0bd996147afc8a9d7118a14a30292e5e76a1d90936f835fd5ad674e184e14164

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Size

197KB
MD5

53677e53c1d82111b26a3e98256f54f4
SHA1

fd9dd7af39647db49bfd3ef3f7c6a92cbccd562d
SHA256

0bd996147afc8a9d7118a14a30292e5e76a1d90936f835fd5ad674e184e14164
SHA512

11e2f488f409b7091f33913bfe13778cf4d1756f20dccebc547cb8054dc7a4e2146b6433602f412fd53d74982bdf2bce9fa1f57cd73dab367de98477b7545047
SSDEEP

3072:jEGh0oQl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGClEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012232-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122bf-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122bf-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122bf-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122bf-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122bf-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}\stubpath = "C:\\Windows\\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe"	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}\stubpath = "C:\\Windows\\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}.exe"	{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D62333E5-073C-42cc-AC99-8975BF6DFE53}\stubpath = "C:\\Windows\\{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe"	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}\stubpath = "C:\\Windows\\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe"	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}\stubpath = "C:\\Windows\\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe"	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3714797C-5F7F-4666-AA6A-5D070613673C}	{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{733759C3-7325-4b70-927F-DEBE9FB4AB88}	{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3456C6FA-3320-49d3-ABF2-58959C7370A7}	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D62333E5-073C-42cc-AC99-8975BF6DFE53}	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}\stubpath = "C:\\Windows\\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe"	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}\stubpath = "C:\\Windows\\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe"	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{733759C3-7325-4b70-927F-DEBE9FB4AB88}\stubpath = "C:\\Windows\\{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe"	{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3456C6FA-3320-49d3-ABF2-58959C7370A7}\stubpath = "C:\\Windows\\{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe"	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}	{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}\stubpath = "C:\\Windows\\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe"	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3714797C-5F7F-4666-AA6A-5D070613673C}\stubpath = "C:\\Windows\\{3714797C-5F7F-4666-AA6A-5D070613673C}.exe"	{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe
1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
2224	{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe
864	{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
2012	{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe
2348	{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}.exe	{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe
File created	C:\Windows\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
File created	C:\Windows\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
File created	C:\Windows\{3714797C-5F7F-4666-AA6A-5D070613673C}.exe	{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe
File created	C:\Windows\{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe	{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
File created	C:\Windows\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
File created	C:\Windows\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
File created	C:\Windows\{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
File created	C:\Windows\{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
File created	C:\Windows\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
File created	C:\Windows\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
Token: SeIncBasePriorityPrivilege	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
Token: SeIncBasePriorityPrivilege	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe
Token: SeIncBasePriorityPrivilege	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
Token: SeIncBasePriorityPrivilege	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
Token: SeIncBasePriorityPrivilege	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
Token: SeIncBasePriorityPrivilege	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
Token: SeIncBasePriorityPrivilege	2224	{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe
Token: SeIncBasePriorityPrivilege	864	{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
Token: SeIncBasePriorityPrivilege	2012	{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2740	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	28
PID 2772 wrote to memory of 2740	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	28
PID 2772 wrote to memory of 2740	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	28
PID 2772 wrote to memory of 2740	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	28
PID 2772 wrote to memory of 2828	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	29
PID 2772 wrote to memory of 2828	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	29
PID 2772 wrote to memory of 2828	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	29
PID 2772 wrote to memory of 2828	2772	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	29
PID 2740 wrote to memory of 2832	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	30
PID 2740 wrote to memory of 2832	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	30
PID 2740 wrote to memory of 2832	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	30
PID 2740 wrote to memory of 2832	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	30
PID 2740 wrote to memory of 2336	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	31
PID 2740 wrote to memory of 2336	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	31
PID 2740 wrote to memory of 2336	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	31
PID 2740 wrote to memory of 2336	2740	{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe	31
PID 2832 wrote to memory of 3024	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	34
PID 2832 wrote to memory of 3024	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	34
PID 2832 wrote to memory of 3024	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	34
PID 2832 wrote to memory of 3024	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	34
PID 2832 wrote to memory of 1356	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	35
PID 2832 wrote to memory of 1356	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	35
PID 2832 wrote to memory of 1356	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	35
PID 2832 wrote to memory of 1356	2832	{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe	35
PID 3024 wrote to memory of 1800	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	36
PID 3024 wrote to memory of 1800	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	36
PID 3024 wrote to memory of 1800	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	36
PID 3024 wrote to memory of 1800	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	36
PID 3024 wrote to memory of 1172	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	37
PID 3024 wrote to memory of 1172	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	37
PID 3024 wrote to memory of 1172	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	37
PID 3024 wrote to memory of 1172	3024	{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe	37
PID 1800 wrote to memory of 292	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	38
PID 1800 wrote to memory of 292	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	38
PID 1800 wrote to memory of 292	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	38
PID 1800 wrote to memory of 292	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	38
PID 1800 wrote to memory of 2868	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	39
PID 1800 wrote to memory of 2868	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	39
PID 1800 wrote to memory of 2868	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	39
PID 1800 wrote to memory of 2868	1800	{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe	39
PID 292 wrote to memory of 3016	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	40
PID 292 wrote to memory of 3016	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	40
PID 292 wrote to memory of 3016	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	40
PID 292 wrote to memory of 3016	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	40
PID 292 wrote to memory of 2440	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	41
PID 292 wrote to memory of 2440	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	41
PID 292 wrote to memory of 2440	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	41
PID 292 wrote to memory of 2440	292	{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe	41
PID 3016 wrote to memory of 1144	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	42
PID 3016 wrote to memory of 1144	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	42
PID 3016 wrote to memory of 1144	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	42
PID 3016 wrote to memory of 1144	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	42
PID 3016 wrote to memory of 956	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	43
PID 3016 wrote to memory of 956	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	43
PID 3016 wrote to memory of 956	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	43
PID 3016 wrote to memory of 956	3016	{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe	43
PID 1144 wrote to memory of 2224	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	44
PID 1144 wrote to memory of 2224	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	44
PID 1144 wrote to memory of 2224	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	44
PID 1144 wrote to memory of 2224	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	44
PID 1144 wrote to memory of 1336	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	45
PID 1144 wrote to memory of 1336	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	45
PID 1144 wrote to memory of 1336	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	45
PID 1144 wrote to memory of 1336	1144	{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
  C:\Windows\{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
    C:\Windows\{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe
      C:\Windows\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
        
        C:\Windows\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
        
        C:\Windows\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
        
        C:\Windows\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
        
        C:\Windows\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe
        
        C:\Windows\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
        
        C:\Windows\{3714797C-5F7F-4666-AA6A-5D070613673C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe
        
        C:\Windows\{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}.exe
        
        C:\Windows\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}.exe
        12⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73375~1.EXE > nul
        12⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37147~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BBCA~1.EXE > nul
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF76~1.EXE > nul
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C8A8~1.EXE > nul
        8⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A37B~1.EXE > nul
        7⤵
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE138~1.EXE > nul
        6⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34A83~1.EXE > nul
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6233~1.EXE > nul
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3456C~1.EXE > nul
    3⤵
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A37B872-F6E1-45ff-90C0-C03109E04EFD}.exe

Filesize
197KB

MD5
bee153a6ac7507d878da5dd871ef7a56

SHA1
022c76afe4b884ef81bca6fe11be7162f4bf82d5

SHA256
c95ceea5afe0d4948ab2b7839361f19414d9b28c2aaed450bd4e3358b3a35ba4

SHA512
d1f65a0a6dbfe6b42bfd53d53ab3a27269abb1b1b1c9f9738c9646d04ee2d47986a92c38ef7d623faa64ed05c759d1b9d87ad02280ceeaccef4961df28d91112

Download Submit
C:\Windows\{3456C6FA-3320-49d3-ABF2-58959C7370A7}.exe

Filesize
197KB

MD5
2876a7171f81d4273eceebf42bb477af

SHA1
043d836ac8355849368869bf7148b57f23d025db

SHA256
b2c92621e2b20b55f1bf2bfc2e8450cc311fa292e9e17d76d504d234be315ffc

SHA512
d1c620b9065bb5e14ac3d5d558b941eba69f9b0156e9820c7d50e58c42351189d7425e0b2b8addecfcc4759a7da977535224522915d9e370930b57cb836c7f0d

Download Submit
C:\Windows\{34A8364F-4B89-4a8f-82EA-0A8BB11D35E3}.exe

Filesize
197KB

MD5
acb621f4fd241f33931523c5aa89b0f2

SHA1
d03e3547207b09d51838e52cf6c372f55e10f897

SHA256
c9dbae7473452cd4cf3ad528eb9c27cfedf16b8ff6c501c389f54813841b8c1e

SHA512
b49b5d968dfd8db9f03e5b3f9259fa5f914024a3f8056c10407845f38efff2023435e6700262387da68bebb9146c7d0923ab50e810dbbce55a16d139e9bd105d

Download Submit
C:\Windows\{3714797C-5F7F-4666-AA6A-5D070613673C}.exe

Filesize
197KB

MD5
1c1f00758ca9d21861242a1d997cf7e6

SHA1
c67341441bfdd7254c97261d18e2cdfa2dc7a89c

SHA256
92b5bd844352824aac07249e321ba70f35ac2d19c3b4bdb125998c0532b93320

SHA512
14938a8d23212bc92fda470d94b30ba159939873bb600195893eaab286c56583ab8cc9d243868adc36545cff337f7c8f50db5f8a9a9c4e3463ae09d32514783f

Download Submit
C:\Windows\{43B9038E-C94A-4a4c-8EFF-0D83A02F0091}.exe

Filesize
197KB

MD5
73644de74c5dcb0b7465c5964169a937

SHA1
073754ceee4c4aa49d69eccd7902a980332b1c57

SHA256
013e22e702cc0c0aa777dd1909d46c38c8968d8b39158ccdc96c926bd2d3fb89

SHA512
6baf73e1f568ca7604b83b969d0aa5033d40ff7d7c6d5ec7c34b9f6d953f2821076499aedcc7d7dd6f121db89e0d63172737b77069f34c46304fd5ab617c0d47

Download Submit
C:\Windows\{4C8A8D6E-3758-44cd-81A6-B3D82A89768A}.exe

Filesize
197KB

MD5
ee6d29e1a2e32bd76ee5f00c667ec1e6

SHA1
2caf13fb624d83e78f0fbbb3bd1d099549106c25

SHA256
5941bd42578af9fd173d8db71f1f1f819874bd911aef06e7d3a785c19aef3c45

SHA512
2308ef6e9b9aea1f098c0e46cfbe7cbc09d06794650065765c9dddfd33ea2d95c0312fc431669223ccb7da5be00c9a3b1d8493e8b4c95ad2417b0c0097c3c204

Download Submit
C:\Windows\{733759C3-7325-4b70-927F-DEBE9FB4AB88}.exe

Filesize
197KB

MD5
e69c3c8f3ece9b701e491dfd0e128b00

SHA1
3653414992ee2bec56ab5ee60aa5c9d817155385

SHA256
0a18af846e2ce7c948210fee5e6ad206d568b74734f5d10034f036b5f8c3a0c2

SHA512
b2621d7daeff6c6be612401b1ea2ae0ad11edb78ed7cd7e6d97d7fbdec5fb0a5cbfac6e2474328b841ece136a39292436cb2edcb5114d7bdbb9ccdf0150decef

Download Submit
C:\Windows\{8BBCA030-F15E-4b95-9F13-F3181DEF5564}.exe

Filesize
197KB

MD5
b9f4a63181cd3ec990a0af5e15896d70

SHA1
6cbdf406a4a3e0fcff5372b2f14b64eb40abbfad

SHA256
405850231af09ed7c8072a22e72c843ed6621d6dbc8ed2f29be970b470b04318

SHA512
f5c77fe2ab3a3869067a10a04a8ca9487cfd28678b3b32fe551815e3316e971cab661c548b26c26cbd56342323a039e8235040a58224811cd4e5aba028b27d2a

Download Submit
C:\Windows\{9CF76C80-4267-4eb4-B9D9-66B449CBACE2}.exe

Filesize
197KB

MD5
f8c4128ff9cb53568db2a48e792b3550

SHA1
0e36261751438ebb03ca7b38f8fdb692dc7c29cf

SHA256
f5c5e70f982b079ba155145a0f32092e9d345466d008eb9e86f2ca8c3f5e7ee2

SHA512
f1d816036537f07883da45df0da2333a873f44f470bbb9d8e24dc669e03dfbba420c27839d5e89dd93680c864b3e9fe2d8ce056812eb17a5e3832d4ddb74a172

Download Submit
C:\Windows\{D62333E5-073C-42cc-AC99-8975BF6DFE53}.exe

Filesize
197KB

MD5
73684b56f6ed981039aceb8c32bc28af

SHA1
0d4a9ebcebd573f6953026e8e48b7a709043506a

SHA256
524a3cf0352242fb553a4c7d7593a639fb8de17ac77763b1c77b955e9c51afdf

SHA512
6fe7d3904ce4244aca4ad4b9ba8482d0ad76b3982ceb6d004c2043644e373e401ea496d700bb7ca3c98f14e8288977b83ebfe78ebcf33ddf921d5483b8edfd13

Download Submit
C:\Windows\{FE138EEB-F1E1-4889-B4B0-470D2467B32A}.exe

Filesize
197KB

MD5
a9066bcc674331067192a69a96204e48

SHA1
ad92cd6e2d9c439ea77869ee0c784cb2af9d7d91

SHA256
3aa285810423f10788f5db2712e4ce5723b3441d4f895534f6a7a2174f4f0644

SHA512
8ccbc89a659a19d40629967bf802d01358f089cc7ba80af66171d7025d78d7288c95d827ab853a2c0417ab932d652cb78829f0b7f92c06990f679dcb8ba556bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads