77c561c59149faa979eb7ac434bf28aee1df84c840d7f1f47a5d6ccb29670878

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Size

344KB
MD5

3af88b3d8fc125b822efe6cc7129902f
SHA1

73fe0a2ae6404838ea0a66cd674e815fcc017c7f
SHA256

77c561c59149faa979eb7ac434bf28aee1df84c840d7f1f47a5d6ccb29670878
SHA512

f0534272c18ccd9230c0de9f079e0a7e02928745eeff76278f99dda60e308460d45754608da1707a500064408eb63d6af6c3fb91c303e4ebc5092d3cbb2bfca5
SSDEEP

3072:mEGh0oNlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012247-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0021000000015c63-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0022000000015c63-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0023000000015c63-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0024000000015c63-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0025000000015c63-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0020000000015c6f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37841303-A579-4600-9D0B-E9BD63B01CAC}	{0AA42979-A00F-4afb-944E-823455787525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37841303-A579-4600-9D0B-E9BD63B01CAC}\stubpath = "C:\\Windows\\{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe"	{0AA42979-A00F-4afb-944E-823455787525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}\stubpath = "C:\\Windows\\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe"	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}\stubpath = "C:\\Windows\\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe"	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A657CE-9F6B-488f-9601-4ED30697B374}\stubpath = "C:\\Windows\\{66A657CE-9F6B-488f-9601-4ED30697B374}.exe"	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AA42979-A00F-4afb-944E-823455787525}\stubpath = "C:\\Windows\\{0AA42979-A00F-4afb-944E-823455787525}.exe"	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D8F033-82D4-4a33-90BC-B0384EE143E9}	{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D822FA-A837-4b09-AE0B-EE70A386A179}	{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AA42979-A00F-4afb-944E-823455787525}	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72305712-DFB7-4e93-B087-C6CAA6421EEB}	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D8F033-82D4-4a33-90BC-B0384EE143E9}\stubpath = "C:\\Windows\\{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe"	{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A657CE-9F6B-488f-9601-4ED30697B374}	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}\stubpath = "C:\\Windows\\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe"	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72305712-DFB7-4e93-B087-C6CAA6421EEB}\stubpath = "C:\\Windows\\{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe"	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}	{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}\stubpath = "C:\\Windows\\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe"	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}\stubpath = "C:\\Windows\\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe"	{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D822FA-A837-4b09-AE0B-EE70A386A179}\stubpath = "C:\\Windows\\{43D822FA-A837-4b09-AE0B-EE70A386A179}.exe"	{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe
568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
2732	{0AA42979-A00F-4afb-944E-823455787525}.exe
1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
1924	{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
612	{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
2948	{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe
1944	{43D822FA-A837-4b09-AE0B-EE70A386A179}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{43D822FA-A837-4b09-AE0B-EE70A386A179}.exe	{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe
File created	C:\Windows\{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
File created	C:\Windows\{0AA42979-A00F-4afb-944E-823455787525}.exe	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
File created	C:\Windows\{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
File created	C:\Windows\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe	{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
File created	C:\Windows\{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	{0AA42979-A00F-4afb-944E-823455787525}.exe
File created	C:\Windows\{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe	{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
File created	C:\Windows\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
File created	C:\Windows\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
File created	C:\Windows\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
File created	C:\Windows\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
Token: SeIncBasePriorityPrivilege	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
Token: SeIncBasePriorityPrivilege	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
Token: SeIncBasePriorityPrivilege	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe
Token: SeIncBasePriorityPrivilege	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
Token: SeIncBasePriorityPrivilege	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe
Token: SeIncBasePriorityPrivilege	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
Token: SeIncBasePriorityPrivilege	1924	{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
Token: SeIncBasePriorityPrivilege	612	{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
Token: SeIncBasePriorityPrivilege	2948	{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1464	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	28
PID 1696 wrote to memory of 1464	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	28
PID 1696 wrote to memory of 1464	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	28
PID 1696 wrote to memory of 1464	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	28
PID 1696 wrote to memory of 2272	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	29
PID 1696 wrote to memory of 2272	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	29
PID 1696 wrote to memory of 2272	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	29
PID 1696 wrote to memory of 2272	1696	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	29
PID 1464 wrote to memory of 2500	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	32
PID 1464 wrote to memory of 2500	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	32
PID 1464 wrote to memory of 2500	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	32
PID 1464 wrote to memory of 2500	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	32
PID 1464 wrote to memory of 2944	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	33
PID 1464 wrote to memory of 2944	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	33
PID 1464 wrote to memory of 2944	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	33
PID 1464 wrote to memory of 2944	1464	{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe	33
PID 2500 wrote to memory of 2476	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	34
PID 2500 wrote to memory of 2476	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	34
PID 2500 wrote to memory of 2476	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	34
PID 2500 wrote to memory of 2476	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	34
PID 2500 wrote to memory of 2528	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	35
PID 2500 wrote to memory of 2528	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	35
PID 2500 wrote to memory of 2528	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	35
PID 2500 wrote to memory of 2528	2500	{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe	35
PID 2476 wrote to memory of 2952	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	36
PID 2476 wrote to memory of 2952	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	36
PID 2476 wrote to memory of 2952	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	36
PID 2476 wrote to memory of 2952	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	36
PID 2476 wrote to memory of 516	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	37
PID 2476 wrote to memory of 516	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	37
PID 2476 wrote to memory of 516	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	37
PID 2476 wrote to memory of 516	2476	{66A657CE-9F6B-488f-9601-4ED30697B374}.exe	37
PID 2952 wrote to memory of 568	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	38
PID 2952 wrote to memory of 568	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	38
PID 2952 wrote to memory of 568	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	38
PID 2952 wrote to memory of 568	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	38
PID 2952 wrote to memory of 944	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	39
PID 2952 wrote to memory of 944	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	39
PID 2952 wrote to memory of 944	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	39
PID 2952 wrote to memory of 944	2952	{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe	39
PID 568 wrote to memory of 2732	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	40
PID 568 wrote to memory of 2732	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	40
PID 568 wrote to memory of 2732	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	40
PID 568 wrote to memory of 2732	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	40
PID 568 wrote to memory of 1864	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	41
PID 568 wrote to memory of 1864	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	41
PID 568 wrote to memory of 1864	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	41
PID 568 wrote to memory of 1864	568	{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe	41
PID 2732 wrote to memory of 1344	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	42
PID 2732 wrote to memory of 1344	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	42
PID 2732 wrote to memory of 1344	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	42
PID 2732 wrote to memory of 1344	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	42
PID 2732 wrote to memory of 2016	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	43
PID 2732 wrote to memory of 2016	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	43
PID 2732 wrote to memory of 2016	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	43
PID 2732 wrote to memory of 2016	2732	{0AA42979-A00F-4afb-944E-823455787525}.exe	43
PID 1344 wrote to memory of 1924	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	44
PID 1344 wrote to memory of 1924	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	44
PID 1344 wrote to memory of 1924	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	44
PID 1344 wrote to memory of 1924	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	44
PID 1344 wrote to memory of 1500	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	45
PID 1344 wrote to memory of 1500	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	45
PID 1344 wrote to memory of 1500	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	45
PID 1344 wrote to memory of 1500	1344	{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
  C:\Windows\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
    C:\Windows\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
      C:\Windows\{66A657CE-9F6B-488f-9601-4ED30697B374}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe
        
        C:\Windows\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
        
        C:\Windows\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{0AA42979-A00F-4afb-944E-823455787525}.exe
        
        C:\Windows\{0AA42979-A00F-4afb-944E-823455787525}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
        
        C:\Windows\{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
        
        C:\Windows\{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
        
        C:\Windows\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe
        
        C:\Windows\{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{43D822FA-A837-4b09-AE0B-EE70A386A179}.exe
        
        C:\Windows\{43D822FA-A837-4b09-AE0B-EE70A386A179}.exe
        12⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D8F~1.EXE > nul
        12⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE88~1.EXE > nul
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72305~1.EXE > nul
        10⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37841~1.EXE > nul
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AA42~1.EXE > nul
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2C3F~1.EXE > nul
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7828F~1.EXE > nul
        6⤵
        
        PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A65~1.EXE > nul
        5⤵
        
        PID:516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CB77~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA252~1.EXE > nul
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AA42979-A00F-4afb-944E-823455787525}.exe

Filesize
344KB

MD5
162c18b87576f088dde3662af94f01e5

SHA1
228dc3cc5595a3bbfb30ea9b489e067a3ffefc96

SHA256
b241b6b4de1df7d6e6b5be6a51b4db27075b1fd6d6776c75b34726a54b286e57

SHA512
d091738cce61aaf1e57448f8752f272db1de1904ff32baf57eeed005e4b88cb57e8bc80992d5ae24234427cfde8e05fee8f52984098cbe5a3f981c54b76f6a76

Download Submit
C:\Windows\{1CB77C5C-0A62-4aa0-9446-F85DD9362D26}.exe

Filesize
344KB

MD5
a5e8bcc4ea25c999ff737d2fd7aea7c6

SHA1
c1dfea3bc867e0031fdcc15673eaa4a2aea536ee

SHA256
78777b0a4be91734202673e4c0ea0bb633041d2c75001fe3db9df5cc0ebe2312

SHA512
3e5111d9ee42d7ccb5ce4cece1aa2348eb498a5413543c0558da10a1f5182363fbc50ffa8a262dfb463bab8618ee18ce43b01ddd7b50594aef394c9dcf4ae877

Download Submit
C:\Windows\{37841303-A579-4600-9D0B-E9BD63B01CAC}.exe

Filesize
344KB

MD5
e04118234081daf58918a5b226fb3fe2

SHA1
b85d61a5e685f98bfa222e339bf820768d91ea68

SHA256
20e95e852e5b52c9c1f049eb040a827a08921d4f2063c7e2965b0511064ce365

SHA512
389ff081c3002a065dc6c29d04fdc1b2b31cafbb1fef1b863142cbea721ace8e88df20e62a83c0a5ee37cf6f365ee1fe16ef56cc6302b75bf6f278268fd6c67d

Download Submit
C:\Windows\{43D822FA-A837-4b09-AE0B-EE70A386A179}.exe

Filesize
344KB

MD5
b5bd8e07c0619b3f6d12c158bb962c74

SHA1
33631df75d9d7e47904f0ff071ab277972e3d408

SHA256
745ccfb8a0e11c30ca2f141d7f43e4298ab309b3e60b21d49c02f2f099c52e8a

SHA512
db443ce3e9692ffadd747e2c1d1f28f95168c4f96509af9cd98c2c8bde7c6dc44e7eb9328ce435df0b86b4a441e30c9bbcf7a20f63a1c57d74f04b3c60630d70

Download Submit
C:\Windows\{66A657CE-9F6B-488f-9601-4ED30697B374}.exe

Filesize
344KB

MD5
596b592007062e5b72faae51cb9eb777

SHA1
4cf3f695f105b6cb2289d872afcdbaea442e1452

SHA256
68a98d328929b7d537fe8ddd4f077e9f332f95f17d7b17d5dddb72afe6e28ec9

SHA512
9e0221dbb9879c0daf56c5e16ace5bfa1132942f99638f2a26d20191c70597940bcb6ba4e0d6a93995801c48b5675d2669385e138ceb3fef4eac47178f412057

Download Submit
C:\Windows\{72305712-DFB7-4e93-B087-C6CAA6421EEB}.exe

Filesize
344KB

MD5
0db179907d079a8be66e0a0c7384e5ef

SHA1
8319c45972ccb4fce8d992080f272471b1731a93

SHA256
e08bacc392eca0ed8e8d775aa9f30e200785286a0af8967d06c5ebaa5e129243

SHA512
f421de39ba212cb0c0583e3ba019e8c349931fd53f0b8d9f4fb2c221fb83ca28c2f08656dd6040392829d7ab8b197c6eb3657c1dcd5415300a93479571b2875d

Download Submit
C:\Windows\{77D8F033-82D4-4a33-90BC-B0384EE143E9}.exe

Filesize
344KB

MD5
89ddaeb8528bdbcdc4eb8385db47ed5e

SHA1
2c74f0b5b964cd67eb105727f8cb09723409df40

SHA256
5523e8031e468213f6cc18fcc4b2eb42a1d4305d5b596f511089c96458ff7d31

SHA512
1fbd4d7779e3d1e52b6c9a24850fc6455012b866acee8df1540488771be1e717dc11877740bdd4bc1452bdf8bb03eb42fa9c61802fb82eb505cc457f8c0719a2

Download Submit
C:\Windows\{7828F5F9-3D7A-4001-A5D4-D8650646EF6D}.exe

Filesize
344KB

MD5
8ec7f0b2658b735ee3da185913d21b1e

SHA1
9b6c52d033ab813fe48ca9a8901cabff70f6330a

SHA256
d509bfe329d84bde69e4dede1111b6c68962589c1998f06cbf1decbe1cc15c15

SHA512
5f6e2817b80773eacf554ea5047d5d02e25d41ae8157cbffc43dadd43e8e2956cfa8851d878597555d65222cb948ce66856d7c1d79a376ac08fff289c89ad1fc

Download Submit
C:\Windows\{B2C3FAF4-36D0-41cd-BDBB-C3739BB5D941}.exe

Filesize
344KB

MD5
53322666b580e1524a2ec98a0de60351

SHA1
c650d0470691882721370d6326a0c21edb282fb8

SHA256
b5137a62f85e48294455204f7d55f5b9c0c5a2c7a9efb873ba38c76db574c5f4

SHA512
058638b257476c7e0daaa24713bfee555020831e7af15c6711bdfc64a1b96989eac043fd300359aa9b52c8044769fbda70e5f8a18768e714ba030da435139ac4

Download Submit
C:\Windows\{CA2528D6-24DD-41c4-A1AB-921A76D8DC26}.exe

Filesize
344KB

MD5
6b53434ba7f86ff52fca81f69b779e2a

SHA1
5dae75416da3b763d9038291f0493df413674473

SHA256
3e87c8548f055334255783a7cf8a13f5a797dc53fbd928896815d557cb8c8526

SHA512
15e0eebc5e5579c0830d58192c4136d6fce7fe9c8757e20d0fcf0f5d48700e42110308e2daf1f2e8acc290ad85d5091636b1a00180e98b9d6b2044205631d045

Download Submit
C:\Windows\{CDE88574-14C9-48c5-8BBD-EE89B9B0FC49}.exe

Filesize
344KB

MD5
5506a64f923d511e1bbce7bbf64de5ba

SHA1
ff951814d78945d2b95c72e8bd2a9dff73df50f7

SHA256
d8881aaad04876f1ca9f15957a8fbef8be20a6b442f160a7ab4970638a861f0a

SHA512
e24c5302c61f659b95dea09432c981fa9a1b26b3ace1a1bf6cf5e874e5889d5153550c0dc56174f87a32c9d33a8b8dd7ea9cb64062e3deb90ba6c55cefac3afa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads