4c4189084e41d5281bf09e7f862f5483d68287c16a2394dd69e9a75a0ad41323

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe
Size

408KB
MD5

b3a8149159b54376872ea28662633aaa
SHA1

27ca4edf2b76958edfce8e433bb49441a72ab03d
SHA256

4c4189084e41d5281bf09e7f862f5483d68287c16a2394dd69e9a75a0ad41323
SHA512

90019e6dab604fb2f5f99a2237b75e99f0fb1ce3387df4b79f6306ec561388c88b8f3110fed8083313446e8d9e1ac6cfd96a7635407efb13dda9f260ff8be185
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGpldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001233c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000153c7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001233c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015ba8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001233c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001233c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001233c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881B9C89-745C-448e-9128-CD95996714E1}\stubpath = "C:\\Windows\\{881B9C89-745C-448e-9128-CD95996714E1}.exe"	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2070CAE-E905-4431-A735-A7A4EDE5225E}\stubpath = "C:\\Windows\\{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe"	{881B9C89-745C-448e-9128-CD95996714E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}\stubpath = "C:\\Windows\\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe"	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92022C3-1F42-46b8-943B-EBB25481BC40}\stubpath = "C:\\Windows\\{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe"	{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}	{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881B9C89-745C-448e-9128-CD95996714E1}	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E58808CA-1B4A-445e-BF80-D033334BDFF5}	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}\stubpath = "C:\\Windows\\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe"	{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2D1997-3F00-4d91-98E0-937D64C17100}	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2D1997-3F00-4d91-98E0-937D64C17100}\stubpath = "C:\\Windows\\{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe"	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E58808CA-1B4A-445e-BF80-D033334BDFF5}\stubpath = "C:\\Windows\\{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe"	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}	{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92022C3-1F42-46b8-943B-EBB25481BC40}	{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2070CAE-E905-4431-A735-A7A4EDE5225E}	{881B9C89-745C-448e-9128-CD95996714E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}\stubpath = "C:\\Windows\\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe"	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}\stubpath = "C:\\Windows\\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe"	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}\stubpath = "C:\\Windows\\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe"	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}\stubpath = "C:\\Windows\\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}.exe"	{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe

Deletes itself 1 IoCs

pid	Process
1304	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe
3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe
832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
1724	{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
2068	{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
2844	{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe
1124	{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}.exe	{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe
File created	C:\Windows\{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	{881B9C89-745C-448e-9128-CD95996714E1}.exe
File created	C:\Windows\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
File created	C:\Windows\{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
File created	C:\Windows\{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
File created	C:\Windows\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe	{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
File created	C:\Windows\{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe	{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
File created	C:\Windows\{881B9C89-745C-448e-9128-CD95996714E1}.exe	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe
File created	C:\Windows\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
File created	C:\Windows\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
File created	C:\Windows\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe
Token: SeIncBasePriorityPrivilege	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
Token: SeIncBasePriorityPrivilege	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
Token: SeIncBasePriorityPrivilege	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
Token: SeIncBasePriorityPrivilege	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
Token: SeIncBasePriorityPrivilege	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe
Token: SeIncBasePriorityPrivilege	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
Token: SeIncBasePriorityPrivilege	1724	{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
Token: SeIncBasePriorityPrivilege	2068	{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
Token: SeIncBasePriorityPrivilege	2844	{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2128	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	28
PID 1148 wrote to memory of 2128	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	28
PID 1148 wrote to memory of 2128	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	28
PID 1148 wrote to memory of 2128	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	28
PID 1148 wrote to memory of 1304	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	29
PID 1148 wrote to memory of 1304	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	29
PID 1148 wrote to memory of 1304	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	29
PID 1148 wrote to memory of 1304	1148	2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe	29
PID 2128 wrote to memory of 3008	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	30
PID 2128 wrote to memory of 3008	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	30
PID 2128 wrote to memory of 3008	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	30
PID 2128 wrote to memory of 3008	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	30
PID 2128 wrote to memory of 2080	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	31
PID 2128 wrote to memory of 2080	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	31
PID 2128 wrote to memory of 2080	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	31
PID 2128 wrote to memory of 2080	2128	{881B9C89-745C-448e-9128-CD95996714E1}.exe	31
PID 3008 wrote to memory of 2732	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	32
PID 3008 wrote to memory of 2732	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	32
PID 3008 wrote to memory of 2732	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	32
PID 3008 wrote to memory of 2732	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	32
PID 3008 wrote to memory of 2480	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	33
PID 3008 wrote to memory of 2480	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	33
PID 3008 wrote to memory of 2480	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	33
PID 3008 wrote to memory of 2480	3008	{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe	33
PID 2732 wrote to memory of 2140	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	37
PID 2732 wrote to memory of 2140	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	37
PID 2732 wrote to memory of 2140	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	37
PID 2732 wrote to memory of 2140	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	37
PID 2732 wrote to memory of 1316	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	36
PID 2732 wrote to memory of 1316	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	36
PID 2732 wrote to memory of 1316	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	36
PID 2732 wrote to memory of 1316	2732	{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe	36
PID 2140 wrote to memory of 2816	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	39
PID 2140 wrote to memory of 2816	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	39
PID 2140 wrote to memory of 2816	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	39
PID 2140 wrote to memory of 2816	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	39
PID 2140 wrote to memory of 2932	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	38
PID 2140 wrote to memory of 2932	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	38
PID 2140 wrote to memory of 2932	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	38
PID 2140 wrote to memory of 2932	2140	{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe	38
PID 2816 wrote to memory of 2072	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	41
PID 2816 wrote to memory of 2072	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	41
PID 2816 wrote to memory of 2072	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	41
PID 2816 wrote to memory of 2072	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	41
PID 2816 wrote to memory of 1828	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	40
PID 2816 wrote to memory of 1828	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	40
PID 2816 wrote to memory of 1828	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	40
PID 2816 wrote to memory of 1828	2816	{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe	40
PID 2072 wrote to memory of 832	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	43
PID 2072 wrote to memory of 832	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	43
PID 2072 wrote to memory of 832	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	43
PID 2072 wrote to memory of 832	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	43
PID 2072 wrote to memory of 1040	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	42
PID 2072 wrote to memory of 1040	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	42
PID 2072 wrote to memory of 1040	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	42
PID 2072 wrote to memory of 1040	2072	{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe	42
PID 832 wrote to memory of 1724	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	44
PID 832 wrote to memory of 1724	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	44
PID 832 wrote to memory of 1724	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	44
PID 832 wrote to memory of 1724	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	44
PID 832 wrote to memory of 1668	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	45
PID 832 wrote to memory of 1668	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	45
PID 832 wrote to memory of 1668	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	45
PID 832 wrote to memory of 1668	832	{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_b3a8149159b54376872ea28662633aaa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\{881B9C89-745C-448e-9128-CD95996714E1}.exe
  C:\Windows\{881B9C89-745C-448e-9128-CD95996714E1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
    C:\Windows\{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
      C:\Windows\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46DA5~1.EXE > nul
        5⤵
        
        PID:1316
    - - C:\Windows\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
        
        C:\Windows\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3AE~1.EXE > nul
        6⤵
        
        PID:2932
      - C:\Windows\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
        
        C:\Windows\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F54C~1.EXE > nul
        7⤵
        
        PID:1828
        
        C:\Windows\{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe
        
        C:\Windows\{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E2D1~1.EXE > nul
        8⤵
        
        PID:1040
        
        C:\Windows\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
        
        C:\Windows\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
        
        C:\Windows\{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
        
        C:\Windows\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C041~1.EXE > nul
        11⤵
        
        PID:2116
        
        C:\Windows\{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe
        
        C:\Windows\{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}.exe
        
        C:\Windows\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9202~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5880~1.EXE > nul
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9436~1.EXE > nul
        9⤵
        
        PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E2070~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{881B9~1.EXE > nul
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E2D1997-3F00-4d91-98E0-937D64C17100}.exe

Filesize
408KB

MD5
eba9ecbe866a9d2153ee9403ffe3cc61

SHA1
87d0451e4174a3f32bbeac754d48de6c2aede48a

SHA256
2e3f9ddb998f9af4cd3b7d0732d2014d2d6841a42949d34989293f6b2704f7f0

SHA512
f3ed48d0c47931c4bc23e41074aa5cfe001dd83bc52be514d678d009c5e7327424e0672531e267e13582ac7a421818c06854f747187cc9a0d8daf9c79e43e2b7

Download Submit
C:\Windows\{0F54CBB8-D256-4ffc-BC94-A518FD9ABBB6}.exe

Filesize
408KB

MD5
914dc7ade896bd95fd5896d7fde47d5f

SHA1
a4f614b49afb7488329abc43147ebb75bad616ec

SHA256
a028c5ab3a917268b77b8ff973ecfe1449f8d8eb35d41d57819369106717fe2d

SHA512
e1729463660fa004c0b0d70eb8a01d041c1431b9652cd2f90c03feab91dd0b62c268254d22360e65634a1001584043f07836ce68010b452daebd0b3e0f573d28

Download Submit
C:\Windows\{46DA52A0-8629-4db9-B539-CC1D902CE8EE}.exe

Filesize
408KB

MD5
6f4cce1f9912aea36e472a7028b6df59

SHA1
2cf34da70c46cda3aac4eec964ec34541801ebf0

SHA256
0ecccdc524af18451c66a512296265c510f25e3a38675fd64edadf33961d8100

SHA512
aef714ff5918668933fd6fa07b3ba9840ab31b3da4d81bf2e5dbae5129b551ee3364a387cd5293a38961c77636cf1704c0b3d32a757050c3a897b2c33baf8712

Download Submit
C:\Windows\{881B9C89-745C-448e-9128-CD95996714E1}.exe

Filesize
408KB

MD5
1633a541ccc797b3036048ca277bdfc0

SHA1
0f3fc09771574d3a3f692eddc0c239c48ec002b9

SHA256
c64ad35b975cac3c102e1b5e3610a08dc25b736abad957e80ba5c19c23300e8f

SHA512
79a3fe73014b2b60d451b3ec46660babe01c9cbdb423f537cdbefff6e5e22ad23945b8577a5edebe66dff3d47382215436d445d2f06028d6b4c93d2d83662080

Download Submit
C:\Windows\{8C0416C6-9F5D-4bbc-9474-1D2633906F04}.exe

Filesize
408KB

MD5
0917df1b63b4bd5caaa0fd5f7a1a9ff4

SHA1
4a175bb5017ef3678d4e44a36c2b7290f28df248

SHA256
9edfb86eeaf9d998ce31de871535831525e2c3acd6a5782b77ff57acce4e7c62

SHA512
c617027228801c7ea1eb90a607ed7de48e13062972a9672a0a9cc5417d79c4a4af6fcffc5ebd3f0f1f70f2e0dd80520691b0fbd8b68b46dd29558990c33eef3f

Download Submit
C:\Windows\{A94368B9-4C22-42c9-AF3C-10D8E97E7FE3}.exe

Filesize
408KB

MD5
b17ac155f575658fca5eebef787cb0ab

SHA1
b1102221045a6916e0728063df1e07c595e12cbe

SHA256
b31478bedb8d0b4efbbcf0ad0a06c270cef5a28408c5a40fef7ff17636cfce90

SHA512
ad81b2af93b31ade36db1c4287d6cf4eeceaf7a431731e113dcc9818d0e5cbb41bd21b520587d903b5dec36f1f647013cba0bc645369663c705312bbaf2d73d8

Download Submit
C:\Windows\{AB3AE897-427B-46b7-931E-3EFDC73B6BB8}.exe

Filesize
408KB

MD5
4c5cc519144c9804fad836590a021f4f

SHA1
4362c54815703cb3dab2e441abfaeafe3fbe9a7f

SHA256
71e8fac99e1250104cb4aa8e8fc028287dc3ba08e58bc3cf521099157c33402d

SHA512
e6e183ee5d01091389aacb50786973527ec65967c5b4b59c024c593eb2db47cc45f552d45f4b1db0a3b675f2f71353a8022797faf98a6489d3adb3e84bd0cefb

Download Submit
C:\Windows\{C92022C3-1F42-46b8-943B-EBB25481BC40}.exe

Filesize
408KB

MD5
e6952e9fd990ec7106c568192b70e1b0

SHA1
0324ea68da9a801375f487a09cc4af8f52f83c5c

SHA256
c98538786da5efe1405e04606b4b43d17628e94ff7f418b54d316a600f373e1a

SHA512
cda31c6d7b600c20c9b7abdaa0c651e2e78692164873d674f5059403212355ad2d4798e4d49c143af5ae13108778e26ef203a1d8a8361d9914cbaa2cb61eb2a9

Download Submit
C:\Windows\{D9F51E3E-17DF-48b1-A169-CF9FCDC46EA7}.exe

Filesize
408KB

MD5
5086ad7fdfdc3f2d4ee153ea88dea6cb

SHA1
45a5a30a428c541ad7797d6a8fedacdca76f4106

SHA256
a184814128053d09b591fcddc4d309d5e302495a53275e58668a16ff77b7f7a8

SHA512
5bc53dd6503b532ec725fc22d4066f28dc5fd8a8d95f9211155c3edd3050700f64662445e761809c6321b9da75e67a008643345c3d87637da3c37c3116db886b

Download Submit
C:\Windows\{E2070CAE-E905-4431-A735-A7A4EDE5225E}.exe

Filesize
408KB

MD5
c4b703c2bd2d39b049d7451ae155339c

SHA1
c73371a05e01af60e7c14f4b72f238503460e1be

SHA256
bd4bd3dc40f9256ea91b65a01a59531feaf7451c3de39947c382381762bc7dd3

SHA512
db84e09a5a73ad6680b08f53c104ec347971b6e128337fcee558af9e04ed0547187208e1751b2e3a01a8e60cf72e61fd2952f986648e69a4b859608a027d418b

Download Submit
C:\Windows\{E58808CA-1B4A-445e-BF80-D033334BDFF5}.exe

Filesize
408KB

MD5
519e1c0d462314588003f490022338dc

SHA1
f87d7a88812a3f559fa4317b12887040fc780177

SHA256
7597b34245f0e059c09ab21d60a98b837ab5b0380a3a32f51ba02198d41d62c5

SHA512
b1f39205d4102cdc5f91304a26bd00e1d8533b4b33e0f6fecdecd8cf2f7cd8658fd2b6d91e34603c9692cd13f1eb4db514b7ed65309a62822db54fe62e4ac64a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads