3e1198d565e8d2161a4323e829ef4f74018916915ea3b5b0733e8120d2307b17

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Size

204KB
MD5

36f5f40cb2ae788e2316f43a765028ab
SHA1

d2fb504f4068b6f5b563fd1e51554734126c57ab
SHA256

3e1198d565e8d2161a4323e829ef4f74018916915ea3b5b0733e8120d2307b17
SHA512

f7c1139bedb407207c11701732a839f6efe57c9c79781203916e3e24dd2915d956ed6f17eb35894cb369f4fbd6b5a29e66a543ef456e5510a1b5887a829059ad
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o1l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a71-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000141a2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a71-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000143ec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a71-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a71-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a71-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}\stubpath = "C:\\Windows\\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe"	{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06894B94-DC0B-47a2-827A-10907908FF02}\stubpath = "C:\\Windows\\{06894B94-DC0B-47a2-827A-10907908FF02}.exe"	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B567E42-E95A-4915-BB38-959EDD2A7741}\stubpath = "C:\\Windows\\{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe"	{06894B94-DC0B-47a2-827A-10907908FF02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC75542-D184-4400-B3D7-B3B2C061F189}\stubpath = "C:\\Windows\\{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe"	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}\stubpath = "C:\\Windows\\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe"	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A46B585-7D11-4953-A638-AB91A4D9EF05}	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B567E42-E95A-4915-BB38-959EDD2A7741}	{06894B94-DC0B-47a2-827A-10907908FF02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}\stubpath = "C:\\Windows\\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe"	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56F46252-0384-43f5-80D4-89D45D2CBE79}	{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C1D898-3928-44da-BBDA-0DE18EADE491}\stubpath = "C:\\Windows\\{21C1D898-3928-44da-BBDA-0DE18EADE491}.exe"	{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}\stubpath = "C:\\Windows\\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe"	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56F46252-0384-43f5-80D4-89D45D2CBE79}\stubpath = "C:\\Windows\\{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe"	{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06894B94-DC0B-47a2-827A-10907908FF02}	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC75542-D184-4400-B3D7-B3B2C061F189}	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A46B585-7D11-4953-A638-AB91A4D9EF05}\stubpath = "C:\\Windows\\{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe"	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}	{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C1D898-3928-44da-BBDA-0DE18EADE491}	{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}\stubpath = "C:\\Windows\\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe"	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe
2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe
1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe
2828	{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
2296	{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
2424	{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe
1156	{21C1D898-3928-44da-BBDA-0DE18EADE491}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe
File created	C:\Windows\{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe	{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
File created	C:\Windows\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe	{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
File created	C:\Windows\{21C1D898-3928-44da-BBDA-0DE18EADE491}.exe	{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe
File created	C:\Windows\{06894B94-DC0B-47a2-827A-10907908FF02}.exe	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
File created	C:\Windows\{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	{06894B94-DC0B-47a2-827A-10907908FF02}.exe
File created	C:\Windows\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
File created	C:\Windows\{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
File created	C:\Windows\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
File created	C:\Windows\{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
File created	C:\Windows\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe
Token: SeIncBasePriorityPrivilege	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
Token: SeIncBasePriorityPrivilege	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
Token: SeIncBasePriorityPrivilege	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
Token: SeIncBasePriorityPrivilege	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
Token: SeIncBasePriorityPrivilege	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe
Token: SeIncBasePriorityPrivilege	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe
Token: SeIncBasePriorityPrivilege	2828	{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
Token: SeIncBasePriorityPrivilege	2296	{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
Token: SeIncBasePriorityPrivilege	2424	{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3008	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	28
PID 2392 wrote to memory of 3008	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	28
PID 2392 wrote to memory of 3008	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	28
PID 2392 wrote to memory of 3008	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	28
PID 2392 wrote to memory of 2536	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	29
PID 2392 wrote to memory of 2536	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	29
PID 2392 wrote to memory of 2536	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	29
PID 2392 wrote to memory of 2536	2392	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	29
PID 3008 wrote to memory of 2584	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	30
PID 3008 wrote to memory of 2584	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	30
PID 3008 wrote to memory of 2584	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	30
PID 3008 wrote to memory of 2584	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	30
PID 3008 wrote to memory of 2660	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	31
PID 3008 wrote to memory of 2660	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	31
PID 3008 wrote to memory of 2660	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	31
PID 3008 wrote to memory of 2660	3008	{06894B94-DC0B-47a2-827A-10907908FF02}.exe	31
PID 2584 wrote to memory of 2052	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	32
PID 2584 wrote to memory of 2052	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	32
PID 2584 wrote to memory of 2052	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	32
PID 2584 wrote to memory of 2052	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	32
PID 2584 wrote to memory of 2940	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	33
PID 2584 wrote to memory of 2940	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	33
PID 2584 wrote to memory of 2940	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	33
PID 2584 wrote to memory of 2940	2584	{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe	33
PID 2052 wrote to memory of 2532	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	36
PID 2052 wrote to memory of 2532	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	36
PID 2052 wrote to memory of 2532	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	36
PID 2052 wrote to memory of 2532	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	36
PID 2052 wrote to memory of 2900	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	37
PID 2052 wrote to memory of 2900	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	37
PID 2052 wrote to memory of 2900	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	37
PID 2052 wrote to memory of 2900	2052	{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe	37
PID 2532 wrote to memory of 1696	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	38
PID 2532 wrote to memory of 1696	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	38
PID 2532 wrote to memory of 1696	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	38
PID 2532 wrote to memory of 1696	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	38
PID 2532 wrote to memory of 2632	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	39
PID 2532 wrote to memory of 2632	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	39
PID 2532 wrote to memory of 2632	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	39
PID 2532 wrote to memory of 2632	2532	{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe	39
PID 1696 wrote to memory of 2688	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	40
PID 1696 wrote to memory of 2688	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	40
PID 1696 wrote to memory of 2688	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	40
PID 1696 wrote to memory of 2688	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	40
PID 1696 wrote to memory of 2752	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	41
PID 1696 wrote to memory of 2752	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	41
PID 1696 wrote to memory of 2752	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	41
PID 1696 wrote to memory of 2752	1696	{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe	41
PID 2688 wrote to memory of 1764	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	42
PID 2688 wrote to memory of 1764	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	42
PID 2688 wrote to memory of 1764	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	42
PID 2688 wrote to memory of 1764	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	42
PID 2688 wrote to memory of 2544	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	43
PID 2688 wrote to memory of 2544	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	43
PID 2688 wrote to memory of 2544	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	43
PID 2688 wrote to memory of 2544	2688	{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe	43
PID 1764 wrote to memory of 2828	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	44
PID 1764 wrote to memory of 2828	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	44
PID 1764 wrote to memory of 2828	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	44
PID 1764 wrote to memory of 2828	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	44
PID 1764 wrote to memory of 2820	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	45
PID 1764 wrote to memory of 2820	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	45
PID 1764 wrote to memory of 2820	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	45
PID 1764 wrote to memory of 2820	1764	{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\{06894B94-DC0B-47a2-827A-10907908FF02}.exe
  C:\Windows\{06894B94-DC0B-47a2-827A-10907908FF02}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
    C:\Windows\{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
      C:\Windows\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
        
        C:\Windows\{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
        
        C:\Windows\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe
        
        C:\Windows\{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe
        
        C:\Windows\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
        
        C:\Windows\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
        
        C:\Windows\{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe
        
        C:\Windows\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\{21C1D898-3928-44da-BBDA-0DE18EADE491}.exe
        
        C:\Windows\{21C1D898-3928-44da-BBDA-0DE18EADE491}.exe
        12⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{929B6~1.EXE > nul
        12⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56F46~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC72~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1599E~1.EXE > nul
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A46B~1.EXE > nul
        8⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6061E~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC75~1.EXE > nul
        6⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C84F~1.EXE > nul
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B567~1.EXE > nul
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06894~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06894B94-DC0B-47a2-827A-10907908FF02}.exe

Filesize
204KB

MD5
2a920891a2b5ca690abd35ceae8deaef

SHA1
980aa1a8704e2bb196cdbba1f2d619eb5ee26a08

SHA256
091159e36da9bc848f40960eb2015bb94ee8c2c1787ed5b247b38a1875939f9c

SHA512
0386ac8f9291e598e10d24d06f3035d40fe18b248d696fed1377e18164dbe3f1a37485d60e6bbc07588f1cf10221c1bc124bac65ab3b78e18cbf9036ef51b716

Download Submit
C:\Windows\{0AC75542-D184-4400-B3D7-B3B2C061F189}.exe

Filesize
204KB

MD5
dbf40ceb6139709c2b49ccf63e5b7ded

SHA1
e8347df11023716d996c0b351de735526b96e329

SHA256
b2198d323634f289030b253d099069907516852fc17d7941dec3437963b75c45

SHA512
4285b76ed4cc290b7e6d6f9d2eb45644fb38822a86f9ff2ff28ed6eecd3eb8bc43c70ddab8e1b48e0b4ddc004902fc8396692db62bcd2e1c1c29c2dcc3c331ac

Download Submit
C:\Windows\{1599E09D-FB84-4c73-9FEE-D6A0A6F2C178}.exe

Filesize
204KB

MD5
e5ca2de480462af85fe45db37dff4c60

SHA1
9e41d9d6d8afba66b551c0967d44607a10ef7e0d

SHA256
b0dc815079a230699ee676cd60865450296c5cd8db223cc02420adf6ea99f14e

SHA512
41bed309911734aad02e3defeb4609f50eb833758596d4136c8b35a2c7454e7188f8ba4eb79ad1c7e5179022b8fb93fd20b4f146ff64509585624b236679080b

Download Submit
C:\Windows\{1B567E42-E95A-4915-BB38-959EDD2A7741}.exe

Filesize
204KB

MD5
c85738f19f09737608809fedf8c734ee

SHA1
80e4f7fcc8d010e2249763a82c2e3079c1a7ac99

SHA256
1df43188c0ec75215079a3066b567e20f42f72297a03357e4530dde25e372b24

SHA512
368c559bbb563a2b3c4ccb229644bc3abcddadb8f363c4eddd84aa250c585620eff85f57711f257cb4c339ddaaabe1432656b0aec4b7a16397562da51efda83a

Download Submit
C:\Windows\{21C1D898-3928-44da-BBDA-0DE18EADE491}.exe

Filesize
204KB

MD5
42ca87fcbdc4fef5e463a0824205d9f8

SHA1
64cbeb6ca492c948175898b0b94233bb454f9d22

SHA256
8f3156a20fee26e6a350048fcefb51ac68ad99f09f8bc822fb7f270f288ceac6

SHA512
69f044503621bb02d34c9f89dcd4f7f399505267ee7e7cb2aecc8c3a8371ef32f9d318f09a59227896239a96d10d9560549486428bb407d45b600955ce1e93e2

Download Submit
C:\Windows\{56F46252-0384-43f5-80D4-89D45D2CBE79}.exe

Filesize
204KB

MD5
0435a5856544b9ba21cf2010b8ae5bed

SHA1
1c147d971650cb71c6b3729b832e0a0f52008a5b

SHA256
f684c2a90b3722934ac82a8065ca31f7fff63fbf187fc854cc50fdba23dcf63a

SHA512
7a6581c4b23bfb9041ee6d20a142d2495adae91e3bc313f7ddf298afcccf859fa8d0bb256ece4ac2d8f44584142b30950181d62a68be4ab13b5aa582d2637268

Download Submit
C:\Windows\{6061EF28-BAD2-4848-9CD3-0E03CB0EC692}.exe

Filesize
204KB

MD5
dccd437bbb3ae1ee0022715850c13706

SHA1
08cbd1b10b439afff145ded9024a5ca250c43f9f

SHA256
6ed3542e635cf626d6f8f2047a4311354f71e35c17503afdfb79c9367889bbc7

SHA512
b58318855955c004c8627973ef6b884bcd3d497144aea8efae31b85ea83b8c9c7a12663ad92af46066bbc1d7ceb0162a58e0b6ec5e57789ba2c5a42254cbd871

Download Submit
C:\Windows\{6CC7229A-54DD-430d-8EFC-C1FD9E16A182}.exe

Filesize
204KB

MD5
f1ff117b1382263b3963bb8c869b55f1

SHA1
a9635052d292308a6718b2acd7ccbeb0413b2d6e

SHA256
1f24e3a85471d4216349aa188a802a4dcb400a2db18fa6f32ee01ee71ca75be8

SHA512
e9704826234fb75e5398dd168d04fe4b1fd15c5617920a2389abb8770a59a16ee8266fbd3f7df6d92c41d9073c51bffc09726811ce78d046b63975d86df5c9c4

Download Submit
C:\Windows\{7A46B585-7D11-4953-A638-AB91A4D9EF05}.exe

Filesize
204KB

MD5
d2ad6428c6257e4b47e55e71b51a5d71

SHA1
1b08f4002519e1d68639d78683faaebf65a99225

SHA256
50e246aa837958b075cc674f91fd9b0b5cb61e7cfeeeba177fcda2f75b21136b

SHA512
d6ca99611a6f414302cad377065605eb405ebf4289c9084201700ceba7a52f42ef50c25ac4d4392e14281210927560f98a3b310b52e9824601129894f536aca7

Download Submit
C:\Windows\{8C84F64F-7E2E-4ad1-96B7-89EFE6E5E342}.exe

Filesize
204KB

MD5
edb11494841e1ca6dc8cdc04daaebc19

SHA1
26acbd3f53102fa6344c4e8b35c13377d276004d

SHA256
75cd7fab54bfcd42376e062fd0f9793afdeb6f9f01b93b36cf648090a924ec77

SHA512
63c9932f1fd1489a82ab069680cd764dc0133ca26138bc1de9a9d08f2f73deebdc4dd92dced338f14bef4a8151598f7753a25a90d331046776838cc044637b0f

Download Submit
C:\Windows\{929B6C6C-D60F-4a26-916F-0FD6C05A7B51}.exe

Filesize
204KB

MD5
1c65cda38031a25e4defcdd1a88d7ddb

SHA1
5f2c1349992535a88035148d733d0a313374f3b2

SHA256
c2e59c1c306c8fedf562971bef3923a5c552322789ed84ecd6ceae0a63a01b12

SHA512
d34013f4f2f4aeb318dc467310b7823ff8a8d7cc52cef663e1f532e4143c9ea0e51bef5e4f4d965f60194276abb269e0319d8a186ded223f57146e9f6dcab78a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads