80cff6c6a11d7ea476a8d0863a0e70e369ef6a841a0462f679d24b422d01715e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe
Size

216KB
MD5

856ca56e5fbc8d2bbab859f798420c20
SHA1

083e7a153bcbea1f3ecd0db8ebb6c87b6a3d2468
SHA256

80cff6c6a11d7ea476a8d0863a0e70e369ef6a841a0462f679d24b422d01715e
SHA512

5e6b9939641a4f2cb6a4aca2b5533e9a77e51095e6f21e0769d99c4015b8e94b2bb20d9fcceb79b28e8380d31f717a7c9334592c049c1ca1af6c1300265155f7
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGblEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015df1-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015f7a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015df1-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016a29-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015df1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015df1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015df1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}\stubpath = "C:\\Windows\\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe"	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D0E0458-7F61-4191-9365-E6774534794D}\stubpath = "C:\\Windows\\{0D0E0458-7F61-4191-9365-E6774534794D}.exe"	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}\stubpath = "C:\\Windows\\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe"	{0D0E0458-7F61-4191-9365-E6774534794D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}\stubpath = "C:\\Windows\\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe"	{E05B3545-5182-4292-8759-51847B4C20E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}\stubpath = "C:\\Windows\\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe"	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}	{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B05E893-A4EA-45c5-A85F-A2D35472B276}\stubpath = "C:\\Windows\\{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe"	{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}\stubpath = "C:\\Windows\\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}.exe"	{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E05B3545-5182-4292-8759-51847B4C20E6}	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}	{0D0E0458-7F61-4191-9365-E6774534794D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}\stubpath = "C:\\Windows\\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe"	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}\stubpath = "C:\\Windows\\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe"	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}\stubpath = "C:\\Windows\\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe"	{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D0E0458-7F61-4191-9365-E6774534794D}	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}	{E05B3545-5182-4292-8759-51847B4C20E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B05E893-A4EA-45c5-A85F-A2D35472B276}	{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}	{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E05B3545-5182-4292-8759-51847B4C20E6}\stubpath = "C:\\Windows\\{E05B3545-5182-4292-8759-51847B4C20E6}.exe"	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe
2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe
3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
960	{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
1276	{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
588	{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe
576	{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	{E05B3545-5182-4292-8759-51847B4C20E6}.exe
File created	C:\Windows\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
File created	C:\Windows\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
File created	C:\Windows\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe	{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
File created	C:\Windows\{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe	{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
File created	C:\Windows\{E05B3545-5182-4292-8759-51847B4C20E6}.exe	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe
File created	C:\Windows\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
File created	C:\Windows\{0D0E0458-7F61-4191-9365-E6774534794D}.exe	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
File created	C:\Windows\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	{0D0E0458-7F61-4191-9365-E6774534794D}.exe
File created	C:\Windows\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
File created	C:\Windows\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}.exe	{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe
Token: SeIncBasePriorityPrivilege	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
Token: SeIncBasePriorityPrivilege	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
Token: SeIncBasePriorityPrivilege	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe
Token: SeIncBasePriorityPrivilege	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
Token: SeIncBasePriorityPrivilege	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
Token: SeIncBasePriorityPrivilege	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
Token: SeIncBasePriorityPrivilege	960	{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
Token: SeIncBasePriorityPrivilege	1276	{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
Token: SeIncBasePriorityPrivilege	588	{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2992	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	28
PID 2968 wrote to memory of 2992	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	28
PID 2968 wrote to memory of 2992	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	28
PID 2968 wrote to memory of 2992	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	28
PID 2968 wrote to memory of 2020	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	29
PID 2968 wrote to memory of 2020	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	29
PID 2968 wrote to memory of 2020	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	29
PID 2968 wrote to memory of 2020	2968	2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe	29
PID 2992 wrote to memory of 2700	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	30
PID 2992 wrote to memory of 2700	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	30
PID 2992 wrote to memory of 2700	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	30
PID 2992 wrote to memory of 2700	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	30
PID 2992 wrote to memory of 2624	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	31
PID 2992 wrote to memory of 2624	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	31
PID 2992 wrote to memory of 2624	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	31
PID 2992 wrote to memory of 2624	2992	{E05B3545-5182-4292-8759-51847B4C20E6}.exe	31
PID 2700 wrote to memory of 2776	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	32
PID 2700 wrote to memory of 2776	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	32
PID 2700 wrote to memory of 2776	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	32
PID 2700 wrote to memory of 2776	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	32
PID 2700 wrote to memory of 2840	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	33
PID 2700 wrote to memory of 2840	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	33
PID 2700 wrote to memory of 2840	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	33
PID 2700 wrote to memory of 2840	2700	{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe	33
PID 2776 wrote to memory of 3032	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	36
PID 2776 wrote to memory of 3032	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	36
PID 2776 wrote to memory of 3032	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	36
PID 2776 wrote to memory of 3032	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	36
PID 2776 wrote to memory of 2112	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	37
PID 2776 wrote to memory of 2112	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	37
PID 2776 wrote to memory of 2112	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	37
PID 2776 wrote to memory of 2112	2776	{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe	37
PID 3032 wrote to memory of 3064	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	38
PID 3032 wrote to memory of 3064	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	38
PID 3032 wrote to memory of 3064	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	38
PID 3032 wrote to memory of 3064	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	38
PID 3032 wrote to memory of 2336	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	39
PID 3032 wrote to memory of 2336	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	39
PID 3032 wrote to memory of 2336	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	39
PID 3032 wrote to memory of 2336	3032	{0D0E0458-7F61-4191-9365-E6774534794D}.exe	39
PID 3064 wrote to memory of 2860	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	40
PID 3064 wrote to memory of 2860	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	40
PID 3064 wrote to memory of 2860	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	40
PID 3064 wrote to memory of 2860	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	40
PID 3064 wrote to memory of 2752	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	41
PID 3064 wrote to memory of 2752	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	41
PID 3064 wrote to memory of 2752	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	41
PID 3064 wrote to memory of 2752	3064	{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe	41
PID 2860 wrote to memory of 2988	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	42
PID 2860 wrote to memory of 2988	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	42
PID 2860 wrote to memory of 2988	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	42
PID 2860 wrote to memory of 2988	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	42
PID 2860 wrote to memory of 3000	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	43
PID 2860 wrote to memory of 3000	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	43
PID 2860 wrote to memory of 3000	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	43
PID 2860 wrote to memory of 3000	2860	{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe	43
PID 2988 wrote to memory of 960	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	44
PID 2988 wrote to memory of 960	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	44
PID 2988 wrote to memory of 960	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	44
PID 2988 wrote to memory of 960	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	44
PID 2988 wrote to memory of 2272	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	45
PID 2988 wrote to memory of 2272	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	45
PID 2988 wrote to memory of 2272	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	45
PID 2988 wrote to memory of 2272	2988	{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_856ca56e5fbc8d2bbab859f798420c20_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{E05B3545-5182-4292-8759-51847B4C20E6}.exe
  C:\Windows\{E05B3545-5182-4292-8759-51847B4C20E6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
    C:\Windows\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
      C:\Windows\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\{0D0E0458-7F61-4191-9365-E6774534794D}.exe
        
        C:\Windows\{0D0E0458-7F61-4191-9365-E6774534794D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
        
        C:\Windows\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
        
        C:\Windows\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
        
        C:\Windows\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
        
        C:\Windows\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
        
        C:\Windows\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe
        
        C:\Windows\{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}.exe
        
        C:\Windows\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B05E~1.EXE > nul
        12⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9DFD~1.EXE > nul
        11⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25A2B~1.EXE > nul
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A81E0~1.EXE > nul
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA79F~1.EXE > nul
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{702BC~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D0E0~1.EXE > nul
        6⤵
        
        PID:2336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F267F~1.EXE > nul
        5⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD11~1.EXE > nul
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E05B3~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D0E0458-7F61-4191-9365-E6774534794D}.exe

Filesize
216KB

MD5
3f4d855c1ea62cf58a16ce90e1096d84

SHA1
5a42516b70e9c1c39db48c3b58e85c82f905cdb8

SHA256
a88c5d2776ce183e83404c44bffcbed70a92924b0c5d9effe28200fdbf96ba4f

SHA512
5e221281fde9769ad2fb614c41f854fdf724549dd320df46d364d6bbbb299129ab2cbe5402b642fc79406a92bde1e2b772f6a962c9d85c40b9e4d9cf4a514cd9

Download Submit
C:\Windows\{25A2B11C-7A5E-4b69-BCD1-479211E11E60}.exe

Filesize
216KB

MD5
9067f6d19d18cfd794fb55c9360068b6

SHA1
0899f5edae88cdcac2e82c888dd84d28fb145e18

SHA256
ce0ca0dbb8d479c7acdd7bf5fb4b29bc8766cb5b1c058d25938058d51b8ab743

SHA512
4f89048f9440e62d930a59fea034d855c3c98c4be7e1ab240936e4d5d457dcf3575b0e96a4a8754351301e631f4c3ec5e04faf8b3956ddf717a784a7434c00be

Download Submit
C:\Windows\{5F268721-BFE0-47f7-A59D-FA1587BB8D8D}.exe

Filesize
216KB

MD5
3d349d303e0637a193ef8fa196a1e7ad

SHA1
cc037047d21dbd8fca2b274ece6e515391fb70a9

SHA256
0f1912fb2b897014966501ff8094234284548496a2d2081da199e3d9d2f67810

SHA512
d28b2d79f000a363c022168ea7db472d21de07041f02d7fdbaeb571179c0a608bcb080537c02375db1c3395e5a1eeb142ffe193c3edafac98d09586c17ec326a

Download Submit
C:\Windows\{702BCC4C-4B1B-461a-9B06-AC9C7C7E8331}.exe

Filesize
216KB

MD5
5e8a48814cb80f09567a461169db4ee7

SHA1
0d0d4c78d4a5a98304569c1680ab6429819b0532

SHA256
a12ca438c16b2d719b09f9dbae6750fb673d6f93d9089a40f28b1ccb4dd4371e

SHA512
c284c4dddf6ebab22e2d0698c46b67b4e6ee211f4cb2eb41a4de6a331062e971db4d937d2139b52e79e1bee43faa84ab764221571fc25e6809d99a8c1239cffe

Download Submit
C:\Windows\{9B05E893-A4EA-45c5-A85F-A2D35472B276}.exe

Filesize
216KB

MD5
eaf6ad268e36016b2d36800ef0487a1e

SHA1
647f7b8fe0851b3dd512b79bb4fa703d3890c76e

SHA256
b66f109e50023ff205a535bdec8512aaa8c3fc033c680fdb9d0d8b8c2b48267a

SHA512
793747ac88527101d31407c2334ab08e7fb8e5110b38a924abd6ebd0abd1abe51651de21b8e1d6f994fb3b18518428963967ff127922006017244a4ca9047a68

Download Submit
C:\Windows\{A81E0511-A34E-4b68-8C39-AA5791CDFBEE}.exe

Filesize
216KB

MD5
ba83db55c412a5e7ec00d64cf58739e4

SHA1
737180b6b7e377620669e5d0383b3aed61024774

SHA256
11ccc3a14b0db46ca3e7373228bc5c572fe512e44f2a19956049b5f55f680822

SHA512
59288c6f75725f669bf66f1252b9817390402ff25839133107756bbdd262aa4f21a80cd04b31fb2d26d4f97b510bbcd3c8630ffeff4808835b229e6ac38d7c3f

Download Submit
C:\Windows\{DA79F16D-0D54-46e5-9C16-561CCDE9A10E}.exe

Filesize
216KB

MD5
35f8883242822397fad83b95562cdf6d

SHA1
c3d6fbd3911124d10968eb54a98ada41c34f2fd5

SHA256
80cdff3fe529410a57e675299dd15bfe1275e66a6c139e7d26470b0262f9fde2

SHA512
1ae6a6eb3c91cf0bcc23cfe0036b3140b7751f4f5dbf8bf56ead6a9a5fc3cd33f48d08e5bc4123109b8779eb38a50d561326311ba09d9867509ea32598875386

Download Submit
C:\Windows\{DFD11D3D-9742-4b23-8CCA-C856AB3983C7}.exe

Filesize
216KB

MD5
ed6311a8425624ac0f6e8141ab060d66

SHA1
a00ab40599f9ac1d78e3847656c3caeac756ce3a

SHA256
99fd84517c0e9065ad3348fea7fc1868c12e861e446db986ed768aaa13ee4c2a

SHA512
deead0fbbe87cb5fc635b4b977e00df4b1f9d6c8308dd0b57f4f7efc0128364fc24f3987dd61030b27e6c8e4de75769a8b7dad5b77356398c698fac0f2401140

Download Submit
C:\Windows\{E05B3545-5182-4292-8759-51847B4C20E6}.exe

Filesize
216KB

MD5
c3d435e9407b60f3639b52f4a63988ee

SHA1
8abc742d14a9142e223b64b42f0a285f6b56be69

SHA256
f4bb274d8e78429994062fea016a18074b7924751d142de5eafdd197df384edd

SHA512
84ce6a54a4d4a71eb2c948446dae829ab1b527fd40ab8323824c288ff4c76cf4076513f4cd45d8e0da6d5566b4884007c8cda9a302acb5e4adf0fbd350abab71

Download Submit
C:\Windows\{E9DFDB37-211D-4f9f-9B90-B7B2471C29B2}.exe

Filesize
216KB

MD5
c4710316a357dffc1d30289164b2a517

SHA1
2f266e872f6c1c20bacf872b1db2c4da942fd026

SHA256
863f12771e67c0b51afe9e216a6c97c131da64edb0fe64e963840702fd989790

SHA512
451646769a0a6e4ac6e38e15e8bd7795e202678ad720920ffac6d4ec3341be2529e1b075c30e7269229547ce7978040fadaef163949c0ddd33f1648becc04292

Download Submit
C:\Windows\{F267F49F-E5D3-4beb-85F8-37226D57A7CC}.exe

Filesize
216KB

MD5
ca03ece16d2353d3089f1ca26e4185ca

SHA1
4ed384599accef14c14a7a36ab3db8adcf088c45

SHA256
f3ccb66d2569ce9b0db95f578ed04160513c1f3ce8ccf39c77945173cf351364

SHA512
0f26baec2a55e19434e6096ca5440e8eabe9a921eb3f166b3602ff508b2243d3bcaa4e911534c532deb72fed28d6cf2acbdfca2abcfe7f96c0d046835021147a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads