54061a9f4cef58fbcfb360fd57d49fb4e5e22c96d0f72f4ce8b2a4885e3efae4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Size

168KB
MD5

b85ac041d0abbfc99832f93813141631
SHA1

ac9602a7a45f2d3754404728f249093cd1895b63
SHA256

54061a9f4cef58fbcfb360fd57d49fb4e5e22c96d0f72f4ce8b2a4885e3efae4
SHA512

ab6d8f3a76beffc6bf66166f6a1adc9d65b45f13c01857bfc3a970997e236ee4e870c0f144dca55bf4cb267902969a9384706cfc713923df119aca7b0023c4ce
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012352-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012352-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c6f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012352-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012352-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012352-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}	{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}\stubpath = "C:\\Windows\\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe"	{71E41675-1387-4267-AE40-D8136004ECD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA746F05-8E0C-455b-9217-34ECCF5306EB}\stubpath = "C:\\Windows\\{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe"	{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908220BB-3E2B-40a4-998E-FFFCA6828002}\stubpath = "C:\\Windows\\{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe"	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{509A49D7-AE14-477a-AE70-DD66F4411839}\stubpath = "C:\\Windows\\{509A49D7-AE14-477a-AE70-DD66F4411839}.exe"	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}	{71E41675-1387-4267-AE40-D8136004ECD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}\stubpath = "C:\\Windows\\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe"	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908220BB-3E2B-40a4-998E-FFFCA6828002}	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83E9D97-EA21-48b3-A049-0D0F459177BD}\stubpath = "C:\\Windows\\{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe"	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{509A49D7-AE14-477a-AE70-DD66F4411839}	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07566484-C83F-4538-A831-27A3DFAE8FE9}\stubpath = "C:\\Windows\\{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe"	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D4D381-3846-475b-955D-0467DDF94B6B}	{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}\stubpath = "C:\\Windows\\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe"	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E41675-1387-4267-AE40-D8136004ECD3}	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83E9D97-EA21-48b3-A049-0D0F459177BD}	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA746F05-8E0C-455b-9217-34ECCF5306EB}	{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}\stubpath = "C:\\Windows\\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe"	{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D4D381-3846-475b-955D-0467DDF94B6B}\stubpath = "C:\\Windows\\{C7D4D381-3846-475b-955D-0467DDF94B6B}.exe"	{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E41675-1387-4267-AE40-D8136004ECD3}\stubpath = "C:\\Windows\\{71E41675-1387-4267-AE40-D8136004ECD3}.exe"	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07566484-C83F-4538-A831-27A3DFAE8FE9}	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe

Deletes itself 1 IoCs

pid	Process
2084	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe
2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe
2164	{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe
1808	{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
2620	{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe
1176	{C7D4D381-3846-475b-955D-0467DDF94B6B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{71E41675-1387-4267-AE40-D8136004ECD3}.exe	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
File created	C:\Windows\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	{71E41675-1387-4267-AE40-D8136004ECD3}.exe
File created	C:\Windows\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
File created	C:\Windows\{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
File created	C:\Windows\{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
File created	C:\Windows\{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
File created	C:\Windows\{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe
File created	C:\Windows\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
File created	C:\Windows\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe	{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
File created	C:\Windows\{C7D4D381-3846-475b-955D-0467DDF94B6B}.exe	{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe
File created	C:\Windows\{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe	{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
Token: SeIncBasePriorityPrivilege	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe
Token: SeIncBasePriorityPrivilege	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
Token: SeIncBasePriorityPrivilege	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
Token: SeIncBasePriorityPrivilege	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
Token: SeIncBasePriorityPrivilege	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
Token: SeIncBasePriorityPrivilege	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe
Token: SeIncBasePriorityPrivilege	2164	{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe
Token: SeIncBasePriorityPrivilege	1808	{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
Token: SeIncBasePriorityPrivilege	2620	{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2300	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	28
PID 2956 wrote to memory of 2300	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	28
PID 2956 wrote to memory of 2300	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	28
PID 2956 wrote to memory of 2300	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	28
PID 2956 wrote to memory of 2084	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	29
PID 2956 wrote to memory of 2084	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	29
PID 2956 wrote to memory of 2084	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	29
PID 2956 wrote to memory of 2084	2956	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	29
PID 2300 wrote to memory of 2920	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	30
PID 2300 wrote to memory of 2920	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	30
PID 2300 wrote to memory of 2920	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	30
PID 2300 wrote to memory of 2920	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	30
PID 2300 wrote to memory of 2564	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	31
PID 2300 wrote to memory of 2564	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	31
PID 2300 wrote to memory of 2564	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	31
PID 2300 wrote to memory of 2564	2300	{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe	31
PID 2920 wrote to memory of 2464	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	32
PID 2920 wrote to memory of 2464	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	32
PID 2920 wrote to memory of 2464	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	32
PID 2920 wrote to memory of 2464	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	32
PID 2920 wrote to memory of 2832	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	33
PID 2920 wrote to memory of 2832	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	33
PID 2920 wrote to memory of 2832	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	33
PID 2920 wrote to memory of 2832	2920	{71E41675-1387-4267-AE40-D8136004ECD3}.exe	33
PID 2464 wrote to memory of 2256	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	36
PID 2464 wrote to memory of 2256	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	36
PID 2464 wrote to memory of 2256	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	36
PID 2464 wrote to memory of 2256	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	36
PID 2464 wrote to memory of 2172	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	37
PID 2464 wrote to memory of 2172	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	37
PID 2464 wrote to memory of 2172	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	37
PID 2464 wrote to memory of 2172	2464	{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe	37
PID 2256 wrote to memory of 2996	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	38
PID 2256 wrote to memory of 2996	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	38
PID 2256 wrote to memory of 2996	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	38
PID 2256 wrote to memory of 2996	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	38
PID 2256 wrote to memory of 2252	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	39
PID 2256 wrote to memory of 2252	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	39
PID 2256 wrote to memory of 2252	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	39
PID 2256 wrote to memory of 2252	2256	{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe	39
PID 2996 wrote to memory of 1996	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	40
PID 2996 wrote to memory of 1996	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	40
PID 2996 wrote to memory of 1996	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	40
PID 2996 wrote to memory of 1996	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	40
PID 2996 wrote to memory of 2412	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	41
PID 2996 wrote to memory of 2412	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	41
PID 2996 wrote to memory of 2412	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	41
PID 2996 wrote to memory of 2412	2996	{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe	41
PID 1996 wrote to memory of 2704	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	42
PID 1996 wrote to memory of 2704	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	42
PID 1996 wrote to memory of 2704	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	42
PID 1996 wrote to memory of 2704	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	42
PID 1996 wrote to memory of 2536	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	43
PID 1996 wrote to memory of 2536	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	43
PID 1996 wrote to memory of 2536	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	43
PID 1996 wrote to memory of 2536	1996	{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe	43
PID 2704 wrote to memory of 2164	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	44
PID 2704 wrote to memory of 2164	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	44
PID 2704 wrote to memory of 2164	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	44
PID 2704 wrote to memory of 2164	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	44
PID 2704 wrote to memory of 1544	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	45
PID 2704 wrote to memory of 1544	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	45
PID 2704 wrote to memory of 1544	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	45
PID 2704 wrote to memory of 1544	2704	{509A49D7-AE14-477a-AE70-DD66F4411839}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
  C:\Windows\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{71E41675-1387-4267-AE40-D8136004ECD3}.exe
    C:\Windows\{71E41675-1387-4267-AE40-D8136004ECD3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
      C:\Windows\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
        
        C:\Windows\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
        
        C:\Windows\{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
        
        C:\Windows\{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{509A49D7-AE14-477a-AE70-DD66F4411839}.exe
        
        C:\Windows\{509A49D7-AE14-477a-AE70-DD66F4411839}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe
        
        C:\Windows\{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
        
        C:\Windows\{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe
        
        C:\Windows\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{C7D4D381-3846-475b-955D-0467DDF94B6B}.exe
        
        C:\Windows\{C7D4D381-3846-475b-955D-0467DDF94B6B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1268B~1.EXE > nul
        12⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA746~1.EXE > nul
        11⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07566~1.EXE > nul
        10⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{509A4~1.EXE > nul
        9⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90822~1.EXE > nul
        8⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E83E9~1.EXE > nul
        7⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40A8C~1.EXE > nul
        6⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4FC~1.EXE > nul
        5⤵
        
        PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{71E41~1.EXE > nul
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1B95C~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07566484-C83F-4538-A831-27A3DFAE8FE9}.exe

Filesize
168KB

MD5
97d7ce7eb0b27fe0b333470da0ae1bb9

SHA1
fb8a81db2ffe5db2945cebfad38a757fcbe10128

SHA256
7f0ab29673323ad2ccf5ff6dd361e0c945d521a270f0ba42c219790694ebf033

SHA512
ce8d706e9ba853c5f13e7c955fd0d82da0272bea91870172b9c2e11d7b4c89fe0e2c7b6fe4e0ff55d315533b8453cce2d7fdd42cd2dcdab94b81cb47f57070fe

Download Submit
C:\Windows\{1268BB45-F36D-49a9-9CEE-D1E0F96D0CF3}.exe

Filesize
168KB

MD5
20970c87115adfaaa5bc5768669c6213

SHA1
f56be5c324bd77995bc2a96a5b716e6c682d6909

SHA256
25c3931801631b510840ac80761bd53ed9f185e9131aca0dd4086bf769d781a6

SHA512
73b5d10099a0591035795b86c9feb84be383fa2e01d4d748249e7b75e9320e767ea6cfd769604693263f2330d8bf9ad2b513f324e6a8f2d478b9141c13434247

Download Submit
C:\Windows\{1B95CC78-467F-4991-A3B8-A2AC3CB7024B}.exe

Filesize
168KB

MD5
a03d9699cb662b5e62be8716e5744043

SHA1
ea12a42cf920f294bad95dec8f7a4011fa9c1f86

SHA256
eebf07c572734f952099511a702388ee1dfcc6e6985f8526e62c9882f6d12352

SHA512
f2b1c87e0e7cf46ee8134d0bc9d0d71454771c25aea1c52d14e16f5726aafc43d8002b5402107df8141c1bd1aec08a04b8a1d88e738e6a82918458ed2af17b81

Download Submit
C:\Windows\{40A8CDF2-7B72-4176-98CD-46149AFF1E2E}.exe

Filesize
168KB

MD5
9fece3e5be04691ceae602a5a32e6537

SHA1
d61194a5a7f5a504ee371f1a79b745a80f2c49a8

SHA256
04f2d8458a96e06834590708a9be3eabb4e10dc894d4cf21d5c538c620b3544f

SHA512
12cb6fd3c99b7a79762023c27145edbb496ddd3a2d524765470c18993d33024ad4707477e2de2adead2cb131832051d703e10531c81dfe93cb2331203d168897

Download Submit
C:\Windows\{509A49D7-AE14-477a-AE70-DD66F4411839}.exe

Filesize
168KB

MD5
353aefcfb515983aeeec85fed9b9dadb

SHA1
384b8cc344947877c9ec765ca144464a74dd516b

SHA256
5af69e8a50fa9eca5ccfef823b4fdd714c8a6c88453e8956a88577e31a123346

SHA512
b8af08f238b067bfc37f0eb6a0b32aedea1d930f90edb25929bb8c515a556fb7c730e2f0f8ab9fcb495ab9a7253056692f1db354ccc820cebb1782522742742e

Download Submit
C:\Windows\{71E41675-1387-4267-AE40-D8136004ECD3}.exe

Filesize
168KB

MD5
836ad49904f44d7d95b9424afc160440

SHA1
2e0c2c894eee58d85b23773a1e29cca61461c180

SHA256
aff5bf6b09900117a29fb3d53fee30876d585251b8663a093776745ba2ad8fbb

SHA512
65fad3ad4eedae5a2417e3de6914ad03b3e0247757e2a2d2b6f5d5c3c321fe189adb71bee4a02681502c691ad3fdd84836a4a2294d4f74a403d240ca2137fddd

Download Submit
C:\Windows\{908220BB-3E2B-40a4-998E-FFFCA6828002}.exe

Filesize
168KB

MD5
2c7e285b0ec2fac44507040600c15ae9

SHA1
b039a1af374abcf717f5bea649abe4837bd80667

SHA256
d268d1c747eca681519e410ef44fb62b6d85585ff48bf28011ab454641e09acb

SHA512
2ebcd44ee254ea39ee2d31019ee070cc8db4bff984b597466114667390bc4e2037750fd640bfbf9cdac43036ddb19ea5f3b31416290c7100e508db503c0262e3

Download Submit
C:\Windows\{9A4FCC9D-9635-4d4c-A199-4C9A8616E9A0}.exe

Filesize
168KB

MD5
ebddba6edaafb22022a04c9bc48252d2

SHA1
94ab6b7e7a6bec01d2f53efd757aa38c291db593

SHA256
fba1dfd74e50e15c894dabbc50d944bc674e4680598ee5383618e6d6c509a868

SHA512
f3b4bc0773711d9bb21831db533e6f0f2675367280397102a5728629727d31bc303777339ec38e3f4cfb9d7c392c97c9716e0611d3775fa4c2a2bf54c8970883

Download Submit
C:\Windows\{C7D4D381-3846-475b-955D-0467DDF94B6B}.exe

Filesize
168KB

MD5
207cee5612c6016898a4ab1224949793

SHA1
71a50854d68e499c5d74f24ba491caebef1b318f

SHA256
4b4f6e8761022fe3167425bb35c7a5359e1153867ced10dc7ed8f6e10f55c74e

SHA512
ffb0be19e865a223a3c5911a5b0f5c0b23f0b6ace83fef0db3851afb199cb20a940d382d0d5d8cd0833d113e3cec529aed6a45259f3f1567232b88a0a51a4676

Download Submit
C:\Windows\{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe

Filesize
168KB

MD5
eae953affca60a1419202289d16fd53c

SHA1
2760359a7d58760c87d94710d97e507d1f556c4a

SHA256
62ae87ac5b794f73150b11c03133e10559d81b8f0477ba09a78962b85d060c0e

SHA512
b5e288b17a259da6932e6cee59f271adc28efdcda079c4d48dbba4d320fede1eb9d2a2f8bc1f2c2e75d4167f1f6582a5e645e382fb24259216b03ecc74b883be

Download Submit
C:\Windows\{E83E9D97-EA21-48b3-A049-0D0F459177BD}.exe

Filesize
125KB

MD5
b2941ed0173057cb4c1543ff488191e6

SHA1
41612cdb89bae33c793e794257c47d5d994017df

SHA256
f9b6dec0d9d281098220e526adf25b5d00667db14c0411f50b8d90dfb8ff1eaa

SHA512
7b068cec97de565d4f0d85160313c5174286ad13029dbabd1b4d5a4df5603d6601ae31399244806e81d7d984f770a82f04c3722b554ea1d407a5a16ef6b68ad1

Download Submit
C:\Windows\{FA746F05-8E0C-455b-9217-34ECCF5306EB}.exe

Filesize
168KB

MD5
5c8c0e11cc5e1c3348864f474b24c0f0

SHA1
b48e816b14cb3f95e25ed90901e17ed89669bcdd

SHA256
5b94d7ce83fb61d2357b106bbcfa30daddb9a27363f4aa5e4d6fb0300d866027

SHA512
564cc0a5aa63d4600ea79f859a132587407814100d7081b0e321c0dbc77f5e2e20dc0e73c7f5999e275304ad1be5db445353803834d8d8d1e1ef336f801964b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads