efc1d3ee568c93071c612163b94ed7b339f1667255f85bf876ef5f2d08d2d340

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Size

380KB
MD5

0b5ba4d013c95cfa205bd47112881dcb
SHA1

bbeb505152012aeae76983e741ffecb71a3fe0b4
SHA256

efc1d3ee568c93071c612163b94ed7b339f1667255f85bf876ef5f2d08d2d340
SHA512

563f97b93defe3937f3afeed3815fa8e1687f4c6f8bbcc50f65c7df1cc5afc1f22d4beea8cbe5c1b262598b82f697b9729f5b710ef6e527b19eddf4bbbf7b1e7
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGel7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022480-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023124-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023130-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023139-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023130-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023139-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2A5F561-2244-4941-99EE-0133F5692227}\stubpath = "C:\\Windows\\{B2A5F561-2244-4941-99EE-0133F5692227}.exe"	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4963B66-3B79-4c35-A2E1-5A67408383EB}\stubpath = "C:\\Windows\\{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe"	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1F56108-4A49-48bd-997A-2CF914B27054}	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1F56108-4A49-48bd-997A-2CF914B27054}\stubpath = "C:\\Windows\\{F1F56108-4A49-48bd-997A-2CF914B27054}.exe"	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}\stubpath = "C:\\Windows\\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe"	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140DA969-78DB-4b21-BD16-72B6970B80C0}\stubpath = "C:\\Windows\\{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe"	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2A5F561-2244-4941-99EE-0133F5692227}	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}\stubpath = "C:\\Windows\\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe"	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3009717C-617E-4946-9C9B-AB851B5F7B02}	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B63A4F37-83A6-4289-AE50-0157DA98B459}	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B63A4F37-83A6-4289-AE50-0157DA98B459}\stubpath = "C:\\Windows\\{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe"	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3009717C-617E-4946-9C9B-AB851B5F7B02}\stubpath = "C:\\Windows\\{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe"	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}\stubpath = "C:\\Windows\\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe"	{B2A5F561-2244-4941-99EE-0133F5692227}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4963B66-3B79-4c35-A2E1-5A67408383EB}	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}\stubpath = "C:\\Windows\\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe"	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140DA969-78DB-4b21-BD16-72B6970B80C0}	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}\stubpath = "C:\\Windows\\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}.exe"	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}	{B2A5F561-2244-4941-99EE-0133F5692227}.exe

Executes dropped EXE 11 IoCs

pid	Process
4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe
3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe
2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
4468	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe
4016	{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B2A5F561-2244-4941-99EE-0133F5692227}.exe	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
File created	C:\Windows\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	{B2A5F561-2244-4941-99EE-0133F5692227}.exe
File created	C:\Windows\{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
File created	C:\Windows\{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
File created	C:\Windows\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
File created	C:\Windows\{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
File created	C:\Windows\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}.exe	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe
File created	C:\Windows\{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
File created	C:\Windows\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
File created	C:\Windows\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
File created	C:\Windows\{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe
Token: SeIncBasePriorityPrivilege	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
Token: SeIncBasePriorityPrivilege	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
Token: SeIncBasePriorityPrivilege	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
Token: SeIncBasePriorityPrivilege	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
Token: SeIncBasePriorityPrivilege	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe
Token: SeIncBasePriorityPrivilege	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
Token: SeIncBasePriorityPrivilege	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
Token: SeIncBasePriorityPrivilege	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
Token: SeIncBasePriorityPrivilege	4468	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4388	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	89
PID 1256 wrote to memory of 4388	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	89
PID 1256 wrote to memory of 4388	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	89
PID 1256 wrote to memory of 2420	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	90
PID 1256 wrote to memory of 2420	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	90
PID 1256 wrote to memory of 2420	1256	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	90
PID 4388 wrote to memory of 3128	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe	93
PID 4388 wrote to memory of 3128	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe	93
PID 4388 wrote to memory of 3128	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe	93
PID 4388 wrote to memory of 3408	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe	94
PID 4388 wrote to memory of 3408	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe	94
PID 4388 wrote to memory of 3408	4388	{B2A5F561-2244-4941-99EE-0133F5692227}.exe	94
PID 3128 wrote to memory of 2632	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	100
PID 3128 wrote to memory of 2632	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	100
PID 3128 wrote to memory of 2632	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	100
PID 3128 wrote to memory of 60	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	101
PID 3128 wrote to memory of 60	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	101
PID 3128 wrote to memory of 60	3128	{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe	101
PID 2632 wrote to memory of 1840	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	103
PID 2632 wrote to memory of 1840	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	103
PID 2632 wrote to memory of 1840	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	103
PID 2632 wrote to memory of 3152	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	104
PID 2632 wrote to memory of 3152	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	104
PID 2632 wrote to memory of 3152	2632	{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe	104
PID 1840 wrote to memory of 3140	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	105
PID 1840 wrote to memory of 3140	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	105
PID 1840 wrote to memory of 3140	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	105
PID 1840 wrote to memory of 2944	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	106
PID 1840 wrote to memory of 2944	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	106
PID 1840 wrote to memory of 2944	1840	{F1F56108-4A49-48bd-997A-2CF914B27054}.exe	106
PID 3140 wrote to memory of 3656	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	107
PID 3140 wrote to memory of 3656	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	107
PID 3140 wrote to memory of 3656	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	107
PID 3140 wrote to memory of 2960	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	108
PID 3140 wrote to memory of 2960	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	108
PID 3140 wrote to memory of 2960	3140	{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe	108
PID 3656 wrote to memory of 2116	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	109
PID 3656 wrote to memory of 2116	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	109
PID 3656 wrote to memory of 2116	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	109
PID 3656 wrote to memory of 4632	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	110
PID 3656 wrote to memory of 4632	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	110
PID 3656 wrote to memory of 4632	3656	{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe	110
PID 2116 wrote to memory of 4832	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	111
PID 2116 wrote to memory of 4832	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	111
PID 2116 wrote to memory of 4832	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	111
PID 2116 wrote to memory of 3472	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	112
PID 2116 wrote to memory of 3472	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	112
PID 2116 wrote to memory of 3472	2116	{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe	112
PID 4832 wrote to memory of 1992	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	113
PID 4832 wrote to memory of 1992	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	113
PID 4832 wrote to memory of 1992	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	113
PID 4832 wrote to memory of 5028	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	114
PID 4832 wrote to memory of 5028	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	114
PID 4832 wrote to memory of 5028	4832	{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe	114
PID 1992 wrote to memory of 4468	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	115
PID 1992 wrote to memory of 4468	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	115
PID 1992 wrote to memory of 4468	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	115
PID 1992 wrote to memory of 3096	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	116
PID 1992 wrote to memory of 3096	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	116
PID 1992 wrote to memory of 3096	1992	{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe	116
PID 4468 wrote to memory of 4016	4468	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe	117
PID 4468 wrote to memory of 4016	4468	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe	117
PID 4468 wrote to memory of 4016	4468	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe	117
PID 4468 wrote to memory of 404	4468	{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\{B2A5F561-2244-4941-99EE-0133F5692227}.exe
  C:\Windows\{B2A5F561-2244-4941-99EE-0133F5692227}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
    C:\Windows\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
      C:\Windows\{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
        
        C:\Windows\{F1F56108-4A49-48bd-997A-2CF914B27054}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
        
        C:\Windows\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe
        
        C:\Windows\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
        
        C:\Windows\{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
        
        C:\Windows\{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
        
        C:\Windows\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe
        
        C:\Windows\{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}.exe
        
        C:\Windows\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}.exe
        12⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30097~1.EXE > nul
        12⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27A93~1.EXE > nul
        11⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{140DA~1.EXE > nul
        10⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B63A4~1.EXE > nul
        9⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1CD1~1.EXE > nul
        8⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B797~1.EXE > nul
        7⤵
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1F56~1.EXE > nul
        6⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4963~1.EXE > nul
        5⤵
        
        PID:3152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA2F~1.EXE > nul
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2A5F~1.EXE > nul
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{140DA969-78DB-4b21-BD16-72B6970B80C0}.exe

Filesize
380KB

MD5
74f427a3d73bed9c7d930f2a5fb37663

SHA1
d43ee776d1812685f4f3033562b9a93353b8e163

SHA256
6d40c6b0e62335c1ef3039e1484b277af8b62e6123511840df63aea309ee2864

SHA512
81bc633ec28b11fb341f1fa6f1333da99fd7efa77f167764ec4ce6b205b1a7ae3240fbf73f5cfb78ecd1e58ae666b85ad03451e8db53dd4b6441e2bd95b01952

Download Submit
C:\Windows\{27A9337E-3C56-42f3-81D9-FE36DEDFF37B}.exe

Filesize
380KB

MD5
da62c53f13933a854fb71676fd87bd24

SHA1
a43ca887fe50c4aba4fe567df4cb03a41519927e

SHA256
f8248dd2e7aed121b29f8b6570b69aff1eebc9f7d67044c55a5c2f11b658583d

SHA512
feaf9689e937969fb8c6513fc1055ef996919655cd16b46dc2ed5d62449f9461d758683255a76810a05ec22d47f2ed54efceae0c16a72875fed3c53cbfbd5b44

Download Submit
C:\Windows\{3009717C-617E-4946-9C9B-AB851B5F7B02}.exe

Filesize
380KB

MD5
e275d56e72da682cadb31de7b86703d0

SHA1
3cee978a468d4280423bfdbe75e2e560aedb40d6

SHA256
e3612ef64a33190db45ccf8d809274ee96ff404559ade4b05c79754589d56e4a

SHA512
8c68e4d86fa8029dc5b3fdb042fa513dbf4b86285d5e078defb9dae4b2ca7f6572d60dbc601d10cc6d0bff1f8ecd5da3090fdec18bbba83704cbc3840910c52e

Download Submit
C:\Windows\{5CBAB08E-59B5-4b46-AAAD-A2BC4F7DB79B}.exe

Filesize
380KB

MD5
673b8755f861f6677119a39e85018a77

SHA1
bd594e337e4ff7841a1abe1a44006958b2034813

SHA256
a37917c0acfa1ff20a7daa2e5fbbdbe00e5a9ad40e4ac5accc793e6e73199d26

SHA512
0d50317a51179493936c428b7cb323f5bd663ba61abb76de1a29d5d2f18314361538d51310a15dfc5da7a96e937d4b45c37958ed6640f91935ab8a870da8fb66

Download Submit
C:\Windows\{7B797C3D-C1DF-4ff9-8BA4-280DB1D3D059}.exe

Filesize
380KB

MD5
1522cf55ae21bde378f5c5e18f84f78e

SHA1
523099fb15302b9653f7591bad73ba5bb9c3e959

SHA256
34f7015cccf05b6e4d87142282cf6092d67d29010080dec90cf62f235edbd081

SHA512
45a2bdc6aab02359d551decc7f6c862e914ece084bf8cbf3a2ab2fceefa028d43291d1e279d918fb5e2f25e6ba281b30526b41aab98fdf9e14b4e85d586c2827

Download Submit
C:\Windows\{8CA2F249-C396-4b68-8B8E-FC4E2AED1C1E}.exe

Filesize
380KB

MD5
42e02fdb83f7bc4ff73d895800b6656d

SHA1
e16ff83f001ae4e6aff833917b9627f2da6e74f4

SHA256
69a8697fc7de880a0c4e008d224339f9401a81f0cc631330ed1c7d1e50016125

SHA512
28c4920a138d12ec180a8039fa2f3f25847eb327b806ebaf33fe3a06caf3a6a64cf70bf4bd548bd8bca07a2fc81c9d40fa9598297dbf671733060adee0377ab8

Download Submit
C:\Windows\{B2A5F561-2244-4941-99EE-0133F5692227}.exe

Filesize
380KB

MD5
018c96fcaeb9fd072ddc01ea99ca4d7b

SHA1
072b8ed80abfbb380abd41e589d4022b733da469

SHA256
bf7136073e13303e8ab21d9d4461ca36022feee703b4bce472b3d7a927b971dd

SHA512
847fcd6663f79f578f5e445baba29ff2ed10abf92ac34608f39835db7ca396ba63173cc4d8922a85c1243f77c1daf03918c3b775718122d18c9158a1cee48ea4

Download Submit
C:\Windows\{B63A4F37-83A6-4289-AE50-0157DA98B459}.exe

Filesize
380KB

MD5
33e230371b025e8e2a809a1de784d79a

SHA1
0bb11f54ecef7b016611838f6285de255d74d82a

SHA256
bdcd5bce94aa4993433dd7a99ba399cfc0dc993e7663e7bd05149d28e4a93bc1

SHA512
077880e2aa7a34d716d50b6dc05fd445e752bb50fceb90251b01da3f298c21da294d3401968f77e432570cee758d36aa6e698ef5b073cbcbaed73ffc7abdb93d

Download Submit
C:\Windows\{C1CD1876-2E29-4b0f-813B-B8FDE5200422}.exe

Filesize
380KB

MD5
1e2cc891cf9b8a7576b6b64cc6e89de1

SHA1
b3e57f389c4f11afcb34b06466d8bb8a21eece45

SHA256
6638d3c96c84b9dcc1cd70096dbafefe65183280361ad6c8b89dc83f8d7303a1

SHA512
fba83b7fde9ef4fcd6eeb5a6a2a850c4c6164e0aadae77566a1a7a67789106f243a38462ad4ede380c85cfd1ab294e469a40635146b37c714e0e5bff3ff448f0

Download Submit
C:\Windows\{D4963B66-3B79-4c35-A2E1-5A67408383EB}.exe

Filesize
380KB

MD5
8e7e0d995a40daf93e8d0a71399c5f87

SHA1
d2402e72b2d21fc2c44fe1bd9643f85f46bacba6

SHA256
66f77b3308cb6176fe35680e1af805face69d39ce414522307d9181191a7fa1d

SHA512
9a7e8d240f96905cf945e95a4a4193983199fe184d74fde2090e0a539d669d6d56d72819c3186fad9878f8a9da9f70689384283d354cfa42177af12031be274e

Download Submit
C:\Windows\{F1F56108-4A49-48bd-997A-2CF914B27054}.exe

Filesize
380KB

MD5
90a8f92a82d947a7a5b918057859225f

SHA1
8ff0043d35d034d474f2de8c91cefdc65634d3e7

SHA256
4f8e9cae6321e4b7ecb93241d57c8d3bc8246260d3b524737aa5c454765cc74b

SHA512
1ef48081fcf3e944eb8b88839f98e52b2deaaa158425fdb468ea4c9e7897542032ccd5db62d7d66d4b0ecf44f52f9aa1799a5576e5c0790e286d75ceeb2313b8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads