9689e553b97de54fef6a5ed442da1bd0ea963cea731e735cb4123de35d91a066

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe
Size

408KB
MD5

008118b49efe2d1a5092725a38ed4ffe
SHA1

1a01059c737ea87ff7dec3ed8b12765f62102760
SHA256

9689e553b97de54fef6a5ed442da1bd0ea963cea731e735cb4123de35d91a066
SHA512

07953ce1648c30e1041745650d9549ba7b65bc3988ce8fe25eb887b7428b5aef15c1b4900a686aaa6f577be99c84c7a0128287733a75bcd27df72930b406d373
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGRldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012326-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001480e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012326-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014eb9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012326-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012326-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012326-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}\stubpath = "C:\\Windows\\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe"	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}	{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{828F3F83-1094-484e-AFDE-D031820ADA17}\stubpath = "C:\\Windows\\{828F3F83-1094-484e-AFDE-D031820ADA17}.exe"	{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D6212B-1421-4281-881E-0455DACF0711}\stubpath = "C:\\Windows\\{83D6212B-1421-4281-881E-0455DACF0711}.exe"	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39B36C00-37A7-4219-8B87-49F5689691FB}	{76851605-5758-44fe-996C-C3F72EF9229D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5381F5A2-2674-4b0c-8446-933AA009D909}\stubpath = "C:\\Windows\\{5381F5A2-2674-4b0c-8446-933AA009D909}.exe"	{83D6212B-1421-4281-881E-0455DACF0711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76851605-5758-44fe-996C-C3F72EF9229D}	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39B36C00-37A7-4219-8B87-49F5689691FB}\stubpath = "C:\\Windows\\{39B36C00-37A7-4219-8B87-49F5689691FB}.exe"	{76851605-5758-44fe-996C-C3F72EF9229D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}\stubpath = "C:\\Windows\\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe"	{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}\stubpath = "C:\\Windows\\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe"	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5381F5A2-2674-4b0c-8446-933AA009D909}	{83D6212B-1421-4281-881E-0455DACF0711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}\stubpath = "C:\\Windows\\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe"	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76851605-5758-44fe-996C-C3F72EF9229D}\stubpath = "C:\\Windows\\{76851605-5758-44fe-996C-C3F72EF9229D}.exe"	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}\stubpath = "C:\\Windows\\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe"	{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}	{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}\stubpath = "C:\\Windows\\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe"	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D6212B-1421-4281-881E-0455DACF0711}	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{828F3F83-1094-484e-AFDE-D031820ADA17}	{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe

Deletes itself 1 IoCs

pid	Process
1724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe
2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe
1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
2892	{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
1892	{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
2216	{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe
1176	{828F3F83-1094-484e-AFDE-D031820ADA17}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{828F3F83-1094-484e-AFDE-D031820ADA17}.exe	{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe
File created	C:\Windows\{83D6212B-1421-4281-881E-0455DACF0711}.exe	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
File created	C:\Windows\{76851605-5758-44fe-996C-C3F72EF9229D}.exe	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
File created	C:\Windows\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
File created	C:\Windows\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe	{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
File created	C:\Windows\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe	{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
File created	C:\Windows\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe
File created	C:\Windows\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
File created	C:\Windows\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
File created	C:\Windows\{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	{83D6212B-1421-4281-881E-0455DACF0711}.exe
File created	C:\Windows\{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	{76851605-5758-44fe-996C-C3F72EF9229D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
Token: SeIncBasePriorityPrivilege	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
Token: SeIncBasePriorityPrivilege	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
Token: SeIncBasePriorityPrivilege	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe
Token: SeIncBasePriorityPrivilege	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
Token: SeIncBasePriorityPrivilege	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe
Token: SeIncBasePriorityPrivilege	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
Token: SeIncBasePriorityPrivilege	2892	{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
Token: SeIncBasePriorityPrivilege	1892	{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
Token: SeIncBasePriorityPrivilege	2216	{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2584	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	28
PID 1728 wrote to memory of 2584	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	28
PID 1728 wrote to memory of 2584	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	28
PID 1728 wrote to memory of 2584	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	28
PID 1728 wrote to memory of 1724	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	29
PID 1728 wrote to memory of 1724	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	29
PID 1728 wrote to memory of 1724	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	29
PID 1728 wrote to memory of 1724	1728	2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe	29
PID 2584 wrote to memory of 2500	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	30
PID 2584 wrote to memory of 2500	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	30
PID 2584 wrote to memory of 2500	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	30
PID 2584 wrote to memory of 2500	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	30
PID 2584 wrote to memory of 1964	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	31
PID 2584 wrote to memory of 1964	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	31
PID 2584 wrote to memory of 1964	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	31
PID 2584 wrote to memory of 1964	2584	{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe	31
PID 2500 wrote to memory of 2720	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	32
PID 2500 wrote to memory of 2720	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	32
PID 2500 wrote to memory of 2720	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	32
PID 2500 wrote to memory of 2720	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	32
PID 2500 wrote to memory of 2560	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	33
PID 2500 wrote to memory of 2560	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	33
PID 2500 wrote to memory of 2560	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	33
PID 2500 wrote to memory of 2560	2500	{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe	33
PID 2720 wrote to memory of 2316	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	36
PID 2720 wrote to memory of 2316	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	36
PID 2720 wrote to memory of 2316	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	36
PID 2720 wrote to memory of 2316	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	36
PID 2720 wrote to memory of 1228	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	37
PID 2720 wrote to memory of 1228	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	37
PID 2720 wrote to memory of 1228	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	37
PID 2720 wrote to memory of 1228	2720	{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe	37
PID 2316 wrote to memory of 2496	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	38
PID 2316 wrote to memory of 2496	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	38
PID 2316 wrote to memory of 2496	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	38
PID 2316 wrote to memory of 2496	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	38
PID 2316 wrote to memory of 2852	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	39
PID 2316 wrote to memory of 2852	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	39
PID 2316 wrote to memory of 2852	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	39
PID 2316 wrote to memory of 2852	2316	{83D6212B-1421-4281-881E-0455DACF0711}.exe	39
PID 2496 wrote to memory of 1568	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	40
PID 2496 wrote to memory of 1568	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	40
PID 2496 wrote to memory of 1568	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	40
PID 2496 wrote to memory of 1568	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	40
PID 2496 wrote to memory of 1596	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	41
PID 2496 wrote to memory of 1596	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	41
PID 2496 wrote to memory of 1596	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	41
PID 2496 wrote to memory of 1596	2496	{5381F5A2-2674-4b0c-8446-933AA009D909}.exe	41
PID 1568 wrote to memory of 1440	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	43
PID 1568 wrote to memory of 1440	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	43
PID 1568 wrote to memory of 1440	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	43
PID 1568 wrote to memory of 1440	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	43
PID 1568 wrote to memory of 1636	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	42
PID 1568 wrote to memory of 1636	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	42
PID 1568 wrote to memory of 1636	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	42
PID 1568 wrote to memory of 1636	1568	{76851605-5758-44fe-996C-C3F72EF9229D}.exe	42
PID 1440 wrote to memory of 2892	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	45
PID 1440 wrote to memory of 2892	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	45
PID 1440 wrote to memory of 2892	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	45
PID 1440 wrote to memory of 2892	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	45
PID 1440 wrote to memory of 2828	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	44
PID 1440 wrote to memory of 2828	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	44
PID 1440 wrote to memory of 2828	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	44
PID 1440 wrote to memory of 2828	1440	{39B36C00-37A7-4219-8B87-49F5689691FB}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_008118b49efe2d1a5092725a38ed4ffe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
  C:\Windows\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
    C:\Windows\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
      C:\Windows\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{83D6212B-1421-4281-881E-0455DACF0711}.exe
        
        C:\Windows\{83D6212B-1421-4281-881E-0455DACF0711}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
        
        C:\Windows\{5381F5A2-2674-4b0c-8446-933AA009D909}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{76851605-5758-44fe-996C-C3F72EF9229D}.exe
        
        C:\Windows\{76851605-5758-44fe-996C-C3F72EF9229D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76851~1.EXE > nul
        8⤵
        
        PID:1636
        
        C:\Windows\{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
        
        C:\Windows\{39B36C00-37A7-4219-8B87-49F5689691FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39B36~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
        
        C:\Windows\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC01B~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
        
        C:\Windows\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe
        
        C:\Windows\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE8B3~1.EXE > nul
        12⤵
        
        PID:1768
        
        C:\Windows\{828F3F83-1094-484e-AFDE-D031820ADA17}.exe
        
        C:\Windows\{828F3F83-1094-484e-AFDE-D031820ADA17}.exe
        12⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42D36~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5381F~1.EXE > nul
        7⤵
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83D62~1.EXE > nul
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA45~1.EXE > nul
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACBD~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD356~1.EXE > nul
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{39B36C00-37A7-4219-8B87-49F5689691FB}.exe

Filesize
408KB

MD5
35a940c6d1f9f81fc71331a861cd4e5f

SHA1
57aa4f0f16073899f19195c0321e43637581e571

SHA256
045b0e46910d11f88ca6b195dba319dfa5f75e62ec4517b2043da1505b7b21c0

SHA512
f696f2c33a589ea77542e1e9505c54cbc2caae75e675f3f198e4581edb446486cf4e1866dfa716019fed7ef9d68b18b227e7fe0c4e106b866c97f6275d3c8568

Download Submit
C:\Windows\{3ACBDB27-D86A-4f85-9A93-51388DE59EF8}.exe

Filesize
408KB

MD5
dbe13d0201eb269f817709d8a412dd61

SHA1
e5f06971ca2ecd4542cc0e80f7b5c0544816b6e2

SHA256
71c54eb495a4eea20b735fa551a6c316b2ae24e6fdb546f6d092895e3384fe1e

SHA512
e7ac319d57b8bd012fe16003ffab0838c1bcf811a65623c1b7bc418cd654066001f71aa766e3a39841b9956cd5630fd55120689c10325953c9769f9ebef63fd6

Download Submit
C:\Windows\{42D367B8-C4D1-4d50-A369-9908ADC7E3E9}.exe

Filesize
408KB

MD5
26915b84820e9f550b83d7e2ce2b9324

SHA1
4088bf66c1827adc828d146beb23c56e90e5fbe3

SHA256
d5ef476dcba763125b8102ec312032d0437ac456812381a62573e87a5de25df1

SHA512
89e7e98f43bf2bdda4ccd0852f2cd38eec42c52d43dacb6c0f083edaa608821ba567752d1316ecc4d0ba0aadd0c7a4fa0f9d1f4916c80e0b2d368315d648a60a

Download Submit
C:\Windows\{5381F5A2-2674-4b0c-8446-933AA009D909}.exe

Filesize
408KB

MD5
9ec97970c9631ba1a402554a4392765f

SHA1
941b0b6d60dab9e08bfecaaf3e620d67ab69009b

SHA256
9c47fbfe04f61e2acbda2b9a2b13d5d8a144632efd2b0fa98c3e734e232861a2

SHA512
13f8e1ef9efd4925dd39c976b911b71779ba437e40cd9dfa6301854c8d41198fa3b0193c206047e8c41b7a87b61a84a272fc0a1242a1aa44e93ecae0713a1610

Download Submit
C:\Windows\{76851605-5758-44fe-996C-C3F72EF9229D}.exe

Filesize
408KB

MD5
532321fc8238914c3a7c903fc7f484d4

SHA1
27d73f90505b751a80a1e9483a07d43cc3a2cbd3

SHA256
7255d6e3f99582e02f5c593c831be8bc3047c368624c0d39a4286a23d2fbdd63

SHA512
03527e2c77535aa055fd01829a1a759951a0c9ff3b77a6b8bd50254deb46ec281b6c5507d0cc7e8e092f1b616357e9594520be16e9c636bc93a32db914750d2c

Download Submit
C:\Windows\{828F3F83-1094-484e-AFDE-D031820ADA17}.exe

Filesize
408KB

MD5
dedea8a32505860b4e98c41fe43b8e6f

SHA1
18de34ba03a77e96d3944e53f3e9bd52de032c01

SHA256
7ac4dd87a9b4bb12c6e8df2c4ecf7cd3d13920a34c24adceabfc25ebdc94cb90

SHA512
870c696fe1e654b0b095c45e649e2fe810af8dd4b03a41e063e37fd3c67d32542b5fa40c5c8fefbca4a367350fc39adb8b01b9bc8e21996913673f39c7020608

Download Submit
C:\Windows\{83D6212B-1421-4281-881E-0455DACF0711}.exe

Filesize
408KB

MD5
c1511f3986c97334fff53e092f64c522

SHA1
e66ea4af6c4c5ff245c7367b3a98e4bf79125733

SHA256
02fdba8b469fa4396bc539f3e683da868c637501698791de49e6c57ab936d387

SHA512
45f5e2a90b2656d5dc7fe9f8986429dc2c0475b23ee801e0d3d823d972c18c0f3d37e704754401cf7d183f086b3ff7ab4396772f96c515ca1f67d5e662f3953c

Download Submit
C:\Windows\{ACA45AEB-7064-4bba-95CB-627EAE9E3F6F}.exe

Filesize
408KB

MD5
4eeb7f622a320253ba5ed4a1253f9bbc

SHA1
4278b94850331e2785bf19b27fef823714e68e91

SHA256
25643b3011f438b86ce76fe0c1e6b3d3e17aef1617893976286e1c7b3a0295ae

SHA512
10df0a25a04c8e413720c57df5b56ec7ee94c1da1b7522d1dc7bd4ff6f37c85f032053ad4fa2804eafaaed6f8786a559b7aef537057ac536bc18a49fa1a92e10

Download Submit
C:\Windows\{BE8B3B40-8F65-4d7b-9C87-F77713765EAB}.exe

Filesize
408KB

MD5
519a41adaf1fea3b99077088b9f529aa

SHA1
8c1425218444690e05cf714e16703d904fd2e545

SHA256
cc2c7ab325a7fdc37a8e202d57933ad548f9f1bbe05b9fc12c7f18e84acbab11

SHA512
db9b3cd423fa794eb16624e79559033f8d934840875f330a2bcbca301d64b59916ee4aec4294fcf5b4c777179d273556d54e08b9b5311008817b38bf68bab998

Download Submit
C:\Windows\{DD3565EF-D5FE-4be0-94EE-B4DA14F0C3CB}.exe

Filesize
408KB

MD5
175bcd427e84b1dd649fd3d611530a0b

SHA1
010678d0fdd25768d37139bf0f698cf48e7a47b4

SHA256
f5b4d1e79d758f84382a9b6dba1c6285d3c8dc20231bc7a35ccfffd7133dab8a

SHA512
419905921e0e8554049e59259f63f1400585019bd7c6c491ef605e247d446d6552636005c8140c39ab653c2a02e35ee612cd9ea799b9067a7db329b6ca1cad19

Download Submit
C:\Windows\{FC01B21B-EC04-4c14-A3F1-9D2F2C4FDE6A}.exe

Filesize
408KB

MD5
0bad2c999186e26164e3449b8c5ec128

SHA1
455f0cbd6a564ae0c253c93ad82640f4948110ff

SHA256
ef90809807d388231563df81c8112e5d6c17f32ae7ee05bd46f60f6e8a2d7aac

SHA512
e6df22043c6eb6ff0b33c534dbb1a8f2d309edf2ff3729ddcc56f284240f15956cf24225ad0cb2290a73c864c68e54667fc558f0984652b5671734ab0a501dd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads