e170590c78ef43039c630428b193c03d3eb1b9fb09c4c80648f2142712570017

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Size

344KB
MD5

d61b56d195a6fa70713ae1952ba10143
SHA1

af93c01bc78c3e08b73db23eefdde40ff074141b
SHA256

e170590c78ef43039c630428b193c03d3eb1b9fb09c4c80648f2142712570017
SHA512

ab800baa4836195e70431ae8830e92fbd42d17b638dbfc716e29499cefce6850360a05e25e58dc9bbdfbd5db91b340f0f0ab6e423cc9467b96142cafb3b84991
SSDEEP

3072:mEGh0otlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGnlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012272-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016c0e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016c0e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016ce9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016ced-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016ce9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016ced-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016ce9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016ced-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}\stubpath = "C:\\Windows\\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe"	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FB338A6-7D8B-4878-A750-C680FF908095}	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}\stubpath = "C:\\Windows\\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe"	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{135867AC-20A5-4d81-8199-308905372871}\stubpath = "C:\\Windows\\{135867AC-20A5-4d81-8199-308905372871}.exe"	{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}	{135867AC-20A5-4d81-8199-308905372871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B224681-388B-4131-93D8-39FA92F00E80}	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}	{9B224681-388B-4131-93D8-39FA92F00E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}\stubpath = "C:\\Windows\\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe"	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}\stubpath = "C:\\Windows\\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe"	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{135867AC-20A5-4d81-8199-308905372871}	{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}\stubpath = "C:\\Windows\\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe"	{135867AC-20A5-4d81-8199-308905372871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}\stubpath = "C:\\Windows\\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}.exe"	{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B224681-388B-4131-93D8-39FA92F00E80}\stubpath = "C:\\Windows\\{9B224681-388B-4131-93D8-39FA92F00E80}.exe"	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}\stubpath = "C:\\Windows\\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe"	{9B224681-388B-4131-93D8-39FA92F00E80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FB338A6-7D8B-4878-A750-C680FF908095}\stubpath = "C:\\Windows\\{6FB338A6-7D8B-4878-A750-C680FF908095}.exe"	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}\stubpath = "C:\\Windows\\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe"	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}	{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe
2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
1856	{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
1436	{135867AC-20A5-4d81-8199-308905372871}.exe
2056	{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe
2972	{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	{9B224681-388B-4131-93D8-39FA92F00E80}.exe
File created	C:\Windows\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}.exe	{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe
File created	C:\Windows\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
File created	C:\Windows\{135867AC-20A5-4d81-8199-308905372871}.exe	{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
File created	C:\Windows\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
File created	C:\Windows\{9B224681-388B-4131-93D8-39FA92F00E80}.exe	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
File created	C:\Windows\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
File created	C:\Windows\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
File created	C:\Windows\{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
File created	C:\Windows\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
File created	C:\Windows\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe	{135867AC-20A5-4d81-8199-308905372871}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
Token: SeIncBasePriorityPrivilege	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe
Token: SeIncBasePriorityPrivilege	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
Token: SeIncBasePriorityPrivilege	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
Token: SeIncBasePriorityPrivilege	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
Token: SeIncBasePriorityPrivilege	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
Token: SeIncBasePriorityPrivilege	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
Token: SeIncBasePriorityPrivilege	1856	{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
Token: SeIncBasePriorityPrivilege	1436	{135867AC-20A5-4d81-8199-308905372871}.exe
Token: SeIncBasePriorityPrivilege	2056	{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2544	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	28
PID 744 wrote to memory of 2544	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	28
PID 744 wrote to memory of 2544	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	28
PID 744 wrote to memory of 2544	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	28
PID 744 wrote to memory of 2648	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	29
PID 744 wrote to memory of 2648	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	29
PID 744 wrote to memory of 2648	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	29
PID 744 wrote to memory of 2648	744	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	29
PID 2544 wrote to memory of 2536	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	30
PID 2544 wrote to memory of 2536	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	30
PID 2544 wrote to memory of 2536	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	30
PID 2544 wrote to memory of 2536	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	30
PID 2544 wrote to memory of 2940	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	31
PID 2544 wrote to memory of 2940	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	31
PID 2544 wrote to memory of 2940	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	31
PID 2544 wrote to memory of 2940	2544	{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe	31
PID 2536 wrote to memory of 2476	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	34
PID 2536 wrote to memory of 2476	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	34
PID 2536 wrote to memory of 2476	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	34
PID 2536 wrote to memory of 2476	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	34
PID 2536 wrote to memory of 2884	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	35
PID 2536 wrote to memory of 2884	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	35
PID 2536 wrote to memory of 2884	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	35
PID 2536 wrote to memory of 2884	2536	{9B224681-388B-4131-93D8-39FA92F00E80}.exe	35
PID 2476 wrote to memory of 1656	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	36
PID 2476 wrote to memory of 1656	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	36
PID 2476 wrote to memory of 1656	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	36
PID 2476 wrote to memory of 1656	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	36
PID 2476 wrote to memory of 692	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	37
PID 2476 wrote to memory of 692	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	37
PID 2476 wrote to memory of 692	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	37
PID 2476 wrote to memory of 692	2476	{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe	37
PID 1656 wrote to memory of 908	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	38
PID 1656 wrote to memory of 908	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	38
PID 1656 wrote to memory of 908	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	38
PID 1656 wrote to memory of 908	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	38
PID 1656 wrote to memory of 624	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	39
PID 1656 wrote to memory of 624	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	39
PID 1656 wrote to memory of 624	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	39
PID 1656 wrote to memory of 624	1656	{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe	39
PID 908 wrote to memory of 2684	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	40
PID 908 wrote to memory of 2684	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	40
PID 908 wrote to memory of 2684	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	40
PID 908 wrote to memory of 2684	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	40
PID 908 wrote to memory of 2320	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	41
PID 908 wrote to memory of 2320	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	41
PID 908 wrote to memory of 2320	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	41
PID 908 wrote to memory of 2320	908	{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe	41
PID 2684 wrote to memory of 1744	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	42
PID 2684 wrote to memory of 1744	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	42
PID 2684 wrote to memory of 1744	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	42
PID 2684 wrote to memory of 1744	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	42
PID 2684 wrote to memory of 1948	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	43
PID 2684 wrote to memory of 1948	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	43
PID 2684 wrote to memory of 1948	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	43
PID 2684 wrote to memory of 1948	2684	{6FB338A6-7D8B-4878-A750-C680FF908095}.exe	43
PID 1744 wrote to memory of 1856	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	44
PID 1744 wrote to memory of 1856	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	44
PID 1744 wrote to memory of 1856	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	44
PID 1744 wrote to memory of 1856	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	44
PID 1744 wrote to memory of 1636	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	45
PID 1744 wrote to memory of 1636	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	45
PID 1744 wrote to memory of 1636	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	45
PID 1744 wrote to memory of 1636	1744	{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
  C:\Windows\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{9B224681-388B-4131-93D8-39FA92F00E80}.exe
    C:\Windows\{9B224681-388B-4131-93D8-39FA92F00E80}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
      C:\Windows\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
        
        C:\Windows\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
        
        C:\Windows\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
        
        C:\Windows\{6FB338A6-7D8B-4878-A750-C680FF908095}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
        
        C:\Windows\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
        
        C:\Windows\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{135867AC-20A5-4d81-8199-308905372871}.exe
        
        C:\Windows\{135867AC-20A5-4d81-8199-308905372871}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe
        
        C:\Windows\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}.exe
        
        C:\Windows\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A68E~1.EXE > nul
        12⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13586~1.EXE > nul
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA5CA~1.EXE > nul
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC6C~1.EXE > nul
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FB33~1.EXE > nul
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3E74~1.EXE > nul
        7⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7E4~1.EXE > nul
        6⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C2A~1.EXE > nul
        5⤵
        
        PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B224~1.EXE > nul
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1F21~1.EXE > nul
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C2AB08-BC61-4379-B6D7-A7F8209486F6}.exe

Filesize
344KB

MD5
a7e2fcfbcd14e032776298ed7eb0878e

SHA1
5228a004765edd2ddd7510077f910605002dac98

SHA256
1811cfaf0edb11f07b6ca5a7755db978fd30de22e1ad54417bc5fe18e6386279

SHA512
f02d397bdf245608473b4b40f49f7ce2cdc8675530d91b444de33802edd50914fe8ce20a745ed5d2d03bd860497f7d85e9e11bc6f0215eacb4f8cc61b715e8c5

Download Submit
C:\Windows\{0FC6CD96-E852-427d-A39F-4805AE14ADC5}.exe

Filesize
344KB

MD5
ecdb096874e032a642959d8f111a7673

SHA1
5318c812dd98907f7a25ca2f9675fc698622e596

SHA256
8e7554620cb4736fe834edd15c726d9587a4d9149c2f5ebb7d03cdc261bfb522

SHA512
44d706af5b1017c9e923b96c6e80511cb65c64686d0e037a07a0f2aba5e93ec8f329813adde44884dc14548784846eccdb36bb3306806bf2e3cf673ff8bdda1c

Download Submit
C:\Windows\{135867AC-20A5-4d81-8199-308905372871}.exe

Filesize
344KB

MD5
39248baf8b34468d40acb326c6e2ece7

SHA1
9207766f68befa3f8564dc9698952905f3259421

SHA256
25a668e57df27261f8f6f8746cf71f1c03ab96ac0d73f2a30cd0407456001e5c

SHA512
efd9b2c6d0eca04a07009c0002ae344e8c2f0dd830f5ac9aa430a704bf7f128eab754cd391d3749aea01e08cdfa52028d82239bcb300bc970503b6fd31b1c910

Download Submit
C:\Windows\{3A68E2E9-A02F-46d1-8206-5A3DACDCBD40}.exe

Filesize
344KB

MD5
08b7894e0ce750b7cbeacca96d73f06a

SHA1
111b643fba65be79a4bb46b91c162e71c78ea680

SHA256
d92ae3779e9e19c5dc995cc068bf7a0fa95c1a60ff267cbaaf8c3367ae64a061

SHA512
025e610083ebd98ef019958c8ce346180f209f58b191abb566325af0144643ed8a59780b4655a2d41f30e1fa237b95c1b0d64ceac11b21e8210dbc6ace201933

Download Submit
C:\Windows\{6FB338A6-7D8B-4878-A750-C680FF908095}.exe

Filesize
344KB

MD5
0f17e9cd09a29f364e4b41d8dea12855

SHA1
c7333851c9f250d40640ac8b13520ae2c92e23fd

SHA256
fdb1a7fe2aa88cc56821a3f81c1ccf3f4a83aa8ee9e661c86f5232f4eeb110ef

SHA512
e5a4f2daa74d7f1a8eae08e5d923c583f2f40e7741d27ddcd437cd7a200202899540533d285bd0f2608eb2e9974551ecbb6de130c70b809cea0d047022ec14bb

Download Submit
C:\Windows\{9B224681-388B-4131-93D8-39FA92F00E80}.exe

Filesize
344KB

MD5
47ec2e2cb29bf7e6ac5b1d625b431894

SHA1
88fb0f295c519004050aac0cb4b99fb3ac6cd88b

SHA256
445a8ff1113e4817fa21b6fedb2057d4afda586e6b524e75d4bd4364811b0121

SHA512
af6ed109c43def57076379eb3b6a17115ca9ea1d57494c3b7dd6f7b4a308a3aaecb02a8734cdca3b9c2c6ce116a2b7dcdfe40be5a5d4aa5bb1aeace188e73eca

Download Submit
C:\Windows\{B10FD96D-4D6E-407c-8C74-D25B1421FF8C}.exe

Filesize
344KB

MD5
78179efe271f01779f465fb2e5bc2801

SHA1
1138b139945be94fc119926c7f9b0eef4268dbec

SHA256
6338f5cf4dd876cc9e85601b9292d0997699689d6928b78fa9baae9a84ab4335

SHA512
61341ec62489e34aa695cd0b66132586514333ff3fc030f0d5e527106f388e62a9792a4e9c49e0b480d8fe462707757580fa6287cc14c8599a4791bfe86c7842

Download Submit
C:\Windows\{BA5CAC09-CE9C-40fe-8ED2-579040FA8C52}.exe

Filesize
344KB

MD5
6c775e4c24c150f841deda44c8102c1b

SHA1
046501a877b643f583465d973fae13a15b13ef21

SHA256
d246d98d3808bc83ccbfc26189552e07f175acd498e8d6a4e36a608f3a1ef07a

SHA512
35efdc011a1025ceac1041fbcd10143c46bec478b3f702ce35576c1435b76b8446843263d1367e11a20dd11555260ee5850d3299475e47e6af67991e73fb3da6

Download Submit
C:\Windows\{BC7E49FD-9417-4770-8B5F-063DDA0C6DE5}.exe

Filesize
344KB

MD5
55f838234c87af54cbf92666d29176c9

SHA1
db6f8d17462f23b4630016f2b55be738aabd7657

SHA256
4eadfc8f05b772e4f97938b360df616f1d78f63027360c627a738c4b13a71edf

SHA512
8aef53fcfe8c126b0a066d2e3044f6a2999bcad4cc6ba5c574832f84995c9c650fa257277220a650222c469b50502f7d61fcaed528349191144b6fd1acc36363

Download Submit
C:\Windows\{C1F21D73-7DEC-436d-ABC4-FD8C56DAF7DA}.exe

Filesize
344KB

MD5
b3a5c2fe324233008f9349aef8f0d6eb

SHA1
44cb384fc165217493f8b416494cb3afaa3027e4

SHA256
d42f67f501c2f73ec4dad79642a3fe8eee02ce3c95464f21fb5cec0001b74283

SHA512
3f6920187471d43475f8dcda2380b2c2fb676909a5ca815588d82c1839cd15bd223aa7d01cc040457e3f242e817e6b4bacf5c098acc07f17479c0d33648bc3e3

Download Submit
C:\Windows\{E3E74963-78B1-4075-AD8B-4F9578DF2AA4}.exe

Filesize
344KB

MD5
0f942894a8f738b4e6d6bd856f893c05

SHA1
d36c70ac8b883e4186343e9f76a407ace78ace43

SHA256
9ef4579ce465c114bc0695643e36775fd439f1bf6e70c3250d34871cb1198add

SHA512
79bcc9c0618900afc538d963ab54b12d2be91a6f8ff355fb932d2cbd848c8c58b709ea31cac482c44b2089459c5b0c5a40e0ee2634db1096d3505cc2670f2490

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads