151ebb2cb543bc2898fee0b38d7ddff345bd80a7471af00709fa80fef83ed764

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Size

180KB
MD5

fda654ae3da061bffb7acd922e0d424e
SHA1

c8e67241b4ff900a5acd417cf16228c8f6c42b55
SHA256

151ebb2cb543bc2898fee0b38d7ddff345bd80a7471af00709fa80fef83ed764
SHA512

4851fb7f8afe650e63fd9baa18812037ec73d6e4bc5349df38bb5d951b1236c8489fd7335cc9a30dade5da161dbe8ccdcc7ea2f1628b393b6e75799d63bdcf07
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGFl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000000e610-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001220d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001220d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001220d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001220d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001220d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A75CFD31-0C96-4310-9E87-538FB902EE3E}	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A75CFD31-0C96-4310-9E87-538FB902EE3E}\stubpath = "C:\\Windows\\{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe"	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050738CD-F8E2-4e64-806F-16DEE2789B56}	{A8947717-0C10-420d-847C-81F643A62E61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}\stubpath = "C:\\Windows\\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe"	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE281BCF-82CC-4638-BB02-4812B8619D31}	{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8947717-0C10-420d-847C-81F643A62E61}\stubpath = "C:\\Windows\\{A8947717-0C10-420d-847C-81F643A62E61}.exe"	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}\stubpath = "C:\\Windows\\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe"	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}\stubpath = "C:\\Windows\\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe"	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65B6A893-5460-4ca0-B168-A17575E5E4D0}\stubpath = "C:\\Windows\\{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe"	{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8947717-0C10-420d-847C-81F643A62E61}	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}\stubpath = "C:\\Windows\\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe"	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}\stubpath = "C:\\Windows\\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe"	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65B6A893-5460-4ca0-B168-A17575E5E4D0}	{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}\stubpath = "C:\\Windows\\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}.exe"	{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050738CD-F8E2-4e64-806F-16DEE2789B56}\stubpath = "C:\\Windows\\{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe"	{A8947717-0C10-420d-847C-81F643A62E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE281BCF-82CC-4638-BB02-4812B8619D31}\stubpath = "C:\\Windows\\{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe"	{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}	{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe
2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe
1880	{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
2080	{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
1832	{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe
1640	{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
File created	C:\Windows\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
File created	C:\Windows\{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
File created	C:\Windows\{A8947717-0C10-420d-847C-81F643A62E61}.exe	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
File created	C:\Windows\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
File created	C:\Windows\{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe	{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
File created	C:\Windows\{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe	{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
File created	C:\Windows\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}.exe	{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe
File created	C:\Windows\{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	{A8947717-0C10-420d-847C-81F643A62E61}.exe
File created	C:\Windows\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
File created	C:\Windows\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
Token: SeIncBasePriorityPrivilege	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe
Token: SeIncBasePriorityPrivilege	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
Token: SeIncBasePriorityPrivilege	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
Token: SeIncBasePriorityPrivilege	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
Token: SeIncBasePriorityPrivilege	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
Token: SeIncBasePriorityPrivilege	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe
Token: SeIncBasePriorityPrivilege	1880	{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
Token: SeIncBasePriorityPrivilege	2080	{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
Token: SeIncBasePriorityPrivilege	1832	{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2644	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	28
PID 2988 wrote to memory of 2644	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	28
PID 2988 wrote to memory of 2644	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	28
PID 2988 wrote to memory of 2644	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	28
PID 2988 wrote to memory of 3016	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	29
PID 2988 wrote to memory of 3016	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	29
PID 2988 wrote to memory of 3016	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	29
PID 2988 wrote to memory of 3016	2988	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	29
PID 2644 wrote to memory of 2696	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	30
PID 2644 wrote to memory of 2696	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	30
PID 2644 wrote to memory of 2696	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	30
PID 2644 wrote to memory of 2696	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	30
PID 2644 wrote to memory of 2624	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	31
PID 2644 wrote to memory of 2624	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	31
PID 2644 wrote to memory of 2624	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	31
PID 2644 wrote to memory of 2624	2644	{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe	31
PID 2696 wrote to memory of 2532	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	34
PID 2696 wrote to memory of 2532	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	34
PID 2696 wrote to memory of 2532	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	34
PID 2696 wrote to memory of 2532	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	34
PID 2696 wrote to memory of 2500	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	35
PID 2696 wrote to memory of 2500	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	35
PID 2696 wrote to memory of 2500	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	35
PID 2696 wrote to memory of 2500	2696	{A8947717-0C10-420d-847C-81F643A62E61}.exe	35
PID 2532 wrote to memory of 1712	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	36
PID 2532 wrote to memory of 1712	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	36
PID 2532 wrote to memory of 1712	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	36
PID 2532 wrote to memory of 1712	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	36
PID 2532 wrote to memory of 536	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	37
PID 2532 wrote to memory of 536	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	37
PID 2532 wrote to memory of 536	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	37
PID 2532 wrote to memory of 536	2532	{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe	37
PID 1712 wrote to memory of 704	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	38
PID 1712 wrote to memory of 704	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	38
PID 1712 wrote to memory of 704	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	38
PID 1712 wrote to memory of 704	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	38
PID 1712 wrote to memory of 1956	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	39
PID 1712 wrote to memory of 1956	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	39
PID 1712 wrote to memory of 1956	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	39
PID 1712 wrote to memory of 1956	1712	{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe	39
PID 704 wrote to memory of 1340	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	40
PID 704 wrote to memory of 1340	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	40
PID 704 wrote to memory of 1340	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	40
PID 704 wrote to memory of 1340	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	40
PID 704 wrote to memory of 2420	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	41
PID 704 wrote to memory of 2420	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	41
PID 704 wrote to memory of 2420	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	41
PID 704 wrote to memory of 2420	704	{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe	41
PID 1340 wrote to memory of 2244	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	42
PID 1340 wrote to memory of 2244	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	42
PID 1340 wrote to memory of 2244	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	42
PID 1340 wrote to memory of 2244	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	42
PID 1340 wrote to memory of 2248	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	43
PID 1340 wrote to memory of 2248	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	43
PID 1340 wrote to memory of 2248	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	43
PID 1340 wrote to memory of 2248	1340	{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe	43
PID 2244 wrote to memory of 1880	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	44
PID 2244 wrote to memory of 1880	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	44
PID 2244 wrote to memory of 1880	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	44
PID 2244 wrote to memory of 1880	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	44
PID 2244 wrote to memory of 1628	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	45
PID 2244 wrote to memory of 1628	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	45
PID 2244 wrote to memory of 1628	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	45
PID 2244 wrote to memory of 1628	2244	{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
  C:\Windows\{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\{A8947717-0C10-420d-847C-81F643A62E61}.exe
    C:\Windows\{A8947717-0C10-420d-847C-81F643A62E61}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
      C:\Windows\{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
        
        C:\Windows\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
        
        C:\Windows\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
        
        C:\Windows\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe
        
        C:\Windows\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
        
        C:\Windows\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
        
        C:\Windows\{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe
        
        C:\Windows\{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}.exe
        
        C:\Windows\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}.exe
        12⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE281~1.EXE > nul
        12⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65B6A~1.EXE > nul
        11⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60B36~1.EXE > nul
        10⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30C72~1.EXE > nul
        9⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{272ED~1.EXE > nul
        8⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F8D~1.EXE > nul
        7⤵
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2915~1.EXE > nul
        6⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05073~1.EXE > nul
        5⤵
        
        PID:536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A8947~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A75CF~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{050738CD-F8E2-4e64-806F-16DEE2789B56}.exe

Filesize
180KB

MD5
c5377bc8bb5744dc4b73162f76e6927d

SHA1
e5f81d293ec4f82f96f72c5bc5b63353d5786af0

SHA256
297af9030c4cef4d30f080be43e62cb6628ccaddc02a2170216e16f97e7f28c7

SHA512
ac0222877c31634490bbec76e65794f75a2a774c99c05103640c691d581cd7f5e6e2a151976d1fc362ae9d75424f09039bff3a3d193859137db5a6240bb784c8

Download Submit
C:\Windows\{272ED3D9-0425-4228-B94B-E9F7D39F9F91}.exe

Filesize
180KB

MD5
7cf4664028c393f46966c08bf5757686

SHA1
4dde547dd189a5ffbcceaf0596dcabc0ade32345

SHA256
1a536d8c831bce31b677323c98702c0565b0f5d1bc18bd9e0ed938c8e2ea90f4

SHA512
a907b9efd6c3c6347117bf2711b1b09071dc07c5534f664372b2d4d824bfe2bf147ed106ed90c74224c82a459e45738cabd52877f1dff5dedfa7b8f1472c56bf

Download Submit
C:\Windows\{30C7201C-C4FF-43fd-ACA7-7C16BA20A0DC}.exe

Filesize
180KB

MD5
921979c29d738deba8b204411fb5031e

SHA1
5b6699f7d4fccb6bdda2c63e65e395d3b76007c2

SHA256
860bfc0603af88c23b223ac8947065f762cb1b556386d0b09bace90022fd1671

SHA512
5bf0b92b7becb16f7a8373a2d4a3e34b7b280388405a7845b33935d753542e2401d9efe4d9374a565d9dc916df543e04f780db00bd8a09ccfbbb42a7bc28640a

Download Submit
C:\Windows\{60B3600D-31F1-40cd-964E-6C8C54CC16CF}.exe

Filesize
180KB

MD5
56383a56d2c3e4d738b9f32965650663

SHA1
b4e13a089130b22142fc8f9b9566617728e53f8b

SHA256
7b2288fcbf9202f4b4bc12ac47c03407c3bd4bc7a9ace79499200d01be7efec3

SHA512
2cd1c8c16eef9395d6b2e6ffa14c5eb67fe538149049d6a6a2890997aaad3f5c682cb3157c0b85c31ef81f2f2c5468c739cb1f0bcde555ab0140d8703f304065

Download Submit
C:\Windows\{65B6A893-5460-4ca0-B168-A17575E5E4D0}.exe

Filesize
180KB

MD5
1072b5e0b0cfb4397bdc193f199fc3a0

SHA1
86ba6b38945285db561f0c2ef105e293681753ef

SHA256
3ce3459e13e46387753fa2758e0c776731cbfc5a9c74718b8f8af6e39759eb4d

SHA512
0dfd04d71fccf75fe774040bee8ecd5f115a83753d018885430058b4db9234f93d47ba5e55f88f19351931ecac6369a0b9201618550000d5f37fa536538ba5d5

Download Submit
C:\Windows\{7E2E8EB4-9EF3-4fd0-B938-E5FFDBEDFC90}.exe

Filesize
180KB

MD5
589a8cc8875fe87698b0d8f3a746924c

SHA1
cdb689b08669692f2d92bdfb5071b73cb2d51583

SHA256
7d95da901f453a7461e231192852a2c72ab6c508f18ea64f73d4d8aa28c8b009

SHA512
1de8ad228c79b1be51557d4b840295368cee8beaf5330692b4747e861bd60f2978678b02cd12f2e493dd015bb6d2f94d91d7d7a8ccd4395517e1fc1b31aedc99

Download Submit
C:\Windows\{A75CFD31-0C96-4310-9E87-538FB902EE3E}.exe

Filesize
180KB

MD5
8048949fcad3de4bcb4938fcd35b91b6

SHA1
5484bce9c750b143b2329b8231d9b53ccd3c72d7

SHA256
56f387b2a1cd91b2eae9bd32a4fdb87127490d8994ed6458930f851dfe7e3105

SHA512
24d157d1eacd16912a47aead45921f4918cfbd4ca2c657d172a7e1b0540c01888f0c8b18c5e4a74dd8a895ac8e9b17d38d3a110064f6c07c8f6215b9377854cb

Download Submit
C:\Windows\{A8947717-0C10-420d-847C-81F643A62E61}.exe

Filesize
180KB

MD5
31eeb978d9d97a5f7e7ecad21fdc7ac7

SHA1
e58b9cd5b0dc033cf103e61741f1fa68768891b4

SHA256
0dc18a1f51184853dce7e6f53e9554fb902ca664235390f40f54229fbf33ed24

SHA512
1f01dd9f08f3bb42da744d63c265afdd0e566525ad07d29c4fc8f84c9a1cf064edd3ff294933e4bc8056bf4697186bd262b0df0e146b826297bb30a45f44a353

Download Submit
C:\Windows\{AE281BCF-82CC-4638-BB02-4812B8619D31}.exe

Filesize
180KB

MD5
e320243a04ac5f47aa2f817d8ef432a0

SHA1
bf41a697ef167857abbc6c5943425396f655a404

SHA256
0caa3dccff322a0973d0570e7afccb3b631d020b46af9164c4163c223211bb86

SHA512
439b7fc5925d00f091dbb884620b95b8ad98290fe08d75f340e4e0ba4c5d13509abf5d9c893990847ab1b25693447f3326574eec8fcf71c716da39a89b4b08f6

Download Submit
C:\Windows\{E2915AE5-3CA7-4447-B5D6-8D7086DD0F17}.exe

Filesize
180KB

MD5
afe8b7a74732df304194d0503a7e0a94

SHA1
32c7941f57aa158c9b07bf0e0f69a153d705611a

SHA256
61dbc2beaeb9faf199f3bab648e9f4286cf45831cc77999c1633db2ebf778321

SHA512
9a87c2f7fb59348c4b79fbec5a8fb353cdbe3884e62eb6eedc86f906c09fb4e4e8afe98be27fad0ff9b5d8ebb7addf0140c08e5cd51489fa150c7dd6452ceab5

Download Submit
C:\Windows\{E2F8D034-F53E-47a5-8D96-B3EABC53CFB7}.exe

Filesize
180KB

MD5
05325277545d01f3c288993251a0c9b4

SHA1
e940830fe8a6126ddad4a0179e388253a9a9c983

SHA256
6473e0c8cae519a72092680b1b29ecfff412489f911070d5b3ef670e1da3fbb6

SHA512
055e546cdfd110842a9e360a8983e27b6625fc1b0403bf55284f4777b895c61e56f38ed07c534595cdf97dc3d469f74b883a282c362400d2325a77e498bd7f0f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads