3e403712421e430d21b7225a3bd24563f234344b7af3d08cf2aae0468ea864f0

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Size

204KB
MD5

83e0e740ca8244b58ca48136f73bd600
SHA1

1e6a05d072007b7af3184b7a8039e33b0e5b05dd
SHA256

3e403712421e430d21b7225a3bd24563f234344b7af3d08cf2aae0468ea864f0
SHA512

f47a85b943b0d86999275fe6490ff3e475079d8c90cc976e90ff671e76e7331fa6d51dc2bcc49a7038c35849c46b8a192e4721b2086b0200df0ce7ad9dd45943
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oDl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012252-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012252-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012252-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4726999-3773-4ed3-9A25-BBAA69DE5481}	{8971CF60-D371-4eef-B545-B63071820DC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}\stubpath = "C:\\Windows\\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe"	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}\stubpath = "C:\\Windows\\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe"	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}\stubpath = "C:\\Windows\\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe"	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB86041-9E56-40ed-A74E-2644B853C168}\stubpath = "C:\\Windows\\{3EB86041-9E56-40ed-A74E-2644B853C168}.exe"	{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F049A13-5795-48e4-966C-7D15908B7162}\stubpath = "C:\\Windows\\{7F049A13-5795-48e4-966C-7D15908B7162}.exe"	{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}\stubpath = "C:\\Windows\\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe"	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8971CF60-D371-4eef-B545-B63071820DC5}	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8971CF60-D371-4eef-B545-B63071820DC5}\stubpath = "C:\\Windows\\{8971CF60-D371-4eef-B545-B63071820DC5}.exe"	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A96BBB-8606-437f-8B56-0C18DFFA6714}\stubpath = "C:\\Windows\\{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe"	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB86041-9E56-40ed-A74E-2644B853C168}	{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F049A13-5795-48e4-966C-7D15908B7162}	{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4726999-3773-4ed3-9A25-BBAA69DE5481}\stubpath = "C:\\Windows\\{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe"	{8971CF60-D371-4eef-B545-B63071820DC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522A04E7-DB92-4d45-B1AF-5529EBB83865}	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A96BBB-8606-437f-8B56-0C18DFFA6714}	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522A04E7-DB92-4d45-B1AF-5529EBB83865}\stubpath = "C:\\Windows\\{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe"	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F85C8F-3E45-4b62-ACED-5594F62718F7}	{3EB86041-9E56-40ed-A74E-2644B853C168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F85C8F-3E45-4b62-ACED-5594F62718F7}\stubpath = "C:\\Windows\\{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe"	{3EB86041-9E56-40ed-A74E-2644B853C168}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe
2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe
1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
2368	{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
2268	{3EB86041-9E56-40ed-A74E-2644B853C168}.exe
2776	{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe
1488	{7F049A13-5795-48e4-966C-7D15908B7162}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3EB86041-9E56-40ed-A74E-2644B853C168}.exe	{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
File created	C:\Windows\{7F049A13-5795-48e4-966C-7D15908B7162}.exe	{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe
File created	C:\Windows\{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	{8971CF60-D371-4eef-B545-B63071820DC5}.exe
File created	C:\Windows\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
File created	C:\Windows\{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
File created	C:\Windows\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
File created	C:\Windows\{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe	{3EB86041-9E56-40ed-A74E-2644B853C168}.exe
File created	C:\Windows\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
File created	C:\Windows\{8971CF60-D371-4eef-B545-B63071820DC5}.exe	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
File created	C:\Windows\{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
File created	C:\Windows\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
Token: SeIncBasePriorityPrivilege	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe
Token: SeIncBasePriorityPrivilege	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
Token: SeIncBasePriorityPrivilege	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
Token: SeIncBasePriorityPrivilege	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
Token: SeIncBasePriorityPrivilege	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe
Token: SeIncBasePriorityPrivilege	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
Token: SeIncBasePriorityPrivilege	2368	{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
Token: SeIncBasePriorityPrivilege	2268	{3EB86041-9E56-40ed-A74E-2644B853C168}.exe
Token: SeIncBasePriorityPrivilege	2776	{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2652	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	28
PID 2308 wrote to memory of 2652	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	28
PID 2308 wrote to memory of 2652	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	28
PID 2308 wrote to memory of 2652	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	28
PID 2308 wrote to memory of 2584	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	29
PID 2308 wrote to memory of 2584	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	29
PID 2308 wrote to memory of 2584	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	29
PID 2308 wrote to memory of 2584	2308	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	29
PID 2652 wrote to memory of 3024	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	30
PID 2652 wrote to memory of 3024	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	30
PID 2652 wrote to memory of 3024	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	30
PID 2652 wrote to memory of 3024	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	30
PID 2652 wrote to memory of 2764	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	31
PID 2652 wrote to memory of 2764	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	31
PID 2652 wrote to memory of 2764	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	31
PID 2652 wrote to memory of 2764	2652	{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe	31
PID 3024 wrote to memory of 2544	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	32
PID 3024 wrote to memory of 2544	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	32
PID 3024 wrote to memory of 2544	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	32
PID 3024 wrote to memory of 2544	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	32
PID 3024 wrote to memory of 2888	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	33
PID 3024 wrote to memory of 2888	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	33
PID 3024 wrote to memory of 2888	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	33
PID 3024 wrote to memory of 2888	3024	{8971CF60-D371-4eef-B545-B63071820DC5}.exe	33
PID 2544 wrote to memory of 2860	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	36
PID 2544 wrote to memory of 2860	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	36
PID 2544 wrote to memory of 2860	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	36
PID 2544 wrote to memory of 2860	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	36
PID 2544 wrote to memory of 1664	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	37
PID 2544 wrote to memory of 1664	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	37
PID 2544 wrote to memory of 1664	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	37
PID 2544 wrote to memory of 1664	2544	{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe	37
PID 2860 wrote to memory of 2736	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	38
PID 2860 wrote to memory of 2736	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	38
PID 2860 wrote to memory of 2736	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	38
PID 2860 wrote to memory of 2736	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	38
PID 2860 wrote to memory of 2840	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	39
PID 2860 wrote to memory of 2840	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	39
PID 2860 wrote to memory of 2840	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	39
PID 2860 wrote to memory of 2840	2860	{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe	39
PID 2736 wrote to memory of 1704	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	40
PID 2736 wrote to memory of 1704	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	40
PID 2736 wrote to memory of 1704	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	40
PID 2736 wrote to memory of 1704	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	40
PID 2736 wrote to memory of 1936	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	41
PID 2736 wrote to memory of 1936	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	41
PID 2736 wrote to memory of 1936	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	41
PID 2736 wrote to memory of 1936	2736	{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe	41
PID 1704 wrote to memory of 1660	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	42
PID 1704 wrote to memory of 1660	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	42
PID 1704 wrote to memory of 1660	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	42
PID 1704 wrote to memory of 1660	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	42
PID 1704 wrote to memory of 1968	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	43
PID 1704 wrote to memory of 1968	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	43
PID 1704 wrote to memory of 1968	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	43
PID 1704 wrote to memory of 1968	1704	{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe	43
PID 1660 wrote to memory of 2368	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	44
PID 1660 wrote to memory of 2368	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	44
PID 1660 wrote to memory of 2368	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	44
PID 1660 wrote to memory of 2368	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	44
PID 1660 wrote to memory of 1536	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	45
PID 1660 wrote to memory of 1536	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	45
PID 1660 wrote to memory of 1536	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	45
PID 1660 wrote to memory of 1536	1660	{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
  C:\Windows\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\{8971CF60-D371-4eef-B545-B63071820DC5}.exe
    C:\Windows\{8971CF60-D371-4eef-B545-B63071820DC5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
      C:\Windows\{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
        
        C:\Windows\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
        
        C:\Windows\{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe
        
        C:\Windows\{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
        
        C:\Windows\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
        
        C:\Windows\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\{3EB86041-9E56-40ed-A74E-2644B853C168}.exe
        
        C:\Windows\{3EB86041-9E56-40ed-A74E-2644B853C168}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe
        
        C:\Windows\{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{7F049A13-5795-48e4-966C-7D15908B7162}.exe
        
        C:\Windows\{7F049A13-5795-48e4-966C-7D15908B7162}.exe
        12⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41F85~1.EXE > nul
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB86~1.EXE > nul
        11⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DAC5~1.EXE > nul
        10⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{468B1~1.EXE > nul
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{522A0~1.EXE > nul
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A96~1.EXE > nul
        7⤵
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE48F~1.EXE > nul
        6⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4726~1.EXE > nul
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8971C~1.EXE > nul
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A83ED~1.EXE > nul
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3EB86041-9E56-40ed-A74E-2644B853C168}.exe

Filesize
204KB

MD5
37f9fc4d5e506da5b45cff49a0ba1d89

SHA1
cbfe82368d92af14755ea826e87ccf448d0cee50

SHA256
d4b14e2bb25862e2a07c95d96114604ee53e3ea5905ceb4d548b0722357b679d

SHA512
b531dd7ec19c8208666bd6691ab497ff310bdc6e609fd6704f8d46a7b3a7403f393c8fe05ccb4ea572d9e264d758887781190f6fac8d3f5a422c7568e8d3d798

Download Submit
C:\Windows\{41F85C8F-3E45-4b62-ACED-5594F62718F7}.exe

Filesize
204KB

MD5
17dd3ee08eebe2f0dc6d1882850c5009

SHA1
3858f91ed780f192684379d7738cbd47c21f8c9a

SHA256
357c85e4f0a5b96b62490870430ac86a70b1f0963dee3529face3fa695901638

SHA512
e2ab71567190ba594edaae09ba4dfaf6ad0c1669645de3f4a220a348759de602ad2890e6ff0f092e48d979ed0208f93c2329d9368b34bc33e30638a6c87b382e

Download Submit
C:\Windows\{468B1B00-0AD9-41fb-89EC-07BCB8C44A18}.exe

Filesize
204KB

MD5
4198c170f8324004e1446493cb4ffd0c

SHA1
8840c61e1d8c6c1a32b522c24054d096395b149b

SHA256
eb162eafcbe298eaa9feb5481f36783e3246639328cbd0844a94d5020b2448a6

SHA512
0155190fc8ac1078f34283dc5d154ca397a7d7adef4fce55e90e075de993e6bb752e3ee9b291aad7226073a5aa0cbe03a87eb005131105cb9ca2f3b8a08cce11

Download Submit
C:\Windows\{522A04E7-DB92-4d45-B1AF-5529EBB83865}.exe

Filesize
204KB

MD5
3a4fec7a5f648d3a5142bd8a2e18774d

SHA1
e4df171301c07a965262d82cdff884439610a2fe

SHA256
2ba280035265d56d0cae546acb77b9c882ce97d2671f77454810630dab71ffef

SHA512
7d8db8cc37db2e19a14522120b6daf32208ed3f04f18e9d191a1302df38ccbe131458143dcd263bfc1cfbf4fc1c3d8404c880fbe031b9e40f653f37d99fae795

Download Submit
C:\Windows\{66A96BBB-8606-437f-8B56-0C18DFFA6714}.exe

Filesize
204KB

MD5
4732d222af410d2fc31425d207678911

SHA1
2c47043011b4bb4041f3d53a7f66c790af51a6d8

SHA256
b9c9fe2257ad4964983e7e7c08f90b4e994f4d1513e994dd13b4b77e87159e31

SHA512
4420802a8765506a43c33b2729ebf9e60469d69cdb45bfa06253404ad5a3dff3f905a4b2dd768f06d9ef8ea53f2f724ec71d2fe9118ecddbf6a86d227e7e6d3b

Download Submit
C:\Windows\{7F049A13-5795-48e4-966C-7D15908B7162}.exe

Filesize
204KB

MD5
23cad36a604af556770e1bf4de48bd9e

SHA1
84cce6fd48883c1091374b408e989d03c5daa7c3

SHA256
c57a64a6611161d174454796674a502d016bb57da0364db5e5ebeb3957bd777d

SHA512
26cf36792ec46dd16279f6db441bb06b665b5f3d9cfc87fd38cf3260200fb59a2514c535023f1ae5239c2a7aeedeb2c39e34d8e5c4e43b127b14135b088e1dad

Download Submit
C:\Windows\{8971CF60-D371-4eef-B545-B63071820DC5}.exe

Filesize
204KB

MD5
dbf9f28b7547d6cd8ecea242e280f6e6

SHA1
963b6aa1e25a15e1d315568855cc0964fc05f6cf

SHA256
80415764a4906c1213480133ec4dd166f6eb3aa70094f47d21e4480bec7bc2a6

SHA512
6b8662660b1c58b427b4e37c09105bc7788545df901fb8f2e873bf565dd0f9ad2bb5d36acac1f980e0ce6c1dd6f0c840fad4cb782847656e35725283e0ce3aa9

Download Submit
C:\Windows\{8DAC5D6E-BAF6-4d1e-A59E-BD7E55DC619A}.exe

Filesize
204KB

MD5
5097af41f4f084d627e01837684e08de

SHA1
1fa911d2de2cb7366eafb8a23e60010190ed80b8

SHA256
34c614de002e7f1b02a591d64a133260e5294d0e88ef59a27b351ae45e5a8e69

SHA512
a346c4e70a6e685e26cf041192c5848f311077846af7ffd419aeff9570c6cbf618ae8b2405ea0d968b58125877b0316eb8e73a38339c91f30b4489403aa91b24

Download Submit
C:\Windows\{A83ED554-56C8-4a65-98BC-F20E342E0DA5}.exe

Filesize
204KB

MD5
35cc1632ec1b7dc54f0b1045622b7aac

SHA1
8a9ee0bf005d72cd0be1186485178d6779a71444

SHA256
4536a72e1dce95ce0bdca6fb48533a922269fc33a2d4119ffca023ec577ea91a

SHA512
dd0cb5c99ecdbed81133276f4c318e00a696360d9be96c892c9ea28a732a9799d003b393222023e2f8c4123924fc42854dd90a6f516e3d726b448af5f15cc1be

Download Submit
C:\Windows\{B4726999-3773-4ed3-9A25-BBAA69DE5481}.exe

Filesize
204KB

MD5
2737439b2f97c1ba5e38366c8e858013

SHA1
8defaa0b5bc1f2c76311217306dd8896f8ec1fb0

SHA256
c174ad85f02251d0d36639c90a31d5473fc5dc7e6074c03a36803a2873c2b67d

SHA512
ff8e74e37d7eee75fc8c91637a743a5abbe648c4caf7b30128fa72d7473303f8df256202b1da1e32f7ed16ded1f30944675e8c292eb55baa94f6bd0cfb829c2b

Download Submit
C:\Windows\{BE48F0CA-A2A3-4563-B187-5BDCD1BF2E96}.exe

Filesize
204KB

MD5
3cecf30e05a8c6d09093855793e1178b

SHA1
e4d702b7c6ed458ccfad064756f78261b6077bc0

SHA256
291fbbac108c987bf8d11973bbe652df83a2acfbedc1c5a0dd03644a2aeda95c

SHA512
98f3ee383f372c2d7f49b4fa9208cea11d173055172d73cb33b2f2ddae778c70c0d250b2e00e4773442b1cbd6d2c14f7a241727482d05f66175019e03f706af7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads