fb191647efa2823ed17b899d37c1a2f9ef42b9f5c36ca8cf6ac94f0fcd4f0e47

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe
Size

216KB
MD5

26848e9d5f96b5253b7ed800ab8349a0
SHA1

29d7a0def64f60c6e02cbb42bea269d77289c89f
SHA256

fb191647efa2823ed17b899d37c1a2f9ef42b9f5c36ca8cf6ac94f0fcd4f0e47
SHA512

91d639389a457d4837982a0c87b6f16a1a917df75637729161231897a00f6c096efda08d9e5e2d6446c755184dca6895f9c430af9f8d5e78c98dbce6eeed9e44
SSDEEP

3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001444f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014701-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001444f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001470b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001444f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001444f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001444f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6243108-388C-4084-B55C-76DCD7865C53}	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}	{F6243108-388C-4084-B55C-76DCD7865C53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}	{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E138EE0-A057-446f-8581-15D97DF9D5AE}	{232D46BC-2B79-42ff-A829-238D6B919331}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}\stubpath = "C:\\Windows\\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe"	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}\stubpath = "C:\\Windows\\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe"	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E36EB65A-7B4E-4211-8E6F-17DE51671236}	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E36EB65A-7B4E-4211-8E6F-17DE51671236}\stubpath = "C:\\Windows\\{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe"	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1165CA3-3097-4d5d-9E39-C63553673E1C}	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1165CA3-3097-4d5d-9E39-C63553673E1C}\stubpath = "C:\\Windows\\{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe"	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{232D46BC-2B79-42ff-A829-238D6B919331}\stubpath = "C:\\Windows\\{232D46BC-2B79-42ff-A829-238D6B919331}.exe"	{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA8B636-1169-422c-B6C8-3108ADA024DA}\stubpath = "C:\\Windows\\{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe"	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6243108-388C-4084-B55C-76DCD7865C53}\stubpath = "C:\\Windows\\{F6243108-388C-4084-B55C-76DCD7865C53}.exe"	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}\stubpath = "C:\\Windows\\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe"	{F6243108-388C-4084-B55C-76DCD7865C53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}\stubpath = "C:\\Windows\\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe"	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{232D46BC-2B79-42ff-A829-238D6B919331}	{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E138EE0-A057-446f-8581-15D97DF9D5AE}\stubpath = "C:\\Windows\\{9E138EE0-A057-446f-8581-15D97DF9D5AE}.exe"	{232D46BC-2B79-42ff-A829-238D6B919331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA8B636-1169-422c-B6C8-3108ADA024DA}	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}\stubpath = "C:\\Windows\\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe"	{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe

Executes dropped EXE 11 IoCs

pid	Process
2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe
1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe
2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
1436	{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe
1616	{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
688	{232D46BC-2B79-42ff-A829-238D6B919331}.exe
560	{9E138EE0-A057-446f-8581-15D97DF9D5AE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	{F6243108-388C-4084-B55C-76DCD7865C53}.exe
File created	C:\Windows\{232D46BC-2B79-42ff-A829-238D6B919331}.exe	{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
File created	C:\Windows\{9E138EE0-A057-446f-8581-15D97DF9D5AE}.exe	{232D46BC-2B79-42ff-A829-238D6B919331}.exe
File created	C:\Windows\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe
File created	C:\Windows\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
File created	C:\Windows\{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
File created	C:\Windows\{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
File created	C:\Windows\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe	{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe
File created	C:\Windows\{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
File created	C:\Windows\{F6243108-388C-4084-B55C-76DCD7865C53}.exe	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
File created	C:\Windows\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
Token: SeIncBasePriorityPrivilege	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
Token: SeIncBasePriorityPrivilege	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
Token: SeIncBasePriorityPrivilege	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
Token: SeIncBasePriorityPrivilege	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe
Token: SeIncBasePriorityPrivilege	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe
Token: SeIncBasePriorityPrivilege	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
Token: SeIncBasePriorityPrivilege	1436	{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe
Token: SeIncBasePriorityPrivilege	1616	{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
Token: SeIncBasePriorityPrivilege	688	{232D46BC-2B79-42ff-A829-238D6B919331}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2052	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	28
PID 2156 wrote to memory of 2052	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	28
PID 2156 wrote to memory of 2052	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	28
PID 2156 wrote to memory of 2052	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	28
PID 2156 wrote to memory of 2628	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	29
PID 2156 wrote to memory of 2628	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	29
PID 2156 wrote to memory of 2628	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	29
PID 2156 wrote to memory of 2628	2156	2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe	29
PID 2052 wrote to memory of 3008	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	30
PID 2052 wrote to memory of 3008	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	30
PID 2052 wrote to memory of 3008	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	30
PID 2052 wrote to memory of 3008	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	30
PID 2052 wrote to memory of 2588	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	31
PID 2052 wrote to memory of 2588	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	31
PID 2052 wrote to memory of 2588	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	31
PID 2052 wrote to memory of 2588	2052	{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe	31
PID 3008 wrote to memory of 2580	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	32
PID 3008 wrote to memory of 2580	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	32
PID 3008 wrote to memory of 2580	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	32
PID 3008 wrote to memory of 2580	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	32
PID 3008 wrote to memory of 2412	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	33
PID 3008 wrote to memory of 2412	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	33
PID 3008 wrote to memory of 2412	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	33
PID 3008 wrote to memory of 2412	3008	{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe	33
PID 2580 wrote to memory of 2668	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	36
PID 2580 wrote to memory of 2668	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	36
PID 2580 wrote to memory of 2668	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	36
PID 2580 wrote to memory of 2668	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	36
PID 2580 wrote to memory of 2772	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	37
PID 2580 wrote to memory of 2772	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	37
PID 2580 wrote to memory of 2772	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	37
PID 2580 wrote to memory of 2772	2580	{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe	37
PID 2668 wrote to memory of 356	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	38
PID 2668 wrote to memory of 356	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	38
PID 2668 wrote to memory of 356	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	38
PID 2668 wrote to memory of 356	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	38
PID 2668 wrote to memory of 1508	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	39
PID 2668 wrote to memory of 1508	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	39
PID 2668 wrote to memory of 1508	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	39
PID 2668 wrote to memory of 1508	2668	{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe	39
PID 356 wrote to memory of 1956	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	40
PID 356 wrote to memory of 1956	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	40
PID 356 wrote to memory of 1956	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	40
PID 356 wrote to memory of 1956	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	40
PID 356 wrote to memory of 1668	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	41
PID 356 wrote to memory of 1668	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	41
PID 356 wrote to memory of 1668	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	41
PID 356 wrote to memory of 1668	356	{F6243108-388C-4084-B55C-76DCD7865C53}.exe	41
PID 1956 wrote to memory of 2472	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	42
PID 1956 wrote to memory of 2472	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	42
PID 1956 wrote to memory of 2472	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	42
PID 1956 wrote to memory of 2472	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	42
PID 1956 wrote to memory of 1504	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	43
PID 1956 wrote to memory of 1504	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	43
PID 1956 wrote to memory of 1504	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	43
PID 1956 wrote to memory of 1504	1956	{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe	43
PID 2472 wrote to memory of 1436	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	44
PID 2472 wrote to memory of 1436	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	44
PID 2472 wrote to memory of 1436	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	44
PID 2472 wrote to memory of 1436	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	44
PID 2472 wrote to memory of 1964	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	45
PID 2472 wrote to memory of 1964	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	45
PID 2472 wrote to memory of 1964	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	45
PID 2472 wrote to memory of 1964	2472	{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_26848e9d5f96b5253b7ed800ab8349a0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
  C:\Windows\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
    C:\Windows\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
      C:\Windows\{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
        
        C:\Windows\{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{F6243108-388C-4084-B55C-76DCD7865C53}.exe
        
        C:\Windows\{F6243108-388C-4084-B55C-76DCD7865C53}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe
        
        C:\Windows\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
        
        C:\Windows\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe
        
        C:\Windows\{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
        
        C:\Windows\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{232D46BC-2B79-42ff-A829-238D6B919331}.exe
        
        C:\Windows\{232D46BC-2B79-42ff-A829-238D6B919331}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{9E138EE0-A057-446f-8581-15D97DF9D5AE}.exe
        
        C:\Windows\{9E138EE0-A057-446f-8581-15D97DF9D5AE}.exe
        12⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{232D4~1.EXE > nul
        12⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A448~1.EXE > nul
        11⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1165~1.EXE > nul
        10⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECBAD~1.EXE > nul
        9⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA45~1.EXE > nul
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6243~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA8B~1.EXE > nul
        6⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E36EB~1.EXE > nul
        5⤵
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75FD0~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A151E~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{232D46BC-2B79-42ff-A829-238D6B919331}.exe

Filesize
216KB

MD5
6553651e96f7f92bf2eb49e01f21285c

SHA1
c987343156609d36b607f234da1d702bcbf9b358

SHA256
ab3dec77862be305425727582dce7308bd1359ebc0529c462b99f60728dc045f

SHA512
1e4ef89e46e0d2cf49fc7ff143f75875aa5dea9c7581501a1f9035940456f5c4d94e5c06795b512274d5660c933e3bc7a32593d8c5c5e2eca4d6462594e426fa

Download Submit
C:\Windows\{4A448D89-13D7-4a7b-AD95-666EE2E8EEB2}.exe

Filesize
216KB

MD5
5bb19e05fc89b07a757fb391ea82f310

SHA1
f8512b05831284c0c41899568f8ee2ebedac86bf

SHA256
8d4ccd7ef7c02405484999b3593247ecfb30cec545aa1053f607698441fa9e2f

SHA512
913bc0dfaf75bf354c99db78f2cd8b567d8fb3bb452bc7c820a8995fb2c274672566b9b98870b668526b9d0ab4a1d55b838b385a42fecd2aeebc233924e2fa8d

Download Submit
C:\Windows\{75FD078C-5DB2-48e8-9143-0D4D4F237BF3}.exe

Filesize
216KB

MD5
0172bbe8cd93c5aecd49f2cb9a8d2874

SHA1
0cfd4b0c2e280064e343e726f75e50c204a7aa80

SHA256
100afc0d409b9db2a6edd3dc7c5148d467525b49b43b38f7e3c6de19fa1aad1e

SHA512
ca9902c8d93c29529ba21cc7eab9bc0656d7a9660094e03e277e5132f84778e20a97b7115df364b9cc74c7b4d081d8fcfb853ee19a1519eb42320c925948e212

Download Submit
C:\Windows\{8EA8B636-1169-422c-B6C8-3108ADA024DA}.exe

Filesize
216KB

MD5
84652929e00b024c66ec8eb3d06a804d

SHA1
66c5460484791c7d69bb0f0baa44d77f4c50ce05

SHA256
d0ffbbae524010888ae0ec54bb569c066e4846bac01256f22f80da10f837d897

SHA512
e85ef4ebd1c3cdcbb27efd197e88c3bd74101c7b98dbc338c730dba4999dd75d92e3dd79dd3fcd2cdcff0335bfc7b9229b3ff2ff8f9872c23a4b81218e8e4dba

Download Submit
C:\Windows\{9AA4562B-BCAC-44c0-841F-C5A9A67A8111}.exe

Filesize
216KB

MD5
2a6fd3dbba6acff7dcf94504de50faa9

SHA1
e1936ac31c546a255c48b6ef78dab7b80eac4924

SHA256
05083d52b5558ddc8ed6b6c9e6884bff15a068f7e5e4360dcee1594c6143d79d

SHA512
61209578c64b5cfea2441876e7e200dec2574d727973f6c8b69f24f136199bcc12f647a4bf7601af72fd988126da3155326420f1bf6b2d45da4d894840246284

Download Submit
C:\Windows\{9E138EE0-A057-446f-8581-15D97DF9D5AE}.exe

Filesize
216KB

MD5
a9feb47a7e791676339acfc39fa3edc2

SHA1
d31dfcd26ff8020e5a05b080b604be2750093419

SHA256
4ae5912becb7dc1baf51ecb084eb9398fc480c705c1e055c225f5415e1b2b756

SHA512
c1bc85bdd7b1171352a968b254c2429a63288d9faec9944b7501473ea0ae4ed6e484f2af6741fe5d05b4538f046ba0fae9a83f839ba369a015fbb15c1e59d627

Download Submit
C:\Windows\{A151E8C0-FD47-4474-B06F-94964D3BFFA8}.exe

Filesize
216KB

MD5
5f6fd3f1130d03410f57d7a3b14d7496

SHA1
2be5d1d724c6f8aa8445936be576722c1e2540e6

SHA256
4ec5f1b54cd89d88c2bc06d4d3c1815432064064821f4ac5150cbf7410d85864

SHA512
00ce2295a4e3da6e9ee0d452c4cf6fe096704e7b94f966acff6a473b8ab790deabf3ed7acfb0c5e4fcc46cd79f738fde2e23aa403d7c65789fb21327bf2a3e0b

Download Submit
C:\Windows\{D1165CA3-3097-4d5d-9E39-C63553673E1C}.exe

Filesize
216KB

MD5
15e3b59fddbed79913e9fcb4a4f04fe2

SHA1
35e3008fd06e7f4f770f2c0da6bee04793e668a7

SHA256
20f4df5f5728cf0444770950fc76fcb519e759b666e2dbc39ddcd3677cbdf42e

SHA512
3b9b5206ab500d447ed3ed695f03ea9131cc9d919e93e9e8d1533658a24deaed3703e29db97cb2ef30f0bf98bc624d6b9f2cd7ec331f3991719fda2c37e6387a

Download Submit
C:\Windows\{E36EB65A-7B4E-4211-8E6F-17DE51671236}.exe

Filesize
216KB

MD5
f97ad402815e1138e95c48c590a94aaa

SHA1
46d92e7b4e6da49a0d585b8e9827a05ed253ce71

SHA256
c94d0c559dd5dfa544bf954972c7bb8f3f1ef2b802c7cf28679b44c06e7b7d84

SHA512
06b13fffd5ea28d31f813bc999af1e895932cf63882e8cb63dd8eb7468caf51e00cbbd538f3645a4da71a1a9d5307d1bb186e6c72ed983bd9c1e68df664b7a59

Download Submit
C:\Windows\{ECBADF5B-2FA4-4de1-83BF-82EDF7B46205}.exe

Filesize
216KB

MD5
1366250cdb7b7ddc03b6ba4c72048ad7

SHA1
f877a18e4510090e9b40baa5dbe6ac7bb0bb8c5f

SHA256
a52f05e6fcfc2ed15d415f6a98bb667af97eea852f9c09aa9e4af79930083a43

SHA512
9378903ce550cce0b511c5de5d20fb1c56162d37791c3684061c0b00dd47c07ec2567179668541adc8202889127eb88ce6f8630ee15f15eeb61b316b7d623b99

Download Submit
C:\Windows\{F6243108-388C-4084-B55C-76DCD7865C53}.exe

Filesize
216KB

MD5
20bd1b2963644aacb6137b1542f2e4a6

SHA1
56633cd6c3df290fd912b8a2e40c7a0613c1932c

SHA256
e664ed31a8d9b342261c34f0e7e53c2d578f3abc1818308558e4ff453b7b7097

SHA512
b19adcd3237a16e0fcbb0827d736cbb1f7bc97f7a62457058a3418cdc604214b9107ad23e1025e113a9c9b634f6e0a5bf14245ed498487d413bbed8889ea88b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads