6785e5448df4114c11ce961df33622545e4c06f4381bea27f766168b28253c42

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe
Size

380KB
MD5

675805472f71a27c70e43c8451bf2131
SHA1

8642c22c36087adbf38321f4c0177d5868116850
SHA256

6785e5448df4114c11ce961df33622545e4c06f4381bea27f766168b28253c42
SHA512

2a10295e26aad2f7a7437481701ecb971ee270f1f41c27b2108288e63f56356b238e5192bb058c6318d427b92b66e65b825b22e20659b2a3efeff41c8fc8c2ab
SSDEEP

3072:mEGh0oWlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGsl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012223-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012266-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000014b38-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05462389-FE02-4888-AF0A-C87171A85C9C}\stubpath = "C:\\Windows\\{05462389-FE02-4888-AF0A-C87171A85C9C}.exe"	{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}\stubpath = "C:\\Windows\\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe"	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{842B6CC6-D9C8-4486-A276-A16081F858A2}	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{204EA7F1-6C60-467d-9BDB-59F177C49C90}	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}\stubpath = "C:\\Windows\\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe"	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{316815F5-3693-4897-BC31-0216B3C1DA80}	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{316815F5-3693-4897-BC31-0216B3C1DA80}\stubpath = "C:\\Windows\\{316815F5-3693-4897-BC31-0216B3C1DA80}.exe"	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{204EA7F1-6C60-467d-9BDB-59F177C49C90}\stubpath = "C:\\Windows\\{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe"	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}\stubpath = "C:\\Windows\\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe"	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}	{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}\stubpath = "C:\\Windows\\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe"	{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}\stubpath = "C:\\Windows\\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}.exe"	{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}	{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{842B6CC6-D9C8-4486-A276-A16081F858A2}\stubpath = "C:\\Windows\\{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe"	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}\stubpath = "C:\\Windows\\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe"	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}\stubpath = "C:\\Windows\\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe"	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05462389-FE02-4888-AF0A-C87171A85C9C}	{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe
2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
708	{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe
1200	{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
1992	{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe
2000	{E91F7135-6F63-4658-BB11-4081B1AEB5D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe	{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
File created	C:\Windows\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}.exe	{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe
File created	C:\Windows\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe
File created	C:\Windows\{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
File created	C:\Windows\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
File created	C:\Windows\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
File created	C:\Windows\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
File created	C:\Windows\{05462389-FE02-4888-AF0A-C87171A85C9C}.exe	{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe
File created	C:\Windows\{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
File created	C:\Windows\{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
File created	C:\Windows\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
Token: SeIncBasePriorityPrivilege	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
Token: SeIncBasePriorityPrivilege	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe
Token: SeIncBasePriorityPrivilege	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
Token: SeIncBasePriorityPrivilege	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
Token: SeIncBasePriorityPrivilege	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
Token: SeIncBasePriorityPrivilege	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
Token: SeIncBasePriorityPrivilege	708	{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe
Token: SeIncBasePriorityPrivilege	1200	{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
Token: SeIncBasePriorityPrivilege	1992	{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2736	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	28
PID 1656 wrote to memory of 2736	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	28
PID 1656 wrote to memory of 2736	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	28
PID 1656 wrote to memory of 2736	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	28
PID 1656 wrote to memory of 2868	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	29
PID 1656 wrote to memory of 2868	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	29
PID 1656 wrote to memory of 2868	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	29
PID 1656 wrote to memory of 2868	1656	2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe	29
PID 2736 wrote to memory of 2872	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	30
PID 2736 wrote to memory of 2872	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	30
PID 2736 wrote to memory of 2872	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	30
PID 2736 wrote to memory of 2872	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	30
PID 2736 wrote to memory of 3044	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	31
PID 2736 wrote to memory of 3044	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	31
PID 2736 wrote to memory of 3044	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	31
PID 2736 wrote to memory of 3044	2736	{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe	31
PID 2872 wrote to memory of 1160	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	34
PID 2872 wrote to memory of 1160	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	34
PID 2872 wrote to memory of 1160	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	34
PID 2872 wrote to memory of 1160	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	34
PID 2872 wrote to memory of 2456	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	35
PID 2872 wrote to memory of 2456	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	35
PID 2872 wrote to memory of 2456	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	35
PID 2872 wrote to memory of 2456	2872	{316815F5-3693-4897-BC31-0216B3C1DA80}.exe	35
PID 1160 wrote to memory of 2912	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	36
PID 1160 wrote to memory of 2912	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	36
PID 1160 wrote to memory of 2912	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	36
PID 1160 wrote to memory of 2912	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	36
PID 1160 wrote to memory of 2976	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	37
PID 1160 wrote to memory of 2976	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	37
PID 1160 wrote to memory of 2976	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	37
PID 1160 wrote to memory of 2976	1160	{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe	37
PID 2912 wrote to memory of 2816	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	39
PID 2912 wrote to memory of 2816	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	39
PID 2912 wrote to memory of 2816	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	39
PID 2912 wrote to memory of 2816	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	39
PID 2912 wrote to memory of 2684	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	38
PID 2912 wrote to memory of 2684	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	38
PID 2912 wrote to memory of 2684	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	38
PID 2912 wrote to memory of 2684	2912	{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe	38
PID 2816 wrote to memory of 2664	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	41
PID 2816 wrote to memory of 2664	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	41
PID 2816 wrote to memory of 2664	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	41
PID 2816 wrote to memory of 2664	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	41
PID 2816 wrote to memory of 1936	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	40
PID 2816 wrote to memory of 1936	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	40
PID 2816 wrote to memory of 1936	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	40
PID 2816 wrote to memory of 1936	2816	{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe	40
PID 2664 wrote to memory of 324	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	42
PID 2664 wrote to memory of 324	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	42
PID 2664 wrote to memory of 324	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	42
PID 2664 wrote to memory of 324	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	42
PID 2664 wrote to memory of 336	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	43
PID 2664 wrote to memory of 336	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	43
PID 2664 wrote to memory of 336	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	43
PID 2664 wrote to memory of 336	2664	{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe	43
PID 324 wrote to memory of 708	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	45
PID 324 wrote to memory of 708	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	45
PID 324 wrote to memory of 708	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	45
PID 324 wrote to memory of 708	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	45
PID 324 wrote to memory of 1528	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	44
PID 324 wrote to memory of 1528	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	44
PID 324 wrote to memory of 1528	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	44
PID 324 wrote to memory of 1528	324	{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_675805472f71a27c70e43c8451bf2131_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
  C:\Windows\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
    C:\Windows\{316815F5-3693-4897-BC31-0216B3C1DA80}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe
      C:\Windows\{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
        
        C:\Windows\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEECB~1.EXE > nul
        6⤵
        
        PID:2684
      - C:\Windows\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
        
        C:\Windows\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E067E~1.EXE > nul
        7⤵
        
        PID:1936
        
        C:\Windows\{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
        
        C:\Windows\{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
        
        C:\Windows\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C8EF~1.EXE > nul
        9⤵
        
        PID:1528
        
        C:\Windows\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe
        
        C:\Windows\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
        
        C:\Windows\{05462389-FE02-4888-AF0A-C87171A85C9C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe
        
        C:\Windows\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}.exe
        
        C:\Windows\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}.exe
        12⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA14~1.EXE > nul
        12⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05462~1.EXE > nul
        11⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4075A~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{204EA~1.EXE > nul
        8⤵
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{842B6~1.EXE > nul
        5⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{31681~1.EXE > nul
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6BB0~1.EXE > nul
    3⤵
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05462389-FE02-4888-AF0A-C87171A85C9C}.exe

Filesize
380KB

MD5
f18b567c052bb971e50743ca4cb8114e

SHA1
7678e1394362413851fe197f23acdfadfac78679

SHA256
e0e9b0ee8ed52bfe6e14a0c6df859ce52eccd966e7efa4a19689181f8658bbc6

SHA512
5f0c8250ac55bb204f6f874ebac152681e05aff747dff7016cd1ba0daa758c6f36a0f31f2f74261765654b4fb269c3d50fe9d51cebadfa68501555369492689e

Download Submit
C:\Windows\{204EA7F1-6C60-467d-9BDB-59F177C49C90}.exe

Filesize
380KB

MD5
69183e51716fddfb7315604086571c0f

SHA1
eeaae0e351383216529c274bc19cb1d70834f739

SHA256
32acf1f19242ead23d8c9e2cb9b3c3545e2f459523c1e0ad8f670a79bdd41330

SHA512
f68c41139219835f4686d49521bd84d682ce41f57a8e65828ed7b75d7565f7fbbc35a26681f6e6ab3b85945a36363824a0a5a7b2197cf110ec57b9e920ba01d7

Download Submit
C:\Windows\{316815F5-3693-4897-BC31-0216B3C1DA80}.exe

Filesize
380KB

MD5
94e187a91deaf775b763b79e25161cfe

SHA1
152a6abb6ab16699b65ab10b037b350f0f89c076

SHA256
a86f1c081029ac0d5f65dffdd3a7a692c03a15033526567236f7a2d54a035241

SHA512
fbccbbc81abc09f3fb015b45e8764a96650aae02ef6dabf980581eded853fb722b0f031dd3a074b417bd85a271bb4508a4c3585b79bd974be593525d07027364

Download Submit
C:\Windows\{4075AE85-E65F-4f96-97DB-24C878BA1BFE}.exe

Filesize
380KB

MD5
5c527a6fe4241e5d7a8e7e57481f09b3

SHA1
7660f068c1e2a9e0533bddd45291cf31234d0513

SHA256
3434815c5fa7399ad9985d9a8d2409fcf3e149336c68fe4acffd02e37700e060

SHA512
4a047b022fdaf8059fdd562e688ecd5a1161392bede16d65a085411e447dec86920ce85bf67922e6e13556842ed31979697b0f1f98962720227da4b427367dcb

Download Submit
C:\Windows\{7C8EF9D7-038C-43ff-8036-D3E3E24845CC}.exe

Filesize
380KB

MD5
04be50b18c2ef28e645f1780547e8b67

SHA1
fd6cdb366893b30ca8b77397835e88b3f272663b

SHA256
c16ba834ff3dc0b73b0fa92f8856430825cd1fb4910ac436336f1b736ad88928

SHA512
8e6c07684fc7735951263f38a33498e27d923c24cfff731bc55d929b24aa65a4014842841a451426e9b08426778029c0201cfc18d114533406d0d1911a7c9c73

Download Submit
C:\Windows\{842B6CC6-D9C8-4486-A276-A16081F858A2}.exe

Filesize
380KB

MD5
5420fc0427b66cf290592e9d08e3aa2f

SHA1
a015f255cad303da8e6e410628c0d4f586b4a20e

SHA256
6c14afe286542024a251680ee92e8bf8e4d166d3dffe806d7e2d6f9aecdda0f3

SHA512
e4396db7a6b8c3b332d444962e889714fb9652dfbd5091b1ddc146108ceff5f32edd1a38d629fe8aeea7d0b511a5390345cae19ec9fd9622bd1df36f89b516b8

Download Submit
C:\Windows\{A6BB0DF5-6631-44ef-A135-7E2F18DA9113}.exe

Filesize
380KB

MD5
1927ceb5e31d5dcafe13d008b78f7f0f

SHA1
5e6714c60e6759df4d593dabf20de8db1284581f

SHA256
6d52c3c3b5ee8d7836f091e900a55d529686fc52934f8122bf48631ac347a5bf

SHA512
7c98685db341a349194e3f6e425ebec7a17bd51832b2b0a087e030182697a7899e70dbd30bd31414d5b13b4e71b989447229ddfb4cbea1b7b7f79a324c702d55

Download Submit
C:\Windows\{BCA149D3-DE3C-4527-82AF-2B0EFCEC804B}.exe

Filesize
380KB

MD5
9734846fa6178f8333781c3866956b4c

SHA1
d8def2180283d295c2d5eb11b5cb95d5a4190052

SHA256
ce200aa735b0a1283ce83c2db8b938ddd31edd859198cee94fe568c6ce569c49

SHA512
740dbca5ac63774a0f33da08e81955cefa4c0ebbec7a088b5a6d9c3a3e097af404ff85bddda135419ec379994bc4294c339048f2cc8510e8301394927fdb42c0

Download Submit
C:\Windows\{E067E01E-12FE-4932-AFAC-F35559EE1A9C}.exe

Filesize
380KB

MD5
a4ca42917760379dfa241da72360c594

SHA1
94603babd32d41a50c7b3ab6abdae2e1ba35f250

SHA256
557c603e6b1996d4fc672a96d55d1aee828b838b2c095445d54b89ce4599dbfe

SHA512
3b7960ffef0c283cc4720275bf577a77ee41f5c5958ef52b9c4461aacd412c3ff5c5add066ec3708b1e58c6662cb476f6565c2921167c9d6d866f586c1af192c

Download Submit
C:\Windows\{E91F7135-6F63-4658-BB11-4081B1AEB5D8}.exe

Filesize
380KB

MD5
8382f2e71bc9f102e0412c0e53c3a8d5

SHA1
46bb727699a81e9cc7bbed4152b8f0dadfde4b40

SHA256
144edb5320defce3d48f7e8eb400ea2155ec04aa64627b281fb73747005b29c5

SHA512
997b8567d73ec4f7ef7a39ba3812bf339d60f3a6b0fd4aec1d8ed6e70e363b0a6efd86b2df419b1f6a3fc716a64e343e2b19f41ed3e3c0e5cf3e3e851b7fad45

Download Submit
C:\Windows\{FEECB95D-F55C-49c3-A9FF-5183D57DB6E2}.exe

Filesize
380KB

MD5
ef9169d802c117d391018fb9628addbc

SHA1
fe911ac0815e7dab68f1d5a9fd29a1b6cbd9ff6f

SHA256
e34badd3d7aa3a9012fdcc12cbc385de1ef5af240e6ed9f5d17e1d094cdd100b

SHA512
6c08dc704edf0e149ad00e2c6b3e33013d7a86d2d21180a43c60ad35d0d6d1dec533c00ec4d1c09f9a342c51b0275c576e78834e5f924b3d83a4e4e9c2083ff9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads