ca812f3efb73d71f9bd9009f9499574193a465209cdc1fe8df2234793d0bf812

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Size

168KB
MD5

3d938cf1cf3819b7ade33ae44c0af079
SHA1

78a46a9758095990867ef2dea90b88decd89ce80
SHA256

ca812f3efb73d71f9bd9009f9499574193a465209cdc1fe8df2234793d0bf812
SHA512

5752345fc39307675e18a49519c42b455a6b1f9b9f092a4e0f631fc4857939166cbce00eeef54721cdf3a3bf626ef2cb8381cff97083c4d5fd3042a971225c95
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000121c5-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001220a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000121c5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000121c5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000121c5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000121c5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000121c5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}\stubpath = "C:\\Windows\\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe"	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9783608-50B1-48b0-AFF1-6D824AE74290}\stubpath = "C:\\Windows\\{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe"	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}\stubpath = "C:\\Windows\\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe"	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E2FED2-2E60-4ff3-BF36-6777735F5358}	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}\stubpath = "C:\\Windows\\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe"	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24CDC2BA-55A8-4553-9128-30BB27820F1A}	{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4884E83C-5E55-44ea-8C6B-D824A580C560}\stubpath = "C:\\Windows\\{4884E83C-5E55-44ea-8C6B-D824A580C560}.exe"	{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}\stubpath = "C:\\Windows\\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe"	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9783608-50B1-48b0-AFF1-6D824AE74290}	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6090EBC7-73AB-4877-AE91-A189393D4BC6}\stubpath = "C:\\Windows\\{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe"	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24CDC2BA-55A8-4553-9128-30BB27820F1A}\stubpath = "C:\\Windows\\{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe"	{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}	{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}\stubpath = "C:\\Windows\\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe"	{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{482DEFD8-DC00-44dc-BC77-2556F32798A2}	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4884E83C-5E55-44ea-8C6B-D824A580C560}	{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E2FED2-2E60-4ff3-BF36-6777735F5358}\stubpath = "C:\\Windows\\{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe"	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6090EBC7-73AB-4877-AE91-A189393D4BC6}	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{482DEFD8-DC00-44dc-BC77-2556F32798A2}\stubpath = "C:\\Windows\\{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe"	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
660	{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe
840	{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
1480	{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe
2200	{4884E83C-5E55-44ea-8C6B-D824A580C560}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
File created	C:\Windows\{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
File created	C:\Windows\{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
File created	C:\Windows\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe	{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
File created	C:\Windows\{4884E83C-5E55-44ea-8C6B-D824A580C560}.exe	{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe
File created	C:\Windows\{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
File created	C:\Windows\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
File created	C:\Windows\{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
File created	C:\Windows\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
File created	C:\Windows\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
File created	C:\Windows\{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe	{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
Token: SeIncBasePriorityPrivilege	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
Token: SeIncBasePriorityPrivilege	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
Token: SeIncBasePriorityPrivilege	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
Token: SeIncBasePriorityPrivilege	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
Token: SeIncBasePriorityPrivilege	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
Token: SeIncBasePriorityPrivilege	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
Token: SeIncBasePriorityPrivilege	660	{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe
Token: SeIncBasePriorityPrivilege	840	{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
Token: SeIncBasePriorityPrivilege	1480	{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1716	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	28
PID 2124 wrote to memory of 1716	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	28
PID 2124 wrote to memory of 1716	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	28
PID 2124 wrote to memory of 1716	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	28
PID 2124 wrote to memory of 2288	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	29
PID 2124 wrote to memory of 2288	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	29
PID 2124 wrote to memory of 2288	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	29
PID 2124 wrote to memory of 2288	2124	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	29
PID 1716 wrote to memory of 2512	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	30
PID 1716 wrote to memory of 2512	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	30
PID 1716 wrote to memory of 2512	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	30
PID 1716 wrote to memory of 2512	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	30
PID 1716 wrote to memory of 2608	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	31
PID 1716 wrote to memory of 2608	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	31
PID 1716 wrote to memory of 2608	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	31
PID 1716 wrote to memory of 2608	1716	{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe	31
PID 2512 wrote to memory of 2960	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	32
PID 2512 wrote to memory of 2960	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	32
PID 2512 wrote to memory of 2960	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	32
PID 2512 wrote to memory of 2960	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	32
PID 2512 wrote to memory of 2592	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	33
PID 2512 wrote to memory of 2592	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	33
PID 2512 wrote to memory of 2592	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	33
PID 2512 wrote to memory of 2592	2512	{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe	33
PID 2960 wrote to memory of 2904	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	36
PID 2960 wrote to memory of 2904	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	36
PID 2960 wrote to memory of 2904	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	36
PID 2960 wrote to memory of 2904	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	36
PID 2960 wrote to memory of 2892	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	37
PID 2960 wrote to memory of 2892	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	37
PID 2960 wrote to memory of 2892	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	37
PID 2960 wrote to memory of 2892	2960	{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe	37
PID 2904 wrote to memory of 2760	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	38
PID 2904 wrote to memory of 2760	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	38
PID 2904 wrote to memory of 2760	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	38
PID 2904 wrote to memory of 2760	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	38
PID 2904 wrote to memory of 1656	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	39
PID 2904 wrote to memory of 1656	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	39
PID 2904 wrote to memory of 1656	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	39
PID 2904 wrote to memory of 1656	2904	{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe	39
PID 2760 wrote to memory of 2020	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	40
PID 2760 wrote to memory of 2020	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	40
PID 2760 wrote to memory of 2020	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	40
PID 2760 wrote to memory of 2020	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	40
PID 2760 wrote to memory of 312	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	41
PID 2760 wrote to memory of 312	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	41
PID 2760 wrote to memory of 312	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	41
PID 2760 wrote to memory of 312	2760	{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe	41
PID 2020 wrote to memory of 1732	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	42
PID 2020 wrote to memory of 1732	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	42
PID 2020 wrote to memory of 1732	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	42
PID 2020 wrote to memory of 1732	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	42
PID 2020 wrote to memory of 1896	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	43
PID 2020 wrote to memory of 1896	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	43
PID 2020 wrote to memory of 1896	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	43
PID 2020 wrote to memory of 1896	2020	{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe	43
PID 1732 wrote to memory of 660	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	44
PID 1732 wrote to memory of 660	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	44
PID 1732 wrote to memory of 660	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	44
PID 1732 wrote to memory of 660	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	44
PID 1732 wrote to memory of 1076	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	45
PID 1732 wrote to memory of 1076	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	45
PID 1732 wrote to memory of 1076	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	45
PID 1732 wrote to memory of 1076	1732	{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
  C:\Windows\{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
    C:\Windows\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
      C:\Windows\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
        
        C:\Windows\{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
        
        C:\Windows\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
        
        C:\Windows\{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
        
        C:\Windows\{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe
        
        C:\Windows\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
        
        C:\Windows\{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe
        
        C:\Windows\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{4884E83C-5E55-44ea-8C6B-D824A580C560}.exe
        
        C:\Windows\{4884E83C-5E55-44ea-8C6B-D824A580C560}.exe
        12⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38A75~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24CDC~1.EXE > nul
        11⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7DB1~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6090E~1.EXE > nul
        9⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66E2F~1.EXE > nul
        8⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C36~1.EXE > nul
        7⤵
        
        PID:312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9783~1.EXE > nul
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E362A~1.EXE > nul
        5⤵
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DE353~1.EXE > nul
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{482DE~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24CDC2BA-55A8-4553-9128-30BB27820F1A}.exe

Filesize
168KB

MD5
820d40d03251292009eb7162957a4d1d

SHA1
921e01247b3c13e1e5e3911ce88e0edc6eaf1e1c

SHA256
ed28aac524c64be0c6ba08793d710f8e97ef24d7fe57c9748837770c76f3477a

SHA512
3ef9a7174f9782466573e2f5bfb661ea5292612de847b5df855ffaff904c2994bb9d76895fe9a0d46ad0f2c7ec1a555b41d2d1dd18b8783d85814367a91ebdf0

Download Submit
C:\Windows\{38A7530E-AEFC-4bd7-911D-7D2EB008A9EA}.exe

Filesize
168KB

MD5
19b87f5a0f4b7d0a8beb136ffb3ffd52

SHA1
fdbfc7ab7e842eca1fd5c4caad95c6510c792b48

SHA256
a0e94a45246362c45c358e7752032d74431bf2b7cae3a1c37cbe7428de95c02a

SHA512
7104b5a0e79d96f85bb81167fd0accbbc971ffb914ee5f984db0097b2970157ef6ebbefffabfd77d80ac15a26eddf42609a3c5bc076fd765b0764a84635df8fa

Download Submit
C:\Windows\{482DEFD8-DC00-44dc-BC77-2556F32798A2}.exe

Filesize
168KB

MD5
e3e5f157a212949e7de86ae72caf93e5

SHA1
3b95af3a395761725196ca30e37e909cd760ce28

SHA256
50e49e22dae68cea5f4f940739dc12233ca6932e04a84022986c3e9ec9b06fd4

SHA512
9983b0b880431560aa0b97633b8a851abbaea82cd3fee2ab3648d6cdfdf50d359d72d7381c169315c34b316fd8b21a615b56398bc1e4a400cffb48fdd52d4b9a

Download Submit
C:\Windows\{4884E83C-5E55-44ea-8C6B-D824A580C560}.exe

Filesize
168KB

MD5
9bb7de3e1ca95b6f930fc6b0710306e8

SHA1
89ab3740b1a3e31152171a2726f52f222d4631f7

SHA256
88c41d1bc2136c819b2c817e78b5d1db5ed19e4cf9ce8d6badddb21f0116ce75

SHA512
c80e2bf89b4c203977e2488264bada4c7a4c7320fe1ba53377a262db10f716b28442605fff8f1dd738f82d407ecce688c721b00bf13531475da78cc2fda2124b

Download Submit
C:\Windows\{6090EBC7-73AB-4877-AE91-A189393D4BC6}.exe

Filesize
168KB

MD5
6f4abe5728aea6fb9bd517c7b08672ec

SHA1
15a7cb217c4683e5b5debee5abd9f60a76756d5f

SHA256
0e26600592be668b2406c590c43fb1d125ab35f6b17aa80cc17545d1a40b6f2c

SHA512
591d6ba9d65d315f80b7a94260b36d0dbc5a60fa6a182993da9e728f87aafca14eb627c8967e3844f0c387f37fbf2de2909c8bc98042f5a98f9b237e00947a65

Download Submit
C:\Windows\{66E2FED2-2E60-4ff3-BF36-6777735F5358}.exe

Filesize
168KB

MD5
4bcd20aa7284720b4e289f633da27a64

SHA1
c0134a83c1aa9feb012c321375178cfbeb9704a6

SHA256
6a5798aee396313d474daf0b54858b5f9603816efb84ab4c1cd77cd95e6a2d06

SHA512
b2207d82e7a45837055d5dd3c4e885275f3b594f3f437cc97d35c420a90f49820084c3a1c687a3059d9c41c024e4db73fae62c76cd4315b511e816797e073e82

Download Submit
C:\Windows\{DE353A76-D345-4d65-B68F-1E3C6FBCF817}.exe

Filesize
168KB

MD5
2e45c15fbdb3c1e3dc0685cad6948f30

SHA1
9cad6e00a557752ba77010fd0b97ad1184adf763

SHA256
8590bbd930063debf297d5cdd80b15d48af2df59c701c822ffee7de20cd7b1f2

SHA512
f4c72de9befa339e3ceef44e5f900269971808cda8e65dc2024d23bea95acf29d2a2206d7a677ce0f75c69b1894790d9d3c64e303e5af788919290b69589be7a

Download Submit
C:\Windows\{E362A69F-AFCD-4cb4-A819-B58EE91FD10C}.exe

Filesize
168KB

MD5
97255cb37e6532e9d6e7a15fcaf9204a

SHA1
86a61f450605a5f9dbd5d7d36e366797fe3887f8

SHA256
6a024e4acfae9a9c1f89142f649e40bdb3dc42dfca7fcb9991fd59ff46475a47

SHA512
9321e740da567ecfb5936b07c4d5f2639e91c4306624207e1158dfc7fe4838a31f7ab5d7ba8f5f123fd2fe4d10623a381acf3ba63b1921ef74bdf2cfd4af660d

Download Submit
C:\Windows\{E9783608-50B1-48b0-AFF1-6D824AE74290}.exe

Filesize
168KB

MD5
829e4f727add7cad2eff659c0cd747cb

SHA1
537f3ec2aa56cc5fd603f2fb9e5f2a232ca0605f

SHA256
dfec712bdcad9780de8178fcdfa0a6b111c987e850b6624d7bed52912c4d8db3

SHA512
026d593681dc6b8590384aa6fea1e81d069ff223e2ebcc2485c17518ff9dd9c5d637f1e258ae73ab70030a9b7c763dd7dcdc7777b9b407816f868cf356cc395b

Download Submit
C:\Windows\{F6C36F0A-BC99-4544-AA42-5D89BBB885E2}.exe

Filesize
168KB

MD5
b4dfb2a6c49198bd319abf2fc49ccef6

SHA1
979982a12c42fa2a5f6df7fada8f4e6ea6eb2c01

SHA256
579e1475e5af1cc048556b94f844e48b7b7a9b47f800dd612b90ee7add5378bf

SHA512
41f287497f1dffb58ac30bdc554d68ba1e5e10cfa29636bed09f0213f97387c14d014e3cedb25783b4b78ea302ffb7eccbabe6281474a4af7129f8ec5bab9778

Download Submit
C:\Windows\{F7DB10FD-2071-4a65-B0E1-C87655BA72EF}.exe

Filesize
168KB

MD5
b8bcd96029d325f6f3aff3e8c69b7e11

SHA1
32a9f9c580acca01d20fa49a4e06082fb907ad51

SHA256
c4fad8f7f6455a5e1d3f410e78519ae696071cbcf09a218fd40ce4834d874f9d

SHA512
68bd37be0926c780b5419ac90ff18f8c451b160746e9adc31be14046994bf291a74185b661228f4b4c6dbc31bdf9c78692fd888424aec2460692af31a7afe9ab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads