0d7edd2bef6578e24fe679046060bc1aa116bb0089f574ee99c160c162cf81f0

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe
Size

408KB
MD5

2f0e633f67331e013a375568b2b31e16
SHA1

14a99464cddc6d9308fdac009efafae19bd35d7f
SHA256

0d7edd2bef6578e24fe679046060bc1aa116bb0089f574ee99c160c162cf81f0
SHA512

580f356c0b47bcf66d2a0a172962c20a67fa1dd521ec47e7b7129bdb9454aaa96fec75a245d9fe9a1ae4fd25da20e8f541309532378c32f8e2f2c14163775f82
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG5ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023214-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023214-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d93-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d92-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{291AC215-A88B-4772-B66A-BF12A91522D1}\stubpath = "C:\\Windows\\{291AC215-A88B-4772-B66A-BF12A91522D1}.exe"	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}\stubpath = "C:\\Windows\\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe"	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900FB886-E050-400d-9465-763F4F336CC8}\stubpath = "C:\\Windows\\{900FB886-E050-400d-9465-763F4F336CC8}.exe"	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}\stubpath = "C:\\Windows\\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe"	{D18FD117-36DE-45bb-B765-93C441625036}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF8DBD6-9103-4c77-9490-74F51DC56847}\stubpath = "C:\\Windows\\{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe"	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}\stubpath = "C:\\Windows\\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe"	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900FB886-E050-400d-9465-763F4F336CC8}	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FA53CC-3377-4a8a-849F-323F498FAC59}\stubpath = "C:\\Windows\\{28FA53CC-3377-4a8a-849F-323F498FAC59}.exe"	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18FD117-36DE-45bb-B765-93C441625036}\stubpath = "C:\\Windows\\{D18FD117-36DE-45bb-B765-93C441625036}.exe"	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}	{D18FD117-36DE-45bb-B765-93C441625036}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}\stubpath = "C:\\Windows\\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe"	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF8DBD6-9103-4c77-9490-74F51DC56847}	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}\stubpath = "C:\\Windows\\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe"	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}\stubpath = "C:\\Windows\\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe"	{900FB886-E050-400d-9465-763F4F336CC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{291AC215-A88B-4772-B66A-BF12A91522D1}	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18FD117-36DE-45bb-B765-93C441625036}	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}	{900FB886-E050-400d-9465-763F4F336CC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FA53CC-3377-4a8a-849F-323F498FAC59}	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe

Executes dropped EXE 11 IoCs

pid	Process
2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
264	{D18FD117-36DE-45bb-B765-93C441625036}.exe
2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe
4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe
2636	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe
4588	{28FA53CC-3377-4a8a-849F-323F498FAC59}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe	{900FB886-E050-400d-9465-763F4F336CC8}.exe
File created	C:\Windows\{28FA53CC-3377-4a8a-849F-323F498FAC59}.exe	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe
File created	C:\Windows\{D18FD117-36DE-45bb-B765-93C441625036}.exe	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
File created	C:\Windows\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
File created	C:\Windows\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
File created	C:\Windows\{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
File created	C:\Windows\{900FB886-E050-400d-9465-763F4F336CC8}.exe	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
File created	C:\Windows\{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe
File created	C:\Windows\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	{D18FD117-36DE-45bb-B765-93C441625036}.exe
File created	C:\Windows\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
File created	C:\Windows\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
Token: SeIncBasePriorityPrivilege	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe
Token: SeIncBasePriorityPrivilege	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
Token: SeIncBasePriorityPrivilege	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
Token: SeIncBasePriorityPrivilege	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
Token: SeIncBasePriorityPrivilege	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
Token: SeIncBasePriorityPrivilege	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe
Token: SeIncBasePriorityPrivilege	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
Token: SeIncBasePriorityPrivilege	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe
Token: SeIncBasePriorityPrivilege	2636	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2468	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe	88
PID 2100 wrote to memory of 2468	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe	88
PID 2100 wrote to memory of 2468	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe	88
PID 2100 wrote to memory of 3492	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe	89
PID 2100 wrote to memory of 3492	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe	89
PID 2100 wrote to memory of 3492	2100	2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe	89
PID 2468 wrote to memory of 264	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	92
PID 2468 wrote to memory of 264	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	92
PID 2468 wrote to memory of 264	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	92
PID 2468 wrote to memory of 4264	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	93
PID 2468 wrote to memory of 4264	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	93
PID 2468 wrote to memory of 4264	2468	{291AC215-A88B-4772-B66A-BF12A91522D1}.exe	93
PID 264 wrote to memory of 2904	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe	95
PID 264 wrote to memory of 2904	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe	95
PID 264 wrote to memory of 2904	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe	95
PID 264 wrote to memory of 2296	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe	96
PID 264 wrote to memory of 2296	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe	96
PID 264 wrote to memory of 2296	264	{D18FD117-36DE-45bb-B765-93C441625036}.exe	96
PID 2904 wrote to memory of 4300	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	97
PID 2904 wrote to memory of 4300	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	97
PID 2904 wrote to memory of 4300	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	97
PID 2904 wrote to memory of 4852	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	98
PID 2904 wrote to memory of 4852	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	98
PID 2904 wrote to memory of 4852	2904	{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe	98
PID 4300 wrote to memory of 4400	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	99
PID 4300 wrote to memory of 4400	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	99
PID 4300 wrote to memory of 4400	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	99
PID 4300 wrote to memory of 1840	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	100
PID 4300 wrote to memory of 1840	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	100
PID 4300 wrote to memory of 1840	4300	{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe	100
PID 4400 wrote to memory of 4860	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	101
PID 4400 wrote to memory of 4860	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	101
PID 4400 wrote to memory of 4860	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	101
PID 4400 wrote to memory of 1268	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	102
PID 4400 wrote to memory of 1268	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	102
PID 4400 wrote to memory of 1268	4400	{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe	102
PID 4860 wrote to memory of 3724	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	103
PID 4860 wrote to memory of 3724	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	103
PID 4860 wrote to memory of 3724	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	103
PID 4860 wrote to memory of 4504	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	104
PID 4860 wrote to memory of 4504	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	104
PID 4860 wrote to memory of 4504	4860	{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe	104
PID 3724 wrote to memory of 4204	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	105
PID 3724 wrote to memory of 4204	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	105
PID 3724 wrote to memory of 4204	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	105
PID 3724 wrote to memory of 4212	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	106
PID 3724 wrote to memory of 4212	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	106
PID 3724 wrote to memory of 4212	3724	{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe	106
PID 4204 wrote to memory of 2472	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	107
PID 4204 wrote to memory of 2472	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	107
PID 4204 wrote to memory of 2472	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	107
PID 4204 wrote to memory of 4576	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	108
PID 4204 wrote to memory of 4576	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	108
PID 4204 wrote to memory of 4576	4204	{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe	108
PID 2472 wrote to memory of 2636	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe	109
PID 2472 wrote to memory of 2636	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe	109
PID 2472 wrote to memory of 2636	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe	109
PID 2472 wrote to memory of 4292	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe	110
PID 2472 wrote to memory of 4292	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe	110
PID 2472 wrote to memory of 4292	2472	{900FB886-E050-400d-9465-763F4F336CC8}.exe	110
PID 2636 wrote to memory of 4588	2636	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe	111
PID 2636 wrote to memory of 4588	2636	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe	111
PID 2636 wrote to memory of 4588	2636	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe	111
PID 2636 wrote to memory of 1264	2636	{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_2f0e633f67331e013a375568b2b31e16_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
  C:\Windows\{291AC215-A88B-4772-B66A-BF12A91522D1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\{D18FD117-36DE-45bb-B765-93C441625036}.exe
    C:\Windows\{D18FD117-36DE-45bb-B765-93C441625036}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
      C:\Windows\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
        
        C:\Windows\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Windows\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
        
        C:\Windows\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
        
        C:\Windows\{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe
        
        C:\Windows\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
        
        C:\Windows\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{900FB886-E050-400d-9465-763F4F336CC8}.exe
        
        C:\Windows\{900FB886-E050-400d-9465-763F4F336CC8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe
        
        C:\Windows\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{28FA53CC-3377-4a8a-849F-323F498FAC59}.exe
        
        C:\Windows\{28FA53CC-3377-4a8a-849F-323F498FAC59}.exe
        12⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E47B~1.EXE > nul
        12⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{900FB~1.EXE > nul
        11⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C30F~1.EXE > nul
        10⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70F6F~1.EXE > nul
        9⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF8D~1.EXE > nul
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4DF3~1.EXE > nul
        7⤵
        
        PID:1268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B36F~1.EXE > nul
        6⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{883AB~1.EXE > nul
        5⤵
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D18FD~1.EXE > nul
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{291AC~1.EXE > nul
    3⤵
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C30FF67-4942-4b56-9352-0B8B2C09D8CA}.exe

Filesize
408KB

MD5
5654429128dae076848469dc30d0e957

SHA1
6bda003f82343150bad0ce66800bceb51aa6577d

SHA256
9db655a0e2a72ed3bce8a692cb4d78a7bba0c8ca77aeb83bdc57d81578504658

SHA512
5c4a264e11a16a26dc01ef0ff02ffd93406e2319bb335996f1d067f3d3fdea457f06c55ac74859d67da453a5232ee80c41174a41433a9a3a146f3008658f75bb

Download Submit
C:\Windows\{28FA53CC-3377-4a8a-849F-323F498FAC59}.exe

Filesize
408KB

MD5
ece5832cd614f23813a3b84257849534

SHA1
2e7a7c6569fa24958b59a1738fe1ac991ba5673e

SHA256
5769767a5927c951501a6233072affb78e6cedcb51f41e7f7f65b6b96ecfcb03

SHA512
3582b57e31d1559aec67034469bee9347e0e40373e0b4287835015f1450c9609c267ee898cee1d7d4862adb812bad58bf3954d34d48606fb90ad4429271c5238

Download Submit
C:\Windows\{291AC215-A88B-4772-B66A-BF12A91522D1}.exe

Filesize
408KB

MD5
8f0e893ece9c8a036c4b49e3ed875919

SHA1
6a27148890ae8b7b75ddd79605a21d81e68971fc

SHA256
46466fb5e7fd05227b9d0d8ef6ff94336ab58b1a931c8e6f0eeb150f039ae3e0

SHA512
cb23d6a36d9bfa5b124bc0bb2c6950cd6f250773543f1d0d5c90b428bacf215ae7f4a80c32c2dc06b80e695d56f99f9193d44c7bd759a438157e72c0fe28af92

Download Submit
C:\Windows\{2E47BAFD-3A90-4da7-8AF9-A9CE82FF85C6}.exe

Filesize
408KB

MD5
d980cb0142baf1910a180183dc695d2c

SHA1
08d9ff448b4e89838447a928ccd8059c510b8ead

SHA256
ba884d7091dff07f3f0dc145d387d21afc93b57626161eb2bbccfcf0c4ecc5c9

SHA512
78016e051d2f47fc6e807453a74aaade32544311b7416c4c950d2b18d96128ed5b91f188904add4bf632ce0214e99ad746e1531f5aa016075fc0cfce49158bc6

Download Submit
C:\Windows\{6B36FF79-D09F-447e-8AFE-DB67F6CDF165}.exe

Filesize
408KB

MD5
eee85786493714b54fd5bae154823b4a

SHA1
7e83d34286df2646351a0ad68bfc665be02a09e7

SHA256
2e85505f2ec70e64cbd9307a3afddac930bf6fbfd903b25c3ad94bbad4130368

SHA512
a18fd1f5b48bfbf6eaf773e6cd2003df2d994bb8b931f913855618ead2df4b19cb27f58a51155356916b6101bb39bfe8350cdd4c94c5eaa51212df71332fe622

Download Submit
C:\Windows\{70F6FE4D-2B16-404c-A7DE-6DC5C5B36ACA}.exe

Filesize
408KB

MD5
7d727864dcb7866c97e39261df6f4cd2

SHA1
95042c8f2879fc52abef234515151f1b19ab4480

SHA256
f105b5f930a098a3f104c6c58194cd84a1b8a53b447044ae30ec7b13e3ae0a9c

SHA512
48554734cafaa6499ec23c13bb11e7731acab67f1d57dcea7af2577ae5df392f2741352513deac416a1b8557da80edbf41126eee7e6a269f954423ee783ad02e

Download Submit
C:\Windows\{883ABF62-38FA-4f75-9BA8-58A97F1C7D1D}.exe

Filesize
408KB

MD5
3b26e47caebfd67c11329fabdf22bbc4

SHA1
4f0f4fe78aedbd32ad710f1dad85adb947465553

SHA256
a59e93a30fb571f16e28fb39c7291daa01a897a41280b27aa6772cede851b553

SHA512
ae475fb79822ec7af30d9610fae7c3d3ce3d6ddf7d5346cc7906eb905834857cffe31f870e3fd6d5bac0ef7736b582abc6b70f25ec8604bc79cab4cf4204dca7

Download Submit
C:\Windows\{900FB886-E050-400d-9465-763F4F336CC8}.exe

Filesize
408KB

MD5
26247814b284586a0fc76ab2a9dd53e3

SHA1
a3f0b038236e48b3150e55aa14c90606203e9f8e

SHA256
604ff5bbf9c0d8a4224a42ed8c67b98c74072bdc20c37a20967ed287db5fc61f

SHA512
5ba09dc2d15c8a96b6055f841b1b5b44d9601b8b9a425881e0882444a0ab5f65c887222d57c4e5faf75ddc7fed19bd726a5a37426e0adb89c19e553aa2f7ee8f

Download Submit
C:\Windows\{B4DF364E-31A5-4f28-AC6D-1BEC48EC26A1}.exe

Filesize
408KB

MD5
b0dc19c9ad1f08c239b7fa91ac02a6db

SHA1
47fef192563bafb0fc367acc4104f20b07dd4c65

SHA256
f4d59b679acb1cb688738b8892814a48420d52740a9d9c97d53b2b013296bb2f

SHA512
93b18840fb7fac0b12790d5f77355b9b697b3cbdd8bebdb4106b54110763ff7f355034655174b5ce16bd40f047987475ffe614a0dc69f8ca2d9bbcc74e9ec8a2

Download Submit
C:\Windows\{D18FD117-36DE-45bb-B765-93C441625036}.exe

Filesize
408KB

MD5
a6bb12243e3668117febecec77cdffc0

SHA1
9ed425f3f6b6b406f731c8aa3d7e0e03441ba043

SHA256
18559b3b3e8538624161eaef0acfc4896cf277539c5d50af4609ac97c1aad1e6

SHA512
c9e58d697d2a0ea8e1749e6232d8164d61017f71f96a78c8817cdee531fcfff02f4edb546ea3219dcf0fc51307ea74ce9f7c4ca6d9fe73b249c45e447e69d83a

Download Submit
C:\Windows\{EEF8DBD6-9103-4c77-9490-74F51DC56847}.exe

Filesize
408KB

MD5
c88c9f9ebedc3e0b054806e755e69932

SHA1
ee81255a97ff4752b5dd0f042b2ae22e98a0a0ed

SHA256
10e82b7d4792b74bde05723ae8fb2174bf700c95df00918c374ef7b3e037f0df

SHA512
092ad2fa2e6ed3a6b7c9d135fec6c8d81f04b07d2224220580e625da7ce1b87c44377809404e90e517bbc6f5e7d848106f707113091bc53666b1b5bec8755204

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads