1c0d71e64ed1f0607d65d23addaf50d975068b3e0446da1c29fc9e7015bb8e16

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe
Size

197KB
MD5

a6d0e8835ee8c1127f29802de63ea4f9
SHA1

746805086c300f378a2276b0c5cc214d088fcab0
SHA256

1c0d71e64ed1f0607d65d23addaf50d975068b3e0446da1c29fc9e7015bb8e16
SHA512

18e48b0e88bd2fde70bf59aaa0e7515d9107b578b8e3bdfd04d2c1db351654944aabcce9f57c2bb36e4ced3b659b45d887a6ff4bef324413cc37905010204caf
SSDEEP

3072:jEGh0ohl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG3lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015610-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0014000000015c9f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015610-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015610-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015610-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015610-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65C7D29-6B89-408b-82F3-8D7766503E65}\stubpath = "C:\\Windows\\{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe"	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5430166C-ED14-4673-B31E-3D1CC8303115}\stubpath = "C:\\Windows\\{5430166C-ED14-4673-B31E-3D1CC8303115}.exe"	{40125378-DEDA-434e-84AC-970AD45C140A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}\stubpath = "C:\\Windows\\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe"	{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{208956D8-F1A8-4400-9ED1-5849F186EFD7}	{432210EB-1226-48fd-A1B5-A45F608610A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{208956D8-F1A8-4400-9ED1-5849F186EFD7}\stubpath = "C:\\Windows\\{208956D8-F1A8-4400-9ED1-5849F186EFD7}.exe"	{432210EB-1226-48fd-A1B5-A45F608610A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C690C4-911B-44e9-99B1-42F7F636A734}\stubpath = "C:\\Windows\\{33C690C4-911B-44e9-99B1-42F7F636A734}.exe"	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}\stubpath = "C:\\Windows\\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe"	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40125378-DEDA-434e-84AC-970AD45C140A}	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40125378-DEDA-434e-84AC-970AD45C140A}\stubpath = "C:\\Windows\\{40125378-DEDA-434e-84AC-970AD45C140A}.exe"	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5430166C-ED14-4673-B31E-3D1CC8303115}	{40125378-DEDA-434e-84AC-970AD45C140A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}\stubpath = "C:\\Windows\\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe"	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}	{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432210EB-1226-48fd-A1B5-A45F608610A2}	{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65C7D29-6B89-408b-82F3-8D7766503E65}	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}\stubpath = "C:\\Windows\\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe"	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}\stubpath = "C:\\Windows\\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe"	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432210EB-1226-48fd-A1B5-A45F608610A2}\stubpath = "C:\\Windows\\{432210EB-1226-48fd-A1B5-A45F608610A2}.exe"	{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C690C4-911B-44e9-99B1-42F7F636A734}	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe
2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
1924	{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
612	{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe
2948	{432210EB-1226-48fd-A1B5-A45F608610A2}.exe
1944	{208956D8-F1A8-4400-9ED1-5849F186EFD7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe
File created	C:\Windows\{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
File created	C:\Windows\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
File created	C:\Windows\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
File created	C:\Windows\{208956D8-F1A8-4400-9ED1-5849F186EFD7}.exe	{432210EB-1226-48fd-A1B5-A45F608610A2}.exe
File created	C:\Windows\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
File created	C:\Windows\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
File created	C:\Windows\{40125378-DEDA-434e-84AC-970AD45C140A}.exe	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
File created	C:\Windows\{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	{40125378-DEDA-434e-84AC-970AD45C140A}.exe
File created	C:\Windows\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe	{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
File created	C:\Windows\{432210EB-1226-48fd-A1B5-A45F608610A2}.exe	{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
Token: SeIncBasePriorityPrivilege	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
Token: SeIncBasePriorityPrivilege	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
Token: SeIncBasePriorityPrivilege	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
Token: SeIncBasePriorityPrivilege	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe
Token: SeIncBasePriorityPrivilege	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
Token: SeIncBasePriorityPrivilege	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
Token: SeIncBasePriorityPrivilege	1924	{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
Token: SeIncBasePriorityPrivilege	612	{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe
Token: SeIncBasePriorityPrivilege	2948	{432210EB-1226-48fd-A1B5-A45F608610A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1980	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	28
PID 2436 wrote to memory of 1980	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	28
PID 2436 wrote to memory of 1980	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	28
PID 2436 wrote to memory of 1980	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	28
PID 2436 wrote to memory of 2560	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	29
PID 2436 wrote to memory of 2560	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	29
PID 2436 wrote to memory of 2560	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	29
PID 2436 wrote to memory of 2560	2436	2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe	29
PID 1980 wrote to memory of 2676	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	32
PID 1980 wrote to memory of 2676	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	32
PID 1980 wrote to memory of 2676	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	32
PID 1980 wrote to memory of 2676	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	32
PID 1980 wrote to memory of 2488	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	33
PID 1980 wrote to memory of 2488	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	33
PID 1980 wrote to memory of 2488	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	33
PID 1980 wrote to memory of 2488	1980	{33C690C4-911B-44e9-99B1-42F7F636A734}.exe	33
PID 2676 wrote to memory of 2480	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	34
PID 2676 wrote to memory of 2480	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	34
PID 2676 wrote to memory of 2480	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	34
PID 2676 wrote to memory of 2480	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	34
PID 2676 wrote to memory of 2540	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	35
PID 2676 wrote to memory of 2540	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	35
PID 2676 wrote to memory of 2540	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	35
PID 2676 wrote to memory of 2540	2676	{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe	35
PID 2480 wrote to memory of 2956	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	36
PID 2480 wrote to memory of 2956	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	36
PID 2480 wrote to memory of 2956	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	36
PID 2480 wrote to memory of 2956	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	36
PID 2480 wrote to memory of 1008	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	37
PID 2480 wrote to memory of 1008	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	37
PID 2480 wrote to memory of 1008	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	37
PID 2480 wrote to memory of 1008	2480	{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe	37
PID 2956 wrote to memory of 1812	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	38
PID 2956 wrote to memory of 1812	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	38
PID 2956 wrote to memory of 1812	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	38
PID 2956 wrote to memory of 1812	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	38
PID 2956 wrote to memory of 1180	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	39
PID 2956 wrote to memory of 1180	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	39
PID 2956 wrote to memory of 1180	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	39
PID 2956 wrote to memory of 1180	2956	{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe	39
PID 1812 wrote to memory of 2780	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	40
PID 1812 wrote to memory of 2780	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	40
PID 1812 wrote to memory of 2780	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	40
PID 1812 wrote to memory of 2780	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	40
PID 1812 wrote to memory of 1904	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	41
PID 1812 wrote to memory of 1904	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	41
PID 1812 wrote to memory of 1904	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	41
PID 1812 wrote to memory of 1904	1812	{40125378-DEDA-434e-84AC-970AD45C140A}.exe	41
PID 2780 wrote to memory of 1344	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	42
PID 2780 wrote to memory of 1344	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	42
PID 2780 wrote to memory of 1344	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	42
PID 2780 wrote to memory of 1344	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	42
PID 2780 wrote to memory of 2016	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	43
PID 2780 wrote to memory of 2016	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	43
PID 2780 wrote to memory of 2016	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	43
PID 2780 wrote to memory of 2016	2780	{5430166C-ED14-4673-B31E-3D1CC8303115}.exe	43
PID 1344 wrote to memory of 1924	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	44
PID 1344 wrote to memory of 1924	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	44
PID 1344 wrote to memory of 1924	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	44
PID 1344 wrote to memory of 1924	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	44
PID 1344 wrote to memory of 1500	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	45
PID 1344 wrote to memory of 1500	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	45
PID 1344 wrote to memory of 1500	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	45
PID 1344 wrote to memory of 1500	1344	{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_a6d0e8835ee8c1127f29802de63ea4f9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
  C:\Windows\{33C690C4-911B-44e9-99B1-42F7F636A734}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
    C:\Windows\{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
      C:\Windows\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
        
        C:\Windows\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\{40125378-DEDA-434e-84AC-970AD45C140A}.exe
        
        C:\Windows\{40125378-DEDA-434e-84AC-970AD45C140A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
        
        C:\Windows\{5430166C-ED14-4673-B31E-3D1CC8303115}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
        
        C:\Windows\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
        
        C:\Windows\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe
        
        C:\Windows\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\{432210EB-1226-48fd-A1B5-A45F608610A2}.exe
        
        C:\Windows\{432210EB-1226-48fd-A1B5-A45F608610A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{208956D8-F1A8-4400-9ED1-5849F186EFD7}.exe
        
        C:\Windows\{208956D8-F1A8-4400-9ED1-5849F186EFD7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43221~1.EXE > nul
        12⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9F8~1.EXE > nul
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF9C~1.EXE > nul
        10⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC85C~1.EXE > nul
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54301~1.EXE > nul
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40125~1.EXE > nul
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59001~1.EXE > nul
        6⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA5BD~1.EXE > nul
        5⤵
        
        PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E65C7~1.EXE > nul
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33C69~1.EXE > nul
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{208956D8-F1A8-4400-9ED1-5849F186EFD7}.exe

Filesize
197KB

MD5
ab36e2fa8fa11c178192121d7c2e64ca

SHA1
5927219aece5537cb9198bc0fc3ed0ca6a8837db

SHA256
20905e87ba9dd7a68d4f268f7e1fe2f40784070d090058ed9bd501640beea928

SHA512
7b705862bcdbf69ae77f9a05f8e7c680e3af0c17219d7e61c8817f25afeb76ccfc69df3eda5874fa26537ed298bd85273d01f487d38e750842cd3a2450e47bcf

Download Submit
C:\Windows\{33C690C4-911B-44e9-99B1-42F7F636A734}.exe

Filesize
197KB

MD5
9757a21509be4bf042782a3dda754bbe

SHA1
0fbe5f1b6c207be9a408eaf9cc28a6c508138133

SHA256
662c43676f8fea96831c36c3d1ad6f3f254e1aa5514a84f5da28fadb128adbb6

SHA512
fb59869cc4fb508d79267a80399cd5c78f7d78d0cd8185c115a052a152f8e380a8c5989782c4aba1c2dfbd0c78256c54d5dd975b0bfb4e8bda70cd196ec0a5ec

Download Submit
C:\Windows\{40125378-DEDA-434e-84AC-970AD45C140A}.exe

Filesize
197KB

MD5
532c816ab0240381119e9bf141b3d35f

SHA1
6771d477a78474e1a9d07cb7f78b8e3155adc77c

SHA256
dfb069daf5f04d2ee046cf5a1c36181bc9bb9d619df3765007f02e8bf920af89

SHA512
ebbef220653827454cedd5c7cd442bd3676123fec505989e064dfa6f3a76dc42eabe3d5e27261d2e6ce847a1140c22c5e1c2e6ae1bb180011b431c27d6c2f5c6

Download Submit
C:\Windows\{432210EB-1226-48fd-A1B5-A45F608610A2}.exe

Filesize
197KB

MD5
7824cbf55083877f9438d276e238b29d

SHA1
4afcb8ef7f2232cffe7bd53e28afd12a67c3a974

SHA256
d78d49f2b73ef75a285df8887622e0217e17be8d66eb927ee160f949d42abf0f

SHA512
747012b8bb0a292e8fd36088b1833f5b3e84d49892e4181434ac7091e2ea2569e8d50a351817b105ea2cc26da4e6d6a6e680b4712fc20d0e3ffd8f3b8ba8ee6f

Download Submit
C:\Windows\{5430166C-ED14-4673-B31E-3D1CC8303115}.exe

Filesize
197KB

MD5
46859b02b499e96257a6276276ff38f4

SHA1
b2f42478bf5f07c8e9d322f347fcc1da3ffda767

SHA256
cc28e2b3ac64951ba8b8a33314044e460f06e71d8d74104ee8759bd810585692

SHA512
a58c84fd793f1c8a00b68aca04ed820406cab319acddd7becd229c1f87bef89f3cfbee4a7e80fa24826300619e2ce8dd87618e33b78fd53935b10ae031fdada8

Download Submit
C:\Windows\{59001AFE-52A1-4dc0-8F04-FCC54DA3D5CC}.exe

Filesize
197KB

MD5
9c1614ea299eb1e4ef2048caa849346f

SHA1
775a08e12dc500b31106274f0eaee62d41502954

SHA256
4c803c778f74667b50d2b76d720ae2c402106e9a55cfe72441595fcfc48dcdd6

SHA512
afcb260434d9b0b81d46abe3b09d687ad0cc1825ddef7b73fde6206019a314599bf96cb141fdf0de5181a1d845fe794252822e422f0882f58308a7711eee60a7

Download Submit
C:\Windows\{7FF9C797-14F5-4cc4-9034-6990AC2ADA07}.exe

Filesize
197KB

MD5
0f9a68b087686575d0a87cdbafdad398

SHA1
c0e0973c68b4f32164b129d69a5f258c98aed5e0

SHA256
24c009bc8d278925e96d050e7d675e1b1def817d0b250e3cc023009456830264

SHA512
2b331c4af7f9d3f92eb4d524c570d09167701d8eaba5badcaeefd9129d157379d4aa904a450424a177bef25e919a9cafa030266f29cb0ac2e38e1b9c234829a5

Download Submit
C:\Windows\{AA9F8DCB-8EE2-4e3f-997D-DE0D0D5FC5F8}.exe

Filesize
197KB

MD5
11f3782a7223b37ee37b47b2dbe9c329

SHA1
fd5e7d3f6ab97ee0baaa8d4f0752a32de5cdb6d0

SHA256
6676cb4e438e4ef1a7e3bd222753e296421f6ccd7154f5f54f09c504d0307312

SHA512
217c0eef53a9fbb86aaed9bf869856faacfe33aaeef585e3965af6c1bdccf44be318a9868b8cdcdba09f3014eed4bada0986d564b96016cb63f9501d434e61a3

Download Submit
C:\Windows\{DA5BDA0A-4ED3-495a-8969-3A16D40284A6}.exe

Filesize
197KB

MD5
7cd38a62542e0718f973803985e98c0c

SHA1
189035ed72a54a604ac4519e02b26c911213e10c

SHA256
992a7faf86712010be29df0f1bd04c69d60f032c00b5898620bf385e0093b207

SHA512
1348488c2a67372719813ff8762b2cf9c888ffa767d85c55bb2723f0feadd75e9fedbc9c5fcba967b732a8223af14e1347fe94dc295d778814dff8e36fa7f2c7

Download Submit
C:\Windows\{E65C7D29-6B89-408b-82F3-8D7766503E65}.exe

Filesize
197KB

MD5
104d39991a237f199251c2f97564d5df

SHA1
76dff9418af88eacf099573cd64069bfa1485d89

SHA256
a65820e8305b7bb17e59f82411f0f4fc055471ded1632efa55dbf7c939556ec7

SHA512
042c12426def19fb3fba3db8e7480a15fc9bb81b02dccc96a51c706d9f7e264f4bf91db655dcb8296f2eb793dc6224071e3e97e3afdd04ffbea1c4c29422e3db

Download Submit
C:\Windows\{EC85C180-DB10-4531-8D76-DA5F1BF9B31A}.exe

Filesize
197KB

MD5
52c99d30490e7715dc6dad090184232b

SHA1
322ad7d7319567d2fd5e948ec42e98c6390785ae

SHA256
b1c8858512d016362ebb161fe4dd80baa6e7494ebb6185c9b28589950d3f0587

SHA512
7082e68ed4134364fa0f700a43438739f4929a2927808cd266497d85c7428ef085e9a95d9ccfe2d41b7868142ec82e7e118cd6045bfdab47e6661c6cbe40bf65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads