b8d895e683e189930d9625d2ce972e5274a9fccb29a2755ab3ea684cb2381ba0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Size

216KB
MD5

9b8b77226735127bc2b90856a560fc2b
SHA1

f73e4b0d935d6d96516c8721b5e2307be721cca1
SHA256

b8d895e683e189930d9625d2ce972e5274a9fccb29a2755ab3ea684cb2381ba0
SHA512

b1f2b977a4862dc968b3342c6a7e8b90ec149381641545c46a369abde474dd5deca7a057454ff5d7b84a3caa02d94fb703c7d0cb9f0080cc09b90dd996305cb5
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGJlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014b70-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014ef8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014b70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015616-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014b70-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b70-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014b70-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58860A64-384E-479c-AF29-CB6660E60247}\stubpath = "C:\\Windows\\{58860A64-384E-479c-AF29-CB6660E60247}.exe"	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}	{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}	{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05AEA305-F476-4241-9E94-D988F0EA9D32}\stubpath = "C:\\Windows\\{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe"	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}\stubpath = "C:\\Windows\\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe"	{58860A64-384E-479c-AF29-CB6660E60247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}\stubpath = "C:\\Windows\\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe"	{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}	{58860A64-384E-479c-AF29-CB6660E60247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B49C96-1880-4229-8748-9B11BDDEE1B7}	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B49C96-1880-4229-8748-9B11BDDEE1B7}\stubpath = "C:\\Windows\\{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe"	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}	{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426CB7DD-8D61-444d-B1A5-4015689F9F23}	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}\stubpath = "C:\\Windows\\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe"	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05AEA305-F476-4241-9E94-D988F0EA9D32}	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58860A64-384E-479c-AF29-CB6660E60247}	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}\stubpath = "C:\\Windows\\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe"	{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}\stubpath = "C:\\Windows\\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}.exe"	{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426CB7DD-8D61-444d-B1A5-4015689F9F23}\stubpath = "C:\\Windows\\{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe"	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FDFC999-6671-469e-9E58-666B4BA56C1E}	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FDFC999-6671-469e-9E58-666B4BA56C1E}\stubpath = "C:\\Windows\\{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe"	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}\stubpath = "C:\\Windows\\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe"	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe

Executes dropped EXE 11 IoCs

pid	Process
1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe
2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe
2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
1880	{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
1640	{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
2056	{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe
600	{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe	{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
File created	C:\Windows\{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
File created	C:\Windows\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
File created	C:\Windows\{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
File created	C:\Windows\{58860A64-384E-479c-AF29-CB6660E60247}.exe	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
File created	C:\Windows\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	{58860A64-384E-479c-AF29-CB6660E60247}.exe
File created	C:\Windows\{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
File created	C:\Windows\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe
File created	C:\Windows\{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
File created	C:\Windows\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe	{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
File created	C:\Windows\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}.exe	{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
Token: SeIncBasePriorityPrivilege	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
Token: SeIncBasePriorityPrivilege	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
Token: SeIncBasePriorityPrivilege	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe
Token: SeIncBasePriorityPrivilege	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
Token: SeIncBasePriorityPrivilege	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe
Token: SeIncBasePriorityPrivilege	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
Token: SeIncBasePriorityPrivilege	1880	{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
Token: SeIncBasePriorityPrivilege	1640	{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
Token: SeIncBasePriorityPrivilege	2056	{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1268	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	28
PID 1368 wrote to memory of 1268	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	28
PID 1368 wrote to memory of 1268	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	28
PID 1368 wrote to memory of 1268	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	28
PID 1368 wrote to memory of 2840	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	29
PID 1368 wrote to memory of 2840	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	29
PID 1368 wrote to memory of 2840	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	29
PID 1368 wrote to memory of 2840	1368	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	29
PID 1268 wrote to memory of 2784	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	30
PID 1268 wrote to memory of 2784	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	30
PID 1268 wrote to memory of 2784	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	30
PID 1268 wrote to memory of 2784	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	30
PID 1268 wrote to memory of 2640	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	31
PID 1268 wrote to memory of 2640	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	31
PID 1268 wrote to memory of 2640	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	31
PID 1268 wrote to memory of 2640	1268	{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe	31
PID 2784 wrote to memory of 2688	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	32
PID 2784 wrote to memory of 2688	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	32
PID 2784 wrote to memory of 2688	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	32
PID 2784 wrote to memory of 2688	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	32
PID 2784 wrote to memory of 1184	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	33
PID 2784 wrote to memory of 1184	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	33
PID 2784 wrote to memory of 1184	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	33
PID 2784 wrote to memory of 1184	2784	{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe	33
PID 2688 wrote to memory of 2508	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	36
PID 2688 wrote to memory of 2508	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	36
PID 2688 wrote to memory of 2508	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	36
PID 2688 wrote to memory of 2508	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	36
PID 2688 wrote to memory of 2788	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	37
PID 2688 wrote to memory of 2788	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	37
PID 2688 wrote to memory of 2788	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	37
PID 2688 wrote to memory of 2788	2688	{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe	37
PID 2508 wrote to memory of 2484	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	38
PID 2508 wrote to memory of 2484	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	38
PID 2508 wrote to memory of 2484	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	38
PID 2508 wrote to memory of 2484	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	38
PID 2508 wrote to memory of 2148	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	39
PID 2508 wrote to memory of 2148	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	39
PID 2508 wrote to memory of 2148	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	39
PID 2508 wrote to memory of 2148	2508	{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe	39
PID 2484 wrote to memory of 1072	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	40
PID 2484 wrote to memory of 1072	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	40
PID 2484 wrote to memory of 1072	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	40
PID 2484 wrote to memory of 1072	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	40
PID 2484 wrote to memory of 1476	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	41
PID 2484 wrote to memory of 1476	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	41
PID 2484 wrote to memory of 1476	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	41
PID 2484 wrote to memory of 1476	2484	{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe	41
PID 1072 wrote to memory of 2832	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	42
PID 1072 wrote to memory of 2832	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	42
PID 1072 wrote to memory of 2832	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	42
PID 1072 wrote to memory of 2832	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	42
PID 1072 wrote to memory of 2808	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	43
PID 1072 wrote to memory of 2808	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	43
PID 1072 wrote to memory of 2808	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	43
PID 1072 wrote to memory of 2808	1072	{58860A64-384E-479c-AF29-CB6660E60247}.exe	43
PID 2832 wrote to memory of 1880	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	44
PID 2832 wrote to memory of 1880	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	44
PID 2832 wrote to memory of 1880	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	44
PID 2832 wrote to memory of 1880	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	44
PID 2832 wrote to memory of 2276	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	45
PID 2832 wrote to memory of 2276	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	45
PID 2832 wrote to memory of 2276	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	45
PID 2832 wrote to memory of 2276	2832	{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
  C:\Windows\{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
    C:\Windows\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
      C:\Windows\{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe
        
        C:\Windows\{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
        
        C:\Windows\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{58860A64-384E-479c-AF29-CB6660E60247}.exe
        
        C:\Windows\{58860A64-384E-479c-AF29-CB6660E60247}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
        
        C:\Windows\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
        
        C:\Windows\{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
        
        C:\Windows\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe
        
        C:\Windows\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}.exe
        
        C:\Windows\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}.exe
        12⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E00D~1.EXE > nul
        12⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1AAE~1.EXE > nul
        11⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61B49~1.EXE > nul
        10⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B933~1.EXE > nul
        9⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58860~1.EXE > nul
        8⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8FDF~1.EXE > nul
        7⤵
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FDFC~1.EXE > nul
        6⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05AEA~1.EXE > nul
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{192C8~1.EXE > nul
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{426CB~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05AEA305-F476-4241-9E94-D988F0EA9D32}.exe

Filesize
216KB

MD5
a91384bf6cb14bc476b0ce3d788201ed

SHA1
0d3e90aa512ccad201c6c60b81cfe271adb66324

SHA256
1b410445de22742e38a1e6094599c7f178fc1085f6bf8cde90a6dbdfbee30afe

SHA512
630a791556cbdb48086cb367450ef544259ce8a1999bf4b405c8ebcfeb7c8850805b7edcfbc5f8170e1b3dbc8b04ddb7efe0e9744f0bb39803d4b31b792d6b95

Download Submit
C:\Windows\{192C89A2-3E63-4cb7-B319-D3DBCB2B9450}.exe

Filesize
216KB

MD5
6adb1c8afd92b6f3f9c42359d2d7cfba

SHA1
52cdbd25273a78e412b62a54aa6a0eb1b5116e32

SHA256
cc8e52e8433243cf158d946feb87fb9092fb510f7153b1787f7591edc67c939c

SHA512
0ff9b0dbed08223e7cda87c22a311cc32fa8621769c401ccf401616772358919e44b285bbdbac23ff558f9b884a1dc2d0e18bed201610477cc5f506e681d772a

Download Submit
C:\Windows\{2B933C75-0B8E-4522-B24C-D72BE3B1F6A3}.exe

Filesize
216KB

MD5
dc980a73d6259b037dc9a2189847a48c

SHA1
87768508aacc1a6f865abf1f5d37320f11b335ba

SHA256
024302496a0f4988c16ec3f5e785f1f443058d5912de3d923adf17dcd93840d9

SHA512
4caf8dfbb240ff5a6495a22ce214c35b7af0e46abacd98fa2cfc3c6b15138a2bc80e117163c18ca82f13f665166039b196ec874c1dc1f2111887db948f8ef6f6

Download Submit
C:\Windows\{3E00DA5E-F14A-4782-99E3-A1FACAEAEA38}.exe

Filesize
216KB

MD5
3d1ac50922352df0fcc0cf9686e9296a

SHA1
510257c061b76ab0b894fd272e414c4099e3b832

SHA256
719d3da36fa19b1d50d2f51a617668095136e19aa94aa696508a219891da6ac4

SHA512
037ac493ce1a9f9626ae4e2360b5c7dab97b0d88e31ab185125a18effa9b8c1c8f0c3e6e74c4249e09a940bfa00a981cd7d9b22d25c1941ff4745342880a3754

Download Submit
C:\Windows\{426CB7DD-8D61-444d-B1A5-4015689F9F23}.exe

Filesize
216KB

MD5
e610da433feee1ce2823af4d920cb228

SHA1
5e4523c84fb049628b12b14d82200731b3b4e3d5

SHA256
93d2538c7e950f02a5992b8c295683e6076363e7883f5aa7f7984336ff3317ef

SHA512
971b1ca3c8a4f42b79c930395d7ec2746cf2338121c81b934d55a2ee198e1e8b94292dc88d2121c500d0b12e3532243229d9007711e99b018aa909ac2405351d

Download Submit
C:\Windows\{58860A64-384E-479c-AF29-CB6660E60247}.exe

Filesize
216KB

MD5
4bd81d2e149c52062e4f5b5e70534594

SHA1
bc5158cbf6f3f855cc01989711783a4d7ee9db23

SHA256
64f6fdbf600a0c8d6c052a10a215dc00b107144c30683cf55dd560b1eb2c44f8

SHA512
24eb71be45453bf105dfa8265cf676c8ca83b49d842383608397bc29d2ad172fef340461f9298b7c03b75b2463f3a4107d098d7fe5cd1695540fd475b1d1747e

Download Submit
C:\Windows\{61B49C96-1880-4229-8748-9B11BDDEE1B7}.exe

Filesize
216KB

MD5
3d7a67de1ce3f13672770cdac3a1a562

SHA1
febfaf9f5c800a48f041e84805fbba9c98b6bd23

SHA256
e80e2cc45c9588d6070e66e660a390780fc894549cb5bb5e100cad4f391043a3

SHA512
67cbe919646aaa2015e70b1ee13bafda096396a43f07d32fcc11af9a27d69dbc7a94dbb9eb7ebfe6e2233cc1b5ce5e91057b5b967de91b58381c33456f1b99ec

Download Submit
C:\Windows\{7C6FA8DC-9BC8-4ad0-8A3A-068F38279A4B}.exe

Filesize
216KB

MD5
d2b33dc6561c2bc9cdfb9fe0290d6d9f

SHA1
ebbbc7f4013da2c7b865549551acce06a46687b9

SHA256
6a219fa1f04052ff88a4c46eff3044d1b3f58ac6026685442a885665da6cff1a

SHA512
9cfdfa0f4eaacfc020dd2c006ea527c83a34458a88669427a385baf1e1454e438c7d6eaa2ec77699c59ac3388d2552b5e144208aa75ca263d59567225d3f73b4

Download Submit
C:\Windows\{9FDFC999-6671-469e-9E58-666B4BA56C1E}.exe

Filesize
216KB

MD5
c7afcde8a8def653b574211a2ba2c502

SHA1
8b986101b26816985aac037c26d177a8919ae7d9

SHA256
83c38f4ca3692d430596778bf3ba322a807bdcd495c5cb972e38e5d2266c7da1

SHA512
d4ea5905ccea836f0f8e9e6d39a85337ca2cd1e30c149b3ab9300cb069b72a0d0b354fcbabd439f5f76cc036b74e3c6c4d8353d8d5d880b7b86c11d40b6150ee

Download Submit
C:\Windows\{E1AAE395-4A81-4363-8FAB-0C5A0E6D69AB}.exe

Filesize
216KB

MD5
74a2d8d17dc7e105be080cae1a4a6632

SHA1
8082b56e821b38cf10d24ff262133e8aa1d5fe36

SHA256
ef3ddb19b3b4e686d3fad48e8046863beb436501d7eab637d63c279fba7762e1

SHA512
7e86caf93657adf2faa98a3906f55aea153f22c5924b2d4e82b02cf84a570d6b120ac132ff6cba6aad177fb64462bf3069abbdcf0f84f551ae47e2de98a7d765

Download Submit
C:\Windows\{F8FDFBDC-C585-4671-97AF-941CD815BCB0}.exe

Filesize
216KB

MD5
90061825ddd87d52c0b8181613c3757c

SHA1
c5fcb0ec1a0bbfee618e523818b3d5708530b30a

SHA256
7eaabd6d724b856d87c0e7c9c8e1e8323e40dbcf6f4fa753acf614a4d5b8c2f3

SHA512
5b4d4823f234ce4c85450ec0033196fa3ceda78356482759ad20f2e55fae71d5912f03fdc5db8b225284fe4086eb91d8b03757f7922ff347fe43d747e5890ace

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads