc22fd23f8c2c440969a74ea3f02c94ae728b6eeaafc0e915491

Download Submit
C:\Windows\{67E92771-52AD-4fac-8E2C-6A0C2153418A}.exe

Filesize
204KB

MD5
dec813c75303b3745f2b5cc634b9c582

SHA1
1dcbb2710df1a76061902edef6f0f38ce9526887

SHA256
5f65574735284adfa802e0a002ac73308b4f557108aeaf0d3a6ee6b3596fca95

SHA512
a5b9c9b5cc46bc934f52924841e6c52089a76ddf21f664679e2f2b1f18d900088b3f4d596a494941942a230ea059daa4bb3481f9effad42d88bf37a2428bf757

Download Submit
C:\Windows\{6CF95C57-3D5D-4501-941A-C6E32441210C}.exe

Filesize
204KB

MD5
a7da90da5359bdc2c09240fc2799335e

SHA1
43ad16a6733d15241499ec2125237ed321b3b836

SHA256
73b89550fb2fd3d0536072f5425024a2338ca9e434716ec7712bf462a7fcbcf5

SHA512
e280e85ba67f7077a2f86bf63eb3434745495ff866843a1aaf932185e34dea1b91ee5d6dbc1aa349080d329cf95eaba55946285af42172273f1fe501bb599a51

Download Submit
C:\Windows\{7DBB48E0-A325-42cd-A42F-C474CB8A467A}.exe

Filesize
204KB

MD5
99e138d964e7a7e1e115261ff5273560

SHA1
ff43f7a95b68a479bef6419c1143860d61bbbe8c

SHA256
f8fc4713396d8333dc71ef1d3429b250e3ce9825795d916e77334a2aad12995b

SHA512
e7639301c3ebf5947075122a1199d49731e3a92ef9d0978c8f4facd1cdcd93616de0ca1373f1f7196586731f84fce70de90f33e2c8d80abebc839a2cc11f1302

Download Submit
C:\Windows\{87DAF6F6-8437-46d1-8360-D4566335E1F4}.exe

Filesize
204KB

MD5
2c03d630b6b16e90430d78419883a06a

SHA1
77c7751652e12ba6fe83283a84d00acfa29d262d

SHA256
4c0853f64596516031211ff392cb93636747eeba27c49ce81dcfafbc7c190455

SHA512
fd37347e8c5b77972b59806756c8457239776e7c18b48965d6c8bc4a063e3b936467ea95fbaa369827da60a76073ba242cad9d57a346be1b2885a7a3b39f9bf6

Download Submit
C:\Windows\{8C08FE2F-4BB5-465c-84F5-B8D6A5569B77}.exe

Filesize
204KB

MD5
8d93d901c6a97056be29ee566b99aa9f

SHA1
d2aa49de882355fc962ce57c67c9d0c99205e93e

SHA256
f046ab82a7ba1e75213ff9fdeaf70e6a88d802cab840e5b8b7732c0473e2d07c

SHA512
e0860883ec833b03b52e4f1f3e7affc3d1fd3a5f8c3a1751e38f99ed1609cd37f65f932080bffc58f40c3b221f076d66ec58268d9c7be74817deb9caf3aa5ad9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads