726ad4976c5a73933c4c68e37d62af3a8ff039762c02769da26bd952d430b613

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe
Size

380KB
MD5

925db37e64ce50f8464d24e057f580cc
SHA1

0cd316396f158653171f720bbe0d8dd42fd4577f
SHA256

726ad4976c5a73933c4c68e37d62af3a8ff039762c02769da26bd952d430b613
SHA512

a42b81bc02cc728a66c6b2fa56aa45187e3bfd2167a5262321554f98a8a328b73b8cc77651422d17fdbcf1478ba15a5527955eac5d923feb7dfff46eeeea0169
SSDEEP

3072:mEGh0oXlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001274c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0029000000015eb2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000015eb2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000016040-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000015eb2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000016040-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19F76017-1BE4-402f-B121-4CD377275A55}\stubpath = "C:\\Windows\\{19F76017-1BE4-402f-B121-4CD377275A55}.exe"	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48882053-349A-4502-9AC2-214B8D37A35E}	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}	{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}\stubpath = "C:\\Windows\\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}.exe"	{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}\stubpath = "C:\\Windows\\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe"	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48882053-349A-4502-9AC2-214B8D37A35E}\stubpath = "C:\\Windows\\{48882053-349A-4502-9AC2-214B8D37A35E}.exe"	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8701A927-84D4-4b18-B81C-04C681908FC7}	{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}\stubpath = "C:\\Windows\\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe"	{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}	{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}\stubpath = "C:\\Windows\\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe"	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}	{19F76017-1BE4-402f-B121-4CD377275A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}\stubpath = "C:\\Windows\\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe"	{19F76017-1BE4-402f-B121-4CD377275A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8701A927-84D4-4b18-B81C-04C681908FC7}\stubpath = "C:\\Windows\\{8701A927-84D4-4b18-B81C-04C681908FC7}.exe"	{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}\stubpath = "C:\\Windows\\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe"	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}\stubpath = "C:\\Windows\\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe"	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19F76017-1BE4-402f-B121-4CD377275A55}	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}	{48882053-349A-4502-9AC2-214B8D37A35E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}\stubpath = "C:\\Windows\\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe"	{48882053-349A-4502-9AC2-214B8D37A35E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe
344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe
1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe
548	{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
1696	{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
2136	{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe
2044	{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	{19F76017-1BE4-402f-B121-4CD377275A55}.exe
File created	C:\Windows\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
File created	C:\Windows\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe	{48882053-349A-4502-9AC2-214B8D37A35E}.exe
File created	C:\Windows\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe	{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
File created	C:\Windows\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}.exe	{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe
File created	C:\Windows\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe
File created	C:\Windows\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
File created	C:\Windows\{48882053-349A-4502-9AC2-214B8D37A35E}.exe	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
File created	C:\Windows\{8701A927-84D4-4b18-B81C-04C681908FC7}.exe	{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
File created	C:\Windows\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
File created	C:\Windows\{19F76017-1BE4-402f-B121-4CD377275A55}.exe	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
Token: SeIncBasePriorityPrivilege	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
Token: SeIncBasePriorityPrivilege	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe
Token: SeIncBasePriorityPrivilege	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe
Token: SeIncBasePriorityPrivilege	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
Token: SeIncBasePriorityPrivilege	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
Token: SeIncBasePriorityPrivilege	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe
Token: SeIncBasePriorityPrivilege	548	{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
Token: SeIncBasePriorityPrivilege	1696	{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
Token: SeIncBasePriorityPrivilege	2136	{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2336	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	28
PID 1684 wrote to memory of 2336	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	28
PID 1684 wrote to memory of 2336	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	28
PID 1684 wrote to memory of 2336	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	28
PID 1684 wrote to memory of 2548	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	29
PID 1684 wrote to memory of 2548	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	29
PID 1684 wrote to memory of 2548	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	29
PID 1684 wrote to memory of 2548	1684	2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe	29
PID 2336 wrote to memory of 2452	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	30
PID 2336 wrote to memory of 2452	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	30
PID 2336 wrote to memory of 2452	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	30
PID 2336 wrote to memory of 2452	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	30
PID 2336 wrote to memory of 2556	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	31
PID 2336 wrote to memory of 2556	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	31
PID 2336 wrote to memory of 2556	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	31
PID 2336 wrote to memory of 2556	2336	{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe	31
PID 2452 wrote to memory of 2516	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	34
PID 2452 wrote to memory of 2516	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	34
PID 2452 wrote to memory of 2516	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	34
PID 2452 wrote to memory of 2516	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	34
PID 2452 wrote to memory of 2716	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	35
PID 2452 wrote to memory of 2716	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	35
PID 2452 wrote to memory of 2716	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	35
PID 2452 wrote to memory of 2716	2452	{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe	35
PID 2516 wrote to memory of 344	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	36
PID 2516 wrote to memory of 344	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	36
PID 2516 wrote to memory of 344	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	36
PID 2516 wrote to memory of 344	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	36
PID 2516 wrote to memory of 676	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	37
PID 2516 wrote to memory of 676	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	37
PID 2516 wrote to memory of 676	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	37
PID 2516 wrote to memory of 676	2516	{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe	37
PID 344 wrote to memory of 1552	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	38
PID 344 wrote to memory of 1552	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	38
PID 344 wrote to memory of 1552	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	38
PID 344 wrote to memory of 1552	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	38
PID 344 wrote to memory of 1640	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	39
PID 344 wrote to memory of 1640	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	39
PID 344 wrote to memory of 1640	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	39
PID 344 wrote to memory of 1640	344	{19F76017-1BE4-402f-B121-4CD377275A55}.exe	39
PID 1552 wrote to memory of 856	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	40
PID 1552 wrote to memory of 856	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	40
PID 1552 wrote to memory of 856	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	40
PID 1552 wrote to memory of 856	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	40
PID 1552 wrote to memory of 2784	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	41
PID 1552 wrote to memory of 2784	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	41
PID 1552 wrote to memory of 2784	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	41
PID 1552 wrote to memory of 2784	1552	{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe	41
PID 856 wrote to memory of 2004	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	42
PID 856 wrote to memory of 2004	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	42
PID 856 wrote to memory of 2004	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	42
PID 856 wrote to memory of 2004	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	42
PID 856 wrote to memory of 240	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	43
PID 856 wrote to memory of 240	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	43
PID 856 wrote to memory of 240	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	43
PID 856 wrote to memory of 240	856	{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe	43
PID 2004 wrote to memory of 548	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	44
PID 2004 wrote to memory of 548	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	44
PID 2004 wrote to memory of 548	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	44
PID 2004 wrote to memory of 548	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	44
PID 2004 wrote to memory of 2836	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	45
PID 2004 wrote to memory of 2836	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	45
PID 2004 wrote to memory of 2836	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	45
PID 2004 wrote to memory of 2836	2004	{48882053-349A-4502-9AC2-214B8D37A35E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_925db37e64ce50f8464d24e057f580cc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
  C:\Windows\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
    C:\Windows\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe
      C:\Windows\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{19F76017-1BE4-402f-B121-4CD377275A55}.exe
        
        C:\Windows\{19F76017-1BE4-402f-B121-4CD377275A55}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
      - C:\Windows\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
        
        C:\Windows\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
        
        C:\Windows\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{48882053-349A-4502-9AC2-214B8D37A35E}.exe
        
        C:\Windows\{48882053-349A-4502-9AC2-214B8D37A35E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
        
        C:\Windows\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
        
        C:\Windows\{8701A927-84D4-4b18-B81C-04C681908FC7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe
        
        C:\Windows\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}.exe
        
        C:\Windows\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90062~1.EXE > nul
        12⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8701A~1.EXE > nul
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B8D3~1.EXE > nul
        10⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48882~1.EXE > nul
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76A3E~1.EXE > nul
        8⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDCA8~1.EXE > nul
        7⤵
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19F76~1.EXE > nul
        6⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48266~1.EXE > nul
        5⤵
        
        PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{77D57~1.EXE > nul
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE5F~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19F76017-1BE4-402f-B121-4CD377275A55}.exe

Filesize
380KB

MD5
1eeb9f3fde94abcac1adb6c20f765c50

SHA1
cec132025fe8db9246c827751c58ff9314b3e6cf

SHA256
04c0c861ddc517fa823a9b18f49f85145854286b8791ca2468ed1ada2bf01f8a

SHA512
b60f4c03acc42e937b0f23f2582e82eb077ac5bb19540e78384edcd5d0a82dd8d758b919d8346680ceb39efde6809e7023de318556284e740529fa452438412a

Download Submit
C:\Windows\{48266CEE-D43B-4914-83CD-E9E3AC8B7B4F}.exe

Filesize
380KB

MD5
59475f51d844f03b9426078bd876a10b

SHA1
2e0fc280135dab59f101f87b88c3510d8c74c379

SHA256
de6facac8b18e9a88c9c1df83886dfc660813936440627e683b687e370662c4a

SHA512
03cdd3baf10d3c0ab6a1e5968f7e7f66fe9a1df7557645c0becbec90275d6c6d635154c8d2406263167a470ddfda5a944ad87860f63558b3db508c67ff28363e

Download Submit
C:\Windows\{48882053-349A-4502-9AC2-214B8D37A35E}.exe

Filesize
380KB

MD5
56b8c7cd11ef076843d96e63c91ae8fd

SHA1
8d93d6b887cd48db2e93c4f95c05b218cebd2668

SHA256
0ad5626bda0329050b42dc61bfa4f7d6ad43837ab2747cfdc87045fcd9fc9cac

SHA512
ce1232e71ba8754ae301b0a24b78ff7739a6eaef2df428d957ff71d19173e990f2e51f758ac25f8a1ccabaa6ed5e9e78a51110fe5deac4e139d374bfbb821ecb

Download Submit
C:\Windows\{76A3ED8F-370B-4329-94D8-C07F2988DCD9}.exe

Filesize
380KB

MD5
238aa92c3ba73b5fcadc6c31f4fa71f6

SHA1
96bd4d1d9712afc92c587869387a38c3e66daeb0

SHA256
67a6490e8bfff70f231c44995e4164b5ca34e6f1c0108a01136142f6f5924b31

SHA512
7d35443b966c2c0256dd9bfc168fa992481ba46f6b14edfbf46dca33a9c85e21bb67096fc6f71d5e2a40e7d20ead4c0a3f30a568fb4eaacb1ed5f551899d4ad0

Download Submit
C:\Windows\{77D57668-3EC3-4551-B4BA-37B4346EB3C3}.exe

Filesize
380KB

MD5
f4b27f6fe3987ac9989bd88662ac4722

SHA1
1186be578518e7038274ee3ac904a3f4c8e78075

SHA256
eba7f8349753d3726a832b1022932c02d171fc8ec718af5dbdd1814b7813ea89

SHA512
4d43948a04ef108152f883af3522e6a70e2592c407266ede0e0590fb1c34b39c4ed57525be58517754bd018d151ca03b6d139103999e605e606fadd3d3e25aab

Download Submit
C:\Windows\{7B8D3C8D-B90A-456e-804F-7146A59E3F14}.exe

Filesize
380KB

MD5
8e8872a573dc1c9032cda05cfa755171

SHA1
99323fbe7264facaccd723e09f66eab6217b39e1

SHA256
ecebd29337262c65c3ab16a2f0492a5659628053f6e7db9fc7db19dfa1e2e845

SHA512
33f04355a8c1fe194e360f9276e4922434d30ebc868d2c38e4e7f91209c80bdbc1e6e2eea05695cc5f47a620573c06b1c00d556a2211264499e3ca2ae529d0b2

Download Submit
C:\Windows\{8701A927-84D4-4b18-B81C-04C681908FC7}.exe

Filesize
380KB

MD5
194d069da97dbb5cce20f165078376ad

SHA1
ff343ea817bfcc99b598752b1ba8d3d416f729dd

SHA256
158c9f09ea20ad14c677c594f08f62e0b3683ea1e938a9b43c7c7dae2b9dbdf4

SHA512
c9628084a2d31936755c6bc9c428109155468b11c21c9534a00388b83ad2a64b32f1da75e973e4d29d73b0dedefb19c7eccb27a7bb1c0061fe2d990a49081bbd

Download Submit
C:\Windows\{90062A15-76E7-431e-AA55-1AE6C3E6FBD2}.exe

Filesize
380KB

MD5
d5f9abe54edd20a0e52ab7651b4c1d56

SHA1
a75b422dc1ee93ba2c851ea4006151bb706011f6

SHA256
1f5ffc4393fe80321bad3dc4a755dbb9c27001b7e4de7ff164176889da77eee6

SHA512
6c0f614844d0cb36eb9c5af5c40f19ade5c8d0dba81a7c6cf67b4d7e36b1d41c7df0390550e7de5d1588c43611cf2b6d67cb2c84b924e2739fe4a3ae1fb9b10c

Download Submit
C:\Windows\{ADE5FDD0-6358-4464-85AA-8040A347F6C8}.exe

Filesize
380KB

MD5
892e201c36dddfafd5ca039ccb649f3c

SHA1
76bb461c1c881342b592dcf0ea50fc3c565434fe

SHA256
b6c7f50d4f5531b8e140e6c6914246da64b4be4ef404a2a8e25f5b9c02196ff7

SHA512
c23615e6e02e61c232cda37b1cfe649150bd7516aab92cc3addcc56647a8d896818b67d96f580a0dacc263f2a58f14e9f9be444edfc277b3581e482bc54c7293

Download Submit
C:\Windows\{CDCA84E7-90A5-4dbf-93C8-D3E0483EC368}.exe

Filesize
380KB

MD5
7135821a06f9a709373bd9034c31fb46

SHA1
346164398bc96d90821e46dfa21eb7609d8f9463

SHA256
b1ec3476df3db8abe8b63bda4afd9dc35ba0ec958c89f41abe615bed25788340

SHA512
e1a6b9706b03a78ed9ccab2a68fd5d59224c8085ecf652a21978a9356b67cc7e7ca6eef4b034d86dabf4d9a41529d007e214370c09024a57c9ca71ddadd7f0b3

Download Submit
C:\Windows\{DB4DC3A7-8802-4dfa-9E4D-FB46C4F2E4A1}.exe

Filesize
380KB

MD5
181082a5ef64ca5ea48abd3a9b883856

SHA1
ee3bc4eae7b7fb5b535b9bf05e6a7fac66f53e61

SHA256
e64ed711a2f1b13c2605d7ed6b26ad6037e5872c36d8b191e1599331ea8df060

SHA512
17bbe74b7c638b5ba4d48d39df99d5aff14fe224f4697505380870df44c1d253dd6e6b6fc1f2379f01bbcaeade8bf1ce1db2cbc1103bc753ae3fd3f1b892aca8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads