7be7764447e22519d2c39a1c1ead3a421f678b91e9cf6b82d5d9a19a2ba61dc1

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Size

204KB
MD5

de5a6479cf631935338912a19b7d81cd
SHA1

ed2d3742586add5d1d29e1d84398f6a641b0a130
SHA256

7be7764447e22519d2c39a1c1ead3a421f678b91e9cf6b82d5d9a19a2ba61dc1
SHA512

9cfe368e4021ab9f3f3af38f824e1872b4904fd7f27fd4f09ddef1d1a20710da72dd3e44c3f20710f45c07d5d7849c6241b0a005b37ddb0f9c1b85d4e515a13c
SSDEEP

1536:1EGh0o6l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o6l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015c81-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}\stubpath = "C:\\Windows\\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe"	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83791859-F3B9-4d74-8C24-28823832F01C}	{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}	{1488E36F-4076-42dd-90EA-9A6517A00068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}\stubpath = "C:\\Windows\\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe"	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}\stubpath = "C:\\Windows\\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe"	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12836285-64F9-47e4-9E27-26DC25EB7A96}\stubpath = "C:\\Windows\\{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe"	{945DC325-1721-4917-B994-E580D6FE1130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83791859-F3B9-4d74-8C24-28823832F01C}\stubpath = "C:\\Windows\\{83791859-F3B9-4d74-8C24-28823832F01C}.exe"	{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1488E36F-4076-42dd-90EA-9A6517A00068}	{83791859-F3B9-4d74-8C24-28823832F01C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}\stubpath = "C:\\Windows\\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe"	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{945DC325-1721-4917-B994-E580D6FE1130}	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{945DC325-1721-4917-B994-E580D6FE1130}\stubpath = "C:\\Windows\\{945DC325-1721-4917-B994-E580D6FE1130}.exe"	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}\stubpath = "C:\\Windows\\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}.exe"	{1488E36F-4076-42dd-90EA-9A6517A00068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54024B9A-049E-4484-A006-7146C7FB7A9C}	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54024B9A-049E-4484-A006-7146C7FB7A9C}\stubpath = "C:\\Windows\\{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe"	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}\stubpath = "C:\\Windows\\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe"	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12836285-64F9-47e4-9E27-26DC25EB7A96}	{945DC325-1721-4917-B994-E580D6FE1130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1488E36F-4076-42dd-90EA-9A6517A00068}\stubpath = "C:\\Windows\\{1488E36F-4076-42dd-90EA-9A6517A00068}.exe"	{83791859-F3B9-4d74-8C24-28823832F01C}.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe
2712	{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
1316	{83791859-F3B9-4d74-8C24-28823832F01C}.exe
1616	{1488E36F-4076-42dd-90EA-9A6517A00068}.exe
1656	{53C69ADA-75CB-49cb-B779-1F0C61374D1E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
File created	C:\Windows\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
File created	C:\Windows\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
File created	C:\Windows\{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe	{945DC325-1721-4917-B994-E580D6FE1130}.exe
File created	C:\Windows\{1488E36F-4076-42dd-90EA-9A6517A00068}.exe	{83791859-F3B9-4d74-8C24-28823832F01C}.exe
File created	C:\Windows\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
File created	C:\Windows\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
File created	C:\Windows\{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
File created	C:\Windows\{945DC325-1721-4917-B994-E580D6FE1130}.exe	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
File created	C:\Windows\{83791859-F3B9-4d74-8C24-28823832F01C}.exe	{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
File created	C:\Windows\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}.exe	{1488E36F-4076-42dd-90EA-9A6517A00068}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
Token: SeIncBasePriorityPrivilege	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
Token: SeIncBasePriorityPrivilege	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
Token: SeIncBasePriorityPrivilege	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
Token: SeIncBasePriorityPrivilege	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
Token: SeIncBasePriorityPrivilege	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
Token: SeIncBasePriorityPrivilege	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe
Token: SeIncBasePriorityPrivilege	2712	{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
Token: SeIncBasePriorityPrivilege	1316	{83791859-F3B9-4d74-8C24-28823832F01C}.exe
Token: SeIncBasePriorityPrivilege	1616	{1488E36F-4076-42dd-90EA-9A6517A00068}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2500	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	28
PID 1008 wrote to memory of 2500	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	28
PID 1008 wrote to memory of 2500	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	28
PID 1008 wrote to memory of 2500	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	28
PID 1008 wrote to memory of 2576	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	29
PID 1008 wrote to memory of 2576	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	29
PID 1008 wrote to memory of 2576	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	29
PID 1008 wrote to memory of 2576	1008	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	29
PID 2500 wrote to memory of 2784	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	30
PID 2500 wrote to memory of 2784	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	30
PID 2500 wrote to memory of 2784	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	30
PID 2500 wrote to memory of 2784	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	30
PID 2500 wrote to memory of 2396	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	31
PID 2500 wrote to memory of 2396	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	31
PID 2500 wrote to memory of 2396	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	31
PID 2500 wrote to memory of 2396	2500	{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe	31
PID 2784 wrote to memory of 2616	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	34
PID 2784 wrote to memory of 2616	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	34
PID 2784 wrote to memory of 2616	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	34
PID 2784 wrote to memory of 2616	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	34
PID 2784 wrote to memory of 2880	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	35
PID 2784 wrote to memory of 2880	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	35
PID 2784 wrote to memory of 2880	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	35
PID 2784 wrote to memory of 2880	2784	{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe	35
PID 2616 wrote to memory of 440	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	36
PID 2616 wrote to memory of 440	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	36
PID 2616 wrote to memory of 440	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	36
PID 2616 wrote to memory of 440	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	36
PID 2616 wrote to memory of 1464	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	37
PID 2616 wrote to memory of 1464	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	37
PID 2616 wrote to memory of 1464	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	37
PID 2616 wrote to memory of 1464	2616	{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe	37
PID 440 wrote to memory of 2856	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	38
PID 440 wrote to memory of 2856	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	38
PID 440 wrote to memory of 2856	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	38
PID 440 wrote to memory of 2856	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	38
PID 440 wrote to memory of 3040	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	39
PID 440 wrote to memory of 3040	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	39
PID 440 wrote to memory of 3040	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	39
PID 440 wrote to memory of 3040	440	{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe	39
PID 2856 wrote to memory of 2020	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	40
PID 2856 wrote to memory of 2020	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	40
PID 2856 wrote to memory of 2020	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	40
PID 2856 wrote to memory of 2020	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	40
PID 2856 wrote to memory of 1612	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	41
PID 2856 wrote to memory of 1612	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	41
PID 2856 wrote to memory of 1612	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	41
PID 2856 wrote to memory of 1612	2856	{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe	41
PID 2020 wrote to memory of 2656	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	42
PID 2020 wrote to memory of 2656	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	42
PID 2020 wrote to memory of 2656	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	42
PID 2020 wrote to memory of 2656	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	42
PID 2020 wrote to memory of 1888	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	43
PID 2020 wrote to memory of 1888	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	43
PID 2020 wrote to memory of 1888	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	43
PID 2020 wrote to memory of 1888	2020	{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe	43
PID 2656 wrote to memory of 2712	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	44
PID 2656 wrote to memory of 2712	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	44
PID 2656 wrote to memory of 2712	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	44
PID 2656 wrote to memory of 2712	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	44
PID 2656 wrote to memory of 2272	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	45
PID 2656 wrote to memory of 2272	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	45
PID 2656 wrote to memory of 2272	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	45
PID 2656 wrote to memory of 2272	2656	{945DC325-1721-4917-B994-E580D6FE1130}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
  C:\Windows\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
    C:\Windows\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
      C:\Windows\{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
        
        C:\Windows\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
        
        C:\Windows\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
        
        C:\Windows\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{945DC325-1721-4917-B994-E580D6FE1130}.exe
        
        C:\Windows\{945DC325-1721-4917-B994-E580D6FE1130}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
        
        C:\Windows\{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{83791859-F3B9-4d74-8C24-28823832F01C}.exe
        
        C:\Windows\{83791859-F3B9-4d74-8C24-28823832F01C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\{1488E36F-4076-42dd-90EA-9A6517A00068}.exe
        
        C:\Windows\{1488E36F-4076-42dd-90EA-9A6517A00068}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}.exe
        
        C:\Windows\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1488E~1.EXE > nul
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83791~1.EXE > nul
        11⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12836~1.EXE > nul
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{945DC~1.EXE > nul
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68F41~1.EXE > nul
        8⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21E86~1.EXE > nul
        7⤵
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{958CD~1.EXE > nul
        6⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54024~1.EXE > nul
        5⤵
        
        PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64A2E~1.EXE > nul
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5EEB3~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12836285-64F9-47e4-9E27-26DC25EB7A96}.exe

Filesize
204KB

MD5
09a25f96a2bbde8a3fe8e8c7b9da5be3

SHA1
1bcf8db79a402fbfff1191c92ee3aa90959f736e

SHA256
d97c0363e8f6d459be08ed0c96dbc75321c03a469b91a18b89854634ba7f45d7

SHA512
a929ca9cc46e942ded41871b487a1dba708aaede8bac5b57844ceb5ebf08f5301df46943d84d39b7a043bae5ef286a48e2a0b4df8e6b5cbbda8d8826fcd3ccfb

Download Submit
C:\Windows\{1488E36F-4076-42dd-90EA-9A6517A00068}.exe

Filesize
204KB

MD5
cc774467d6e9ab106c11f4e07022aa99

SHA1
795f2b87aaa16aded15fbc112bd07d5c39dfe03d

SHA256
b35eca1a5d4f8e5c0a79632a9d1b44de3609cf85b1b0a6fdcf7508fdcc02d9a9

SHA512
2240a77916824735b66c72f4bf21bb5e987e2be9a2cb71465a856524e542170996265657af02b693aad7c9a4f298a46f48f0c7823ef2d0bf160881dfac0019e5

Download Submit
C:\Windows\{21E869B7-2752-47d0-BA01-C8B3DEEC46A0}.exe

Filesize
204KB

MD5
9300dfe3da94b3bde8acb91c787e7478

SHA1
ec9fe4640358782c731bd295c0718770a0717639

SHA256
dc712eb63bff3be7f0b2757d9890716783ca95e8a11d1a730a9599920aa7dd01

SHA512
d9c884a53a115298d24b33072767cc531bd70168d792c15cf51fed117a4f05fcbe8f797fb9e5756296c1cda6816853e1bdefa05d91bd263cdc43ff446b6efdfd

Download Submit
C:\Windows\{53C69ADA-75CB-49cb-B779-1F0C61374D1E}.exe

Filesize
204KB

MD5
d59486c585b49b47c1da901a8839e2d1

SHA1
ff5ce30f5aba389f010ad8dcd7b0f5ede8f49ce3

SHA256
61076537c6f2b0f2ca7244a6bd62e58141e8fb09fa121fa6cd11aa1bd8cc8a46

SHA512
7daa1f1027a04121262241451891675d110c14d6133145d6fad0d39f5b20aa69f4244fedf03e52846c7fa6f791e938b81621d12b66477c2d68bae6f70a17b248

Download Submit
C:\Windows\{54024B9A-049E-4484-A006-7146C7FB7A9C}.exe

Filesize
204KB

MD5
73ea94fc1f61f9f582c20007cc92a243

SHA1
247b512f5138767d8a22884c4b63a030c13863ba

SHA256
f992ce57c559e29c92fb5f4000e666157ecf180d64450c473b9dec267f82f897

SHA512
161867ab898509f233ddb89b862767dcc60578c1b51090dd9afa5cf1b290714f7538ce87d9c37eb6cc9ec7acf99076be9a73db2965863f6cd78a7022d002925e

Download Submit
C:\Windows\{5EEB3E4D-07D1-43f2-A974-846B664D8E4B}.exe

Filesize
204KB

MD5
4a0f1f6ddfca8f663fcba2409c565d01

SHA1
06ad7978f4b69b9e3e1445b3c385db52610ac68f

SHA256
4b7657a568900872016df79ab8e5bb90b950c9c85f7bae36fb5a2df35ffb22f3

SHA512
347ca14ca1c9b3e91039e07d9bea4efe27de4c243d9a902bdf944a26e090c9374768a45db2aa80783c05aad3c0ce94d99369308ed8049aadc4b95671d395f29a

Download Submit
C:\Windows\{64A2E5E4-CBED-47e5-ADB0-D59B81E84E6F}.exe

Filesize
204KB

MD5
d03a4e1e471401fae2abcd9c59ac0d90

SHA1
638c18ba99d5d0fc874af5f8a163f3e965e7288b

SHA256
70faa6e6ae5640c3dd17a301f8f293ef757fc16b5d9c3e97d0fd078df640ad2f

SHA512
2d52ea24579cc6558fe5dde0274a21d62973be13a1c114e6c30829df4a63e6a1519ff6649d401a740daa6010d844888b7de9271cc3bf2522737b7659fe5b13ec

Download Submit
C:\Windows\{68F41411-A5DF-49d8-8CBC-A83B9AF46F00}.exe

Filesize
204KB

MD5
a490ed3583e95f91035e9ed916eec270

SHA1
fc055391b45a9b810bda57905d0196d931854884

SHA256
c4016759dc879a383bcd97d1e782b57639b49f51347a686a4adffeeeb946f6ad

SHA512
0dc4ea2576e187f0623486aa23eb992756cce09b689bf5d75e60968efb4888cc9ded2a79bc0ab80abb42713a1ac6ff68e3d04e82ca1496bbe59ae2429ae2fe5d

Download Submit
C:\Windows\{83791859-F3B9-4d74-8C24-28823832F01C}.exe

Filesize
204KB

MD5
d54fad9ef55f5ed1b83ffa9742dcb6b5

SHA1
bb846b6f502f451d6b937dbeecdf36724b9d0164

SHA256
281e1589f056bd207073062c0a96a1f5ff316bdb1bc92d10427b61972abed405

SHA512
5de0b5a4837e6db457da2ebda151393ee53074d127ebd4af433501ce2124bf7a3266750cda89d2ac60dbdba990ee243a1e0a021e25a3ef05e158ab07cfac1284

Download Submit
C:\Windows\{945DC325-1721-4917-B994-E580D6FE1130}.exe

Filesize
204KB

MD5
1e874ff01a15089187adfbc449790b0b

SHA1
3b0465c2c6f174dfc017a8f8be2a6e6a1282b79e

SHA256
40a0ab511e0c9e602e9c07183f778f1778f8e9fbad97c55162c91c8826cd3778

SHA512
2b155979b9be3794a652fcdc039365a3d0804fbb28632e2040e63c3c089f0f9b314b8ba0590f5acfa5b37d443fc95e367e96ef6c5d436cae486ef90a1117457a

Download Submit
C:\Windows\{958CD2CA-3C17-49cc-88C0-CA9598E59AC1}.exe

Filesize
204KB

MD5
945717f118b49e6543b06b287836fbc3

SHA1
77f856cba4da4bdab786e9894d8d516c70bc6009

SHA256
c385fe49ad298270a019f0703c3400a69833fc893a0bef21b04b3d55b4d037a4

SHA512
cc814f321a6a10a5cd3d6eabdcb76b9e75e78158b3d913216e228fbc60024a4377c11d0f64a77306215e2495be85824eadc81e9dfee281e912ec4bcf98e17da4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads