6d32e498e4bb6db79936ca79a7ad5cdcf4f09006144c5e98b3e95ec65624d6b1

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Size

192KB
MD5

a36b75335d4b0c61cd9a9716f0e30a76
SHA1

a14f8d513b2eb94bc8295b32cc7117efb3395183
SHA256

6d32e498e4bb6db79936ca79a7ad5cdcf4f09006144c5e98b3e95ec65624d6b1
SHA512

539ff821f724d18aca9964da96dfe80ad08422ee080efa2772e6136ffa664b9a31e9ded9931f9d5c49d788e2f1fd1d988a5ef7825e224a177367c1679eaf9c41
SSDEEP

1536:1EGh0oVl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oVl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000600000002311a-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023126-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002312a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023126-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002312a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}\stubpath = "C:\\Windows\\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe"	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1B2367-0594-46e5-8002-CCE36913463F}	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F55A682-BC3D-4378-863E-6259F9C40D6C}\stubpath = "C:\\Windows\\{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe"	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6184B8C0-80A9-4618-8734-B304D63F9226}	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2047B873-0989-4511-9EAB-92F45BB185F2}	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}\stubpath = "C:\\Windows\\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}.exe"	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{070AE305-52EB-4090-AD9A-BD67BAA1062F}	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786FBEE7-2621-483a-AE70-6D8EA370DB68}	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F55A682-BC3D-4378-863E-6259F9C40D6C}	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2047B873-0989-4511-9EAB-92F45BB185F2}\stubpath = "C:\\Windows\\{2047B873-0989-4511-9EAB-92F45BB185F2}.exe"	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6184B8C0-80A9-4618-8734-B304D63F9226}\stubpath = "C:\\Windows\\{6184B8C0-80A9-4618-8734-B304D63F9226}.exe"	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997B4226-851B-4e33-B1AD-CA4AB59B8157}	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{070AE305-52EB-4090-AD9A-BD67BAA1062F}\stubpath = "C:\\Windows\\{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe"	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}\stubpath = "C:\\Windows\\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe"	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1B2367-0594-46e5-8002-CCE36913463F}\stubpath = "C:\\Windows\\{2D1B2367-0594-46e5-8002-CCE36913463F}.exe"	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997B4226-851B-4e33-B1AD-CA4AB59B8157}\stubpath = "C:\\Windows\\{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe"	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}\stubpath = "C:\\Windows\\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe"	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786FBEE7-2621-483a-AE70-6D8EA370DB68}\stubpath = "C:\\Windows\\{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe"	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe

Executes dropped EXE 11 IoCs

pid	Process
3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe
2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
4384	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe
2384	{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
File created	C:\Windows\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
File created	C:\Windows\{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
File created	C:\Windows\{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe
File created	C:\Windows\{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
File created	C:\Windows\{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
File created	C:\Windows\{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
File created	C:\Windows\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
File created	C:\Windows\{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
File created	C:\Windows\{2047B873-0989-4511-9EAB-92F45BB185F2}.exe	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
File created	C:\Windows\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}.exe	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
Token: SeIncBasePriorityPrivilege	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
Token: SeIncBasePriorityPrivilege	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
Token: SeIncBasePriorityPrivilege	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe
Token: SeIncBasePriorityPrivilege	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
Token: SeIncBasePriorityPrivilege	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
Token: SeIncBasePriorityPrivilege	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
Token: SeIncBasePriorityPrivilege	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
Token: SeIncBasePriorityPrivilege	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
Token: SeIncBasePriorityPrivilege	4384	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3504	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	88
PID 2024 wrote to memory of 3504	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	88
PID 2024 wrote to memory of 3504	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	88
PID 2024 wrote to memory of 420	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	89
PID 2024 wrote to memory of 420	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	89
PID 2024 wrote to memory of 420	2024	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	89
PID 3504 wrote to memory of 888	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	94
PID 3504 wrote to memory of 888	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	94
PID 3504 wrote to memory of 888	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	94
PID 3504 wrote to memory of 1916	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	95
PID 3504 wrote to memory of 1916	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	95
PID 3504 wrote to memory of 1916	3504	{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe	95
PID 888 wrote to memory of 2128	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	97
PID 888 wrote to memory of 2128	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	97
PID 888 wrote to memory of 2128	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	97
PID 888 wrote to memory of 2900	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	96
PID 888 wrote to memory of 2900	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	96
PID 888 wrote to memory of 2900	888	{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe	96
PID 2128 wrote to memory of 3600	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	98
PID 2128 wrote to memory of 3600	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	98
PID 2128 wrote to memory of 3600	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	98
PID 2128 wrote to memory of 2520	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	99
PID 2128 wrote to memory of 2520	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	99
PID 2128 wrote to memory of 2520	2128	{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe	99
PID 3600 wrote to memory of 2924	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	100
PID 3600 wrote to memory of 2924	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	100
PID 3600 wrote to memory of 2924	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	100
PID 3600 wrote to memory of 3860	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	101
PID 3600 wrote to memory of 3860	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	101
PID 3600 wrote to memory of 3860	3600	{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe	101
PID 2924 wrote to memory of 3940	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	102
PID 2924 wrote to memory of 3940	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	102
PID 2924 wrote to memory of 3940	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	102
PID 2924 wrote to memory of 1020	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	103
PID 2924 wrote to memory of 1020	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	103
PID 2924 wrote to memory of 1020	2924	{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe	103
PID 3940 wrote to memory of 3164	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	104
PID 3940 wrote to memory of 3164	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	104
PID 3940 wrote to memory of 3164	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	104
PID 3940 wrote to memory of 4672	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	105
PID 3940 wrote to memory of 4672	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	105
PID 3940 wrote to memory of 4672	3940	{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe	105
PID 3164 wrote to memory of 5032	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	106
PID 3164 wrote to memory of 5032	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	106
PID 3164 wrote to memory of 5032	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	106
PID 3164 wrote to memory of 3432	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	107
PID 3164 wrote to memory of 3432	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	107
PID 3164 wrote to memory of 3432	3164	{2D1B2367-0594-46e5-8002-CCE36913463F}.exe	107
PID 5032 wrote to memory of 4916	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	108
PID 5032 wrote to memory of 4916	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	108
PID 5032 wrote to memory of 4916	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	108
PID 5032 wrote to memory of 536	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	109
PID 5032 wrote to memory of 536	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	109
PID 5032 wrote to memory of 536	5032	{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe	109
PID 4916 wrote to memory of 4384	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	110
PID 4916 wrote to memory of 4384	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	110
PID 4916 wrote to memory of 4384	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	110
PID 4916 wrote to memory of 4960	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	111
PID 4916 wrote to memory of 4960	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	111
PID 4916 wrote to memory of 4960	4916	{6184B8C0-80A9-4618-8734-B304D63F9226}.exe	111
PID 4384 wrote to memory of 2384	4384	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe	112
PID 4384 wrote to memory of 2384	4384	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe	112
PID 4384 wrote to memory of 2384	4384	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe	112
PID 4384 wrote to memory of 1740	4384	{2047B873-0989-4511-9EAB-92F45BB185F2}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
  C:\Windows\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
    C:\Windows\{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{997B4~1.EXE > nul
      4⤵
      PID:2900
  - - C:\Windows\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
      C:\Windows\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe
        
        C:\Windows\{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
        
        C:\Windows\{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
        
        C:\Windows\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
        
        C:\Windows\{2D1B2367-0594-46e5-8002-CCE36913463F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
        
        C:\Windows\{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
        
        C:\Windows\{6184B8C0-80A9-4618-8734-B304D63F9226}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{2047B873-0989-4511-9EAB-92F45BB185F2}.exe
        
        C:\Windows\{2047B873-0989-4511-9EAB-92F45BB185F2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}.exe
        
        C:\Windows\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}.exe
        12⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2047B~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6184B~1.EXE > nul
        11⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F55A~1.EXE > nul
        10⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D1B2~1.EXE > nul
        9⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECD1~1.EXE > nul
        8⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{786FB~1.EXE > nul
        7⤵
        
        PID:1020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{070AE~1.EXE > nul
        6⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{470D6~1.EXE > nul
        5⤵
        
        PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FECC4~1.EXE > nul
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{070AE305-52EB-4090-AD9A-BD67BAA1062F}.exe

Filesize
192KB

MD5
f835e3f6fc5384bf7ecc64a28b5a86f9

SHA1
5e3c561f68ac7be3ec92f7213647efb6ec59498d

SHA256
f8f30af6b45fe02ad289ff7c6cda0e238ebe366261d4afe758dc380be2501d93

SHA512
af4c0c29095c75c89277b61387076564d0772dc3ce63917392f344659e32ee1b3ff13e1b1223ff49d3eccfd52254471882e4805f0c85e904d35886ef6a5e2e9b

Download Submit
C:\Windows\{2047B873-0989-4511-9EAB-92F45BB185F2}.exe

Filesize
192KB

MD5
ab7685834edbe7a15897b199b139eeda

SHA1
611b6bb3ed8da42ddca82b7fa2ee611eb5285deb

SHA256
f0dc97f935d9b9d100964cf620194e758595fe7b2d057fae30c6c3896738caaf

SHA512
e98f8c364ee58eaec8bad04bb9ee6316ecac1dc148a96b46dad497a65c544c51ab31255a1b7fdef5297c3faacf63c2c25b11cfca9738223e5a4c0a8bc8f5fdca

Download Submit
C:\Windows\{2D1B2367-0594-46e5-8002-CCE36913463F}.exe

Filesize
192KB

MD5
a61c44e9c054fdfaa0487a8edf7f8691

SHA1
7ce4bdee50143af263f44b69113b9cabdba4ddb9

SHA256
04503fd5a3efef71b253eb34182ce456c1a79d58ad05e1721f96b31cf7f6c43c

SHA512
a2bd705ae436a15eeaa2999bb3a733d99ae26759ce852d8bd963b3f6b345b0aca5e564e889a9a5f20a5337544c26d6e06ce3781a8f783f29f1122db7b1cd64c6

Download Submit
C:\Windows\{470D6D9E-943E-4ac0-8025-5ED8F1E19EF7}.exe

Filesize
192KB

MD5
23f2c1ccec1d5ec1d1f9fe5bfafba537

SHA1
8f9cb456c0011ec577871edb8442ed3c3b0130a9

SHA256
8882651a14e6c4590b68cc7ed1c54d73d4cb919af204f2f22574fd7ab9188116

SHA512
9448a75e04f43842a202fa7f41d0496020e2a5c43ce30fe49925a057bf9b5975a39a39a247933967c9d4a181e1cd282158971a0b45aee0afd3aecc7f1eb70bc8

Download Submit
C:\Windows\{54FCC5A3-5273-4b22-AF4D-A1ADBD476652}.exe

Filesize
192KB

MD5
7bf1114fc9243e44529b05d313164718

SHA1
c7431b31f060f7d3074828953711be1a74956c58

SHA256
ccf7847f14aa14dbeea82bab8acbac8d0bad388efe3dcdafd96a41a69d312383

SHA512
ba0f431d1ec0f04e12c1d2fe4e933667d54183afb37093b61575433bfc0200bc22740c27fb7abdab236d44d305651aec7f03282f496e733386f592cc79d1650a

Download Submit
C:\Windows\{6184B8C0-80A9-4618-8734-B304D63F9226}.exe

Filesize
192KB

MD5
93d9ad893f9713764a00724eb76975cd

SHA1
d145b3564e8cf28d28d75ac35e554b88f49f8e3f

SHA256
10fc5045913b804991056b624ca561b7c3898deb19c7bd74f212536e01c4f0b9

SHA512
edb9f6d930f2e78434452c2b103c93ad9e43a12512979503e7a504223f01d919d95d01a54698ceadf6ffe5bc7040c7d55eff5cba49a688d156f584df5704c868

Download Submit
C:\Windows\{786FBEE7-2621-483a-AE70-6D8EA370DB68}.exe

Filesize
192KB

MD5
900bc97185c8e2031710b923eda5ab8d

SHA1
6c747ebf1cb769572845414785a13ac9aa68a362

SHA256
7a33429224e76d756db68e557c1518c0a67d4b2737f83f65ef55643dec049cc7

SHA512
b87875c79282477b5f7f33348cc37b89656c56a8ba7b4706be607b7c048bc1a5063593b5fd8646ca59a5059061137844de96259b6af104fc1ce12fd7a15f0404

Download Submit
C:\Windows\{7ECD1264-7F2F-421c-BADD-B7AEB99AB6CB}.exe

Filesize
192KB

MD5
1a8aa3e03e819dd6282cfe501fbef598

SHA1
28b3f4756408537fc99d5232409e7cfc6b6b2f4d

SHA256
eeb17aaaec5f17cc6613c542cc1d5d6fbcdcb82ec7ad72ef9486551be66fc4bb

SHA512
2678a7168d00b1c2be4498a526f464486be121b16bc69c2c83e5dd4adde47ffb1f809de6b3747e54844fe74b42cfcb09a612392e781c97e0b3d7af37a7b6b017

Download Submit
C:\Windows\{997B4226-851B-4e33-B1AD-CA4AB59B8157}.exe

Filesize
192KB

MD5
8d3564bdd85db6bf00881ef26bee5902

SHA1
5de6113b386106dd7dbdc0cbf4384571db647f68

SHA256
861b2bd4984631983758ef13acf5ef0e879663c3c34d854715a5b35b50db7f8d

SHA512
b665f45428e4a42e738ea097d5b2d7c79c0a0a63243286b126f5a0c668945b6ec9421060f26f2f3fa9de085671d5a414fb1bc42b8ec375b9de140713ca452f4f

Download Submit
C:\Windows\{9F55A682-BC3D-4378-863E-6259F9C40D6C}.exe

Filesize
192KB

MD5
746e87fe51fed8e7ff072dd2c10fb744

SHA1
c65f2f3623855c6bfa633ab0a98d1f22c8e3a966

SHA256
89f70e9536785f31d0816a74dee483ccc46772775306af323b155ba0dfa13a14

SHA512
21dfeeb0f15eafb6440d324ca316a5a256ced5c936a28c7345fff694b95f293e0803add4cf3e3461dbc7b28e47324c271188533a00cd95328b43864bb976cca7

Download Submit
C:\Windows\{FECC48A7-4C13-44e0-8DC6-726FFB2F66C1}.exe

Filesize
192KB

MD5
03caf9ee1ab16a35a7244ebcbbfba80a

SHA1
c655217260291083581ea1c1ed71012889d31dd3

SHA256
19ba78f877e7d6ef9d6713f2c5681adf928d69547401d4ced55d746af6ec9aeb

SHA512
6f7bddc03f4c4b036d404aca0c151ffa8218f83419a15a2f011bd2a28444a25ec64f0e2f1ced6ed9577fa7d59755fb490d642f19a53e550a73de414fd5d013cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads