05877561112a2769521ca091d0a5af648beee3956c8279d11064149f8dd7bb71

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe
Size

408KB
MD5

6fc12090822a30b1bc5a2b028d651e9f
SHA1

320b84a8e42b3637a4d6832f5c9fea81c832b5eb
SHA256

05877561112a2769521ca091d0a5af648beee3956c8279d11064149f8dd7bb71
SHA512

8a68a1051b2ed5b8b839c7d1261e5a901f2f1f5634bc2c7d846429927da928c275c6909256911f2c1f092fd0baffe246878b9bfadc716e5dd15fd1cbb19e10de
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGRldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012256-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012256-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012256-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012256-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012256-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96352912-5E5D-4a00-BCF3-DA4EA833198D}\stubpath = "C:\\Windows\\{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe"	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{721250C6-C8B2-417a-8008-C81BA5BF9008}	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFBBADF0-A208-4585-875C-C91F4D193941}	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65D4C397-A765-4a4c-B034-C38D82F55BF6}	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}\stubpath = "C:\\Windows\\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe"	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}	{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}\stubpath = "C:\\Windows\\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe"	{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}	{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{571A4BCB-A4F6-45d5-8623-580CB62C1139}	{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C028A79D-7F68-4507-A7F1-8BC398D10809}	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65D4C397-A765-4a4c-B034-C38D82F55BF6}\stubpath = "C:\\Windows\\{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe"	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}\stubpath = "C:\\Windows\\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe"	{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}\stubpath = "C:\\Windows\\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe"	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}\stubpath = "C:\\Windows\\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe"	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96352912-5E5D-4a00-BCF3-DA4EA833198D}	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{721250C6-C8B2-417a-8008-C81BA5BF9008}\stubpath = "C:\\Windows\\{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe"	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{571A4BCB-A4F6-45d5-8623-580CB62C1139}\stubpath = "C:\\Windows\\{571A4BCB-A4F6-45d5-8623-580CB62C1139}.exe"	{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFBBADF0-A208-4585-875C-C91F4D193941}\stubpath = "C:\\Windows\\{CFBBADF0-A208-4585-875C-C91F4D193941}.exe"	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C028A79D-7F68-4507-A7F1-8BC398D10809}\stubpath = "C:\\Windows\\{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe"	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe
2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe
2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
604	{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
1032	{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
2280	{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe
2296	{571A4BCB-A4F6-45d5-8623-580CB62C1139}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe
File created	C:\Windows\{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
File created	C:\Windows\{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
File created	C:\Windows\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe	{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
File created	C:\Windows\{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe
File created	C:\Windows\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
File created	C:\Windows\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
File created	C:\Windows\{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
File created	C:\Windows\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe	{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
File created	C:\Windows\{571A4BCB-A4F6-45d5-8623-580CB62C1139}.exe	{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe
File created	C:\Windows\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe
Token: SeIncBasePriorityPrivilege	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe
Token: SeIncBasePriorityPrivilege	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
Token: SeIncBasePriorityPrivilege	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
Token: SeIncBasePriorityPrivilege	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
Token: SeIncBasePriorityPrivilege	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
Token: SeIncBasePriorityPrivilege	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
Token: SeIncBasePriorityPrivilege	604	{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
Token: SeIncBasePriorityPrivilege	1032	{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
Token: SeIncBasePriorityPrivilege	2280	{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3052	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	28
PID 2368 wrote to memory of 3052	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	28
PID 2368 wrote to memory of 3052	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	28
PID 2368 wrote to memory of 3052	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	28
PID 2368 wrote to memory of 3048	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe	29
PID 3052 wrote to memory of 2584	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	30
PID 3052 wrote to memory of 2584	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	30
PID 3052 wrote to memory of 2584	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	30
PID 3052 wrote to memory of 2584	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	30
PID 3052 wrote to memory of 2468	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	31
PID 3052 wrote to memory of 2468	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	31
PID 3052 wrote to memory of 2468	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	31
PID 3052 wrote to memory of 2468	3052	{CFBBADF0-A208-4585-875C-C91F4D193941}.exe	31
PID 2584 wrote to memory of 2800	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	32
PID 2584 wrote to memory of 2800	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	32
PID 2584 wrote to memory of 2800	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	32
PID 2584 wrote to memory of 2800	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	32
PID 2584 wrote to memory of 2632	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	33
PID 2584 wrote to memory of 2632	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	33
PID 2584 wrote to memory of 2632	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	33
PID 2584 wrote to memory of 2632	2584	{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe	33
PID 2800 wrote to memory of 1804	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	36
PID 2800 wrote to memory of 1804	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	36
PID 2800 wrote to memory of 1804	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	36
PID 2800 wrote to memory of 1804	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	36
PID 2800 wrote to memory of 2720	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	37
PID 2800 wrote to memory of 2720	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	37
PID 2800 wrote to memory of 2720	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	37
PID 2800 wrote to memory of 2720	2800	{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe	37
PID 1804 wrote to memory of 2964	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	38
PID 1804 wrote to memory of 2964	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	38
PID 1804 wrote to memory of 2964	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	38
PID 1804 wrote to memory of 2964	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	38
PID 1804 wrote to memory of 2928	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	39
PID 1804 wrote to memory of 2928	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	39
PID 1804 wrote to memory of 2928	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	39
PID 1804 wrote to memory of 2928	1804	{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe	39
PID 2964 wrote to memory of 1768	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	40
PID 2964 wrote to memory of 1768	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	40
PID 2964 wrote to memory of 1768	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	40
PID 2964 wrote to memory of 1768	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	40
PID 2964 wrote to memory of 1976	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	41
PID 2964 wrote to memory of 1976	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	41
PID 2964 wrote to memory of 1976	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	41
PID 2964 wrote to memory of 1976	2964	{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe	41
PID 1768 wrote to memory of 1984	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	42
PID 1768 wrote to memory of 1984	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	42
PID 1768 wrote to memory of 1984	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	42
PID 1768 wrote to memory of 1984	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	42
PID 1768 wrote to memory of 1596	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	43
PID 1768 wrote to memory of 1596	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	43
PID 1768 wrote to memory of 1596	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	43
PID 1768 wrote to memory of 1596	1768	{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe	43
PID 1984 wrote to memory of 604	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	44
PID 1984 wrote to memory of 604	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	44
PID 1984 wrote to memory of 604	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	44
PID 1984 wrote to memory of 604	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	44
PID 1984 wrote to memory of 536	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	45
PID 1984 wrote to memory of 536	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	45
PID 1984 wrote to memory of 536	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	45
PID 1984 wrote to memory of 536	1984	{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_6fc12090822a30b1bc5a2b028d651e9f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{CFBBADF0-A208-4585-875C-C91F4D193941}.exe
  C:\Windows\{CFBBADF0-A208-4585-875C-C91F4D193941}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe
    C:\Windows\{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
      C:\Windows\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
        
        C:\Windows\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
        
        C:\Windows\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
        
        C:\Windows\{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
        
        C:\Windows\{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
        
        C:\Windows\{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
        
        C:\Windows\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe
        
        C:\Windows\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{571A4BCB-A4F6-45d5-8623-580CB62C1139}.exe
        
        C:\Windows\{571A4BCB-A4F6-45d5-8623-580CB62C1139}.exe
        12⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4D62~1.EXE > nul
        12⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94C6A~1.EXE > nul
        11⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72125~1.EXE > nul
        10⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96352~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65D4C~1.EXE > nul
        8⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3CFD~1.EXE > nul
        7⤵
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA9C~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56E5C~1.EXE > nul
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C028A~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CFBBA~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{56E5CDE7-108D-46a6-BF81-78D13BCC6682}.exe

Filesize
408KB

MD5
659679ea4f9887aeb5db4ac4242f25db

SHA1
db5e01d107a75a1d6823f2658f025d12ad436ffc

SHA256
5e9d50e5bbbe3d3fccf4e2793aa01b4648b56d5e61c834a51adf5ee1b28a72ab

SHA512
0ced1e03b25770f2b68cf8b52d81ca7a711f84cadbd8538c2b4270b7848c780d25aa9003e5202ecaacd75c53180a6181573e1e48d237a50b224566a986f53d56

Download Submit
C:\Windows\{571A4BCB-A4F6-45d5-8623-580CB62C1139}.exe

Filesize
408KB

MD5
93c60c49d5e68a9c718493f6a03d4306

SHA1
f007768d711c00a040f49687273caa43552f4af0

SHA256
e7592e3c0eb01773a5db5205310a83cf2764285b12f2055b55521563bee880e0

SHA512
60ef9c8b4d94a0f223ab402ba17e580f7d81550096238c7633f4b3929fa6b27bbdcb50073a44f09b3eb898c68e123c8e3119c7a573414686ef77ab9965c742b7

Download Submit
C:\Windows\{65D4C397-A765-4a4c-B034-C38D82F55BF6}.exe

Filesize
408KB

MD5
f32a197ee5bc2bdd05d45b6a4b044bdc

SHA1
035593e96cf3918815fbf10e72b213919123a11f

SHA256
75c5d9ff9a0dc998707a780d72bbcb5da790133155bb79d44db848562c80f77d

SHA512
c4521d4287fef4037abbb1e0d6df5b51e2d7592824583d77287b17690d27d3658f213f4781d26d10e56ee03b17a867288ed385c5195d295a53d8655757e46e51

Download Submit
C:\Windows\{721250C6-C8B2-417a-8008-C81BA5BF9008}.exe

Filesize
408KB

MD5
6f476a48b72a2cbd0123deabdb8620f8

SHA1
c36649109a8f169a506b5b010e306d8a20e3eea2

SHA256
c75458e14fd467fa17ed9d394ec67817c18f43c19082a115a850f715269d88a0

SHA512
08637aebe1309d9796467c5b30c2af2b8397357ef3e2c674a3281e64ac76300d6d60f1de0684ed4efb733732fc824a52651ec9904797d240fc0d805f29d8aa38

Download Submit
C:\Windows\{94C6A2B2-C8C1-42f8-A8F9-6B7AC0849525}.exe

Filesize
408KB

MD5
99d8ffef54d67611a8b1a5da6fd06f9c

SHA1
a362b05856dcd86a8e2e58a97ef496d15b86798c

SHA256
3a1901c598ed99836343df2a665078a70eb92dc462257eec1bed854ad1edd611

SHA512
183f5ad3382aefb03e84267c7f8b5a07b549cf1e518bd136581a7356a3891672c43740b4224d95f0d8a7a1d10c3681a7691656ff3afb6ce2d6a7cb4607391982

Download Submit
C:\Windows\{96352912-5E5D-4a00-BCF3-DA4EA833198D}.exe

Filesize
408KB

MD5
dd53a2a21d97b8edf85d33533c796b91

SHA1
96ce2cff97ea0d09e767a7e91449c4cb1f73cdae

SHA256
1e7a554a257c000de90572e34bae8241a7c0e4bc21734e8acfbe08408538dc01

SHA512
70a18819e8f0199316e861d0a00abef9fd301d8dcc8560bce5779c953c251d0ceabaa4d3a01fa57668c3c2218616d1521d650d5e025e24cfd8052ad37dae42bb

Download Submit
C:\Windows\{9AA9C9DC-6671-4deb-9229-D2C2D0234351}.exe

Filesize
408KB

MD5
bb1509d7dcfa7a80ce91ddd85b30cbad

SHA1
debc9bd3881c42a94f1b9b840cd399e0d1611dfb

SHA256
b0adcbaa66052e4a39fffbddc421fedef12299459706349f3bca10259338f5fd

SHA512
6b8e777dc926bd63223173fc8569620d38cc8f9e59579e41db640a9b744d5c4701d6a79cfc28fc7c14638b6d3f8b00f3c5fcd64248716c8612810e4048e0d9cd

Download Submit
C:\Windows\{A4D620D1-BCD7-4e83-86FE-9EC6F3217D9B}.exe

Filesize
408KB

MD5
5ebef482d23f6dc38d96c646728610d7

SHA1
c78bf1aaf23e78069d3aa3398ea01bd5433a3b69

SHA256
ecda627fe1a122dc23429066d0203d7be3c04b2dbcd86e30c1aa47e4e4fa7cc7

SHA512
a14221cab3b5ecd2f702d2e0e728d7c68a6f6264366ce521615925c58703c1bc6f05cdebb1f073099d1a4f0c6c4b238e78de3c8a6851ef2584584e4bc1483fa2

Download Submit
C:\Windows\{B3CFD0CA-8518-4e1d-96FE-B113832912D0}.exe

Filesize
408KB

MD5
69dbc296bf5dde7c5a6a10f33edfa894

SHA1
8a5109d02515697d97ac1cb317f4e1dea8e6a0c9

SHA256
2d9f62a15205dce748c4fc9b1ea5e59b344faf945f32817873f82ca6f7d2d28e

SHA512
f0b23b5294da0063a1d6035907baaff2365bd769ec9870a5e2c4c34f438664586028b0f698044976ce673bf1e24afae499bcf3d6fb4af6c268c897fe6fdac520

Download Submit
C:\Windows\{C028A79D-7F68-4507-A7F1-8BC398D10809}.exe

Filesize
408KB

MD5
e7e748463b3786248e56944dbbae186d

SHA1
1234ffd8a592661fa7d9e50d0a3a7ecd0207161d

SHA256
c6f62f794051771dfab7a06e9e14b23feab2c7c03b729e8d1da34a638ef715cf

SHA512
870c476154e5c779099a1e3b500a14ddd9ec186e24d5791e7c81e5897c76695288522ad3b2ccdca8013c94be6b9f7626f643cd0484f85ea236eb8b540fed3e25

Download Submit
C:\Windows\{CFBBADF0-A208-4585-875C-C91F4D193941}.exe

Filesize
408KB

MD5
bee447394fa8f9746798a9c32ef54e84

SHA1
fe231f3131459cdd843edcfa9dd1579705c0b5ac

SHA256
6643c5106ad211201f1deff402612f054e21fd62decb2a6d67fff6b377352071

SHA512
da7dec4b872fa4cab5085146d2d8f6ad49b15f22aa4232d7c76cdb6f435af57db4516633e7806cf3da392cbd4cc49c815fd38fef26af3aa5867a86c61d735c9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads