efacb24c634c91b214dc4fde1e578971738bdd4049665a6ff1610d1b5e832e13

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe
Size

180KB
MD5

80076a495274e5e9e48358e8ed02831f
SHA1

dffa96fd6a681f15b26ac82f10176231b45ae4c8
SHA256

efacb24c634c91b214dc4fde1e578971738bdd4049665a6ff1610d1b5e832e13
SHA512

8f2d85ce106ca0f8e2901cd1a79ae096bdf1695fa85810def84d71e7d32074d12249609828f8e2ed9312893caff8131fb9f3803fad8616a03ac92246106a1d5a
SSDEEP

3072:jEGh0oIlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001227e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000001507e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001227e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}\stubpath = "C:\\Windows\\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe"	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54262AFD-FB51-43f6-B13E-46A11405F3B4}	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7616D3F1-8F25-4973-864F-6E09DCF892D1}\stubpath = "C:\\Windows\\{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe"	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8285546-90CC-4626-8366-5BDF5B549BB9}	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8285546-90CC-4626-8366-5BDF5B549BB9}\stubpath = "C:\\Windows\\{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe"	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}	{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}\stubpath = "C:\\Windows\\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe"	{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BCE83D9-3539-4b49-A86B-05656AD971B4}\stubpath = "C:\\Windows\\{3BCE83D9-3539-4b49-A86B-05656AD971B4}.exe"	{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}\stubpath = "C:\\Windows\\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe"	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}\stubpath = "C:\\Windows\\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe"	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}\stubpath = "C:\\Windows\\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe"	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}	{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}\stubpath = "C:\\Windows\\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe"	{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BCE83D9-3539-4b49-A86B-05656AD971B4}	{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7616D3F1-8F25-4973-864F-6E09DCF892D1}	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E1F6284-5365-4f5b-9B38-01B301448A02}	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E1F6284-5365-4f5b-9B38-01B301448A02}\stubpath = "C:\\Windows\\{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe"	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54262AFD-FB51-43f6-B13E-46A11405F3B4}\stubpath = "C:\\Windows\\{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe"	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe
320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
1064	{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
2124	{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
2856	{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe
840	{3BCE83D9-3539-4b49-A86B-05656AD971B4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe
File created	C:\Windows\{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
File created	C:\Windows\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
File created	C:\Windows\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
File created	C:\Windows\{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
File created	C:\Windows\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe	{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
File created	C:\Windows\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe	{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
File created	C:\Windows\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe
File created	C:\Windows\{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
File created	C:\Windows\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
File created	C:\Windows\{3BCE83D9-3539-4b49-A86B-05656AD971B4}.exe	{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
Token: SeIncBasePriorityPrivilege	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe
Token: SeIncBasePriorityPrivilege	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
Token: SeIncBasePriorityPrivilege	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
Token: SeIncBasePriorityPrivilege	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
Token: SeIncBasePriorityPrivilege	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
Token: SeIncBasePriorityPrivilege	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
Token: SeIncBasePriorityPrivilege	1064	{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
Token: SeIncBasePriorityPrivilege	2124	{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
Token: SeIncBasePriorityPrivilege	2856	{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2544	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	28
PID 2000 wrote to memory of 2544	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	28
PID 2000 wrote to memory of 2544	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	28
PID 2000 wrote to memory of 2544	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	28
PID 2000 wrote to memory of 2636	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	29
PID 2000 wrote to memory of 2636	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	29
PID 2000 wrote to memory of 2636	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	29
PID 2000 wrote to memory of 2636	2000	2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe	29
PID 2544 wrote to memory of 2568	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	30
PID 2544 wrote to memory of 2568	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	30
PID 2544 wrote to memory of 2568	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	30
PID 2544 wrote to memory of 2568	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	30
PID 2544 wrote to memory of 2552	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	31
PID 2544 wrote to memory of 2552	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	31
PID 2544 wrote to memory of 2552	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	31
PID 2544 wrote to memory of 2552	2544	{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe	31
PID 2568 wrote to memory of 320	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	32
PID 2568 wrote to memory of 320	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	32
PID 2568 wrote to memory of 320	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	32
PID 2568 wrote to memory of 320	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	32
PID 2568 wrote to memory of 2436	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	33
PID 2568 wrote to memory of 2436	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	33
PID 2568 wrote to memory of 2436	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	33
PID 2568 wrote to memory of 2436	2568	{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe	33
PID 320 wrote to memory of 2756	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	36
PID 320 wrote to memory of 2756	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	36
PID 320 wrote to memory of 2756	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	36
PID 320 wrote to memory of 2756	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	36
PID 320 wrote to memory of 2760	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	37
PID 320 wrote to memory of 2760	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	37
PID 320 wrote to memory of 2760	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	37
PID 320 wrote to memory of 2760	320	{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe	37
PID 2756 wrote to memory of 2776	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	38
PID 2756 wrote to memory of 2776	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	38
PID 2756 wrote to memory of 2776	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	38
PID 2756 wrote to memory of 2776	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	38
PID 2756 wrote to memory of 2496	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	39
PID 2756 wrote to memory of 2496	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	39
PID 2756 wrote to memory of 2496	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	39
PID 2756 wrote to memory of 2496	2756	{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe	39
PID 2776 wrote to memory of 2220	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	40
PID 2776 wrote to memory of 2220	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	40
PID 2776 wrote to memory of 2220	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	40
PID 2776 wrote to memory of 2220	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	40
PID 2776 wrote to memory of 1748	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	41
PID 2776 wrote to memory of 1748	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	41
PID 2776 wrote to memory of 1748	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	41
PID 2776 wrote to memory of 1748	2776	{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe	41
PID 2220 wrote to memory of 584	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	42
PID 2220 wrote to memory of 584	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	42
PID 2220 wrote to memory of 584	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	42
PID 2220 wrote to memory of 584	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	42
PID 2220 wrote to memory of 820	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	43
PID 2220 wrote to memory of 820	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	43
PID 2220 wrote to memory of 820	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	43
PID 2220 wrote to memory of 820	2220	{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe	43
PID 584 wrote to memory of 1064	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	44
PID 584 wrote to memory of 1064	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	44
PID 584 wrote to memory of 1064	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	44
PID 584 wrote to memory of 1064	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	44
PID 584 wrote to memory of 1708	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	45
PID 584 wrote to memory of 1708	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	45
PID 584 wrote to memory of 1708	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	45
PID 584 wrote to memory of 1708	584	{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_80076a495274e5e9e48358e8ed02831f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
  C:\Windows\{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe
    C:\Windows\{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
      C:\Windows\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
        
        C:\Windows\{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
        
        C:\Windows\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
        
        C:\Windows\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
        
        C:\Windows\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
        
        C:\Windows\{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
        
        C:\Windows\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe
        
        C:\Windows\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{3BCE83D9-3539-4b49-A86B-05656AD971B4}.exe
        
        C:\Windows\{3BCE83D9-3539-4b49-A86B-05656AD971B4}.exe
        12⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BDF5~1.EXE > nul
        12⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AAA7~1.EXE > nul
        11⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8285~1.EXE > nul
        10⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FED6~1.EXE > nul
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F264C~1.EXE > nul
        8⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B4DC~1.EXE > nul
        7⤵
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E1F6~1.EXE > nul
        6⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43D00~1.EXE > nul
        5⤵
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7616D~1.EXE > nul
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{54262~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E1F6284-5365-4f5b-9B38-01B301448A02}.exe

Filesize
180KB

MD5
97de97ce51b4b0798ab5143a28d274d1

SHA1
293895fabe4a61147e12fc41ba2c340a882ac8b5

SHA256
422f21ad4b0d768cf4370c81ba8de5437ff2e58e1e37109664c2c5ce8260291b

SHA512
4d54bfc6b7ccfab2b03a824e78427759c16c13757810c23ad9ffdad52366071946e0df759ed803e39f99c893fc1e44dbb62e29c9bae80d58d4db16b5778a2cb9

Download Submit
C:\Windows\{2FED693F-B354-4c1c-8A86-0C6BF2C69C30}.exe

Filesize
180KB

MD5
a3566d0265ff7bf50404fd19e35e9d20

SHA1
1b3d42c8bb469a24753adc64e14f5424762cbc95

SHA256
2ff5891ce9f041c598d601a22a511f02de2ddcaba169e9f8e2f182e3afe23ebf

SHA512
500d1480da8f13ef265c445200f898d4282135cf324b1ddc52ad5c7032ab379000818e2d5aa7395c696094187d622c1467723fdcf985b89404c98f29b837be4b

Download Submit
C:\Windows\{3BCE83D9-3539-4b49-A86B-05656AD971B4}.exe

Filesize
180KB

MD5
ded55a54db71fda31bcdb5fbc40a09bb

SHA1
558fe6acdf1366a1c14da2511429533e89a0e7e3

SHA256
3955afb9f9269b5cb7b280ba897177dda185d3c45e8c417c9b4aeab86d3cfe27

SHA512
f67579e14688d1e4abe348dab5e7b0ba1d8861da955eb3eee89ca316a29f0a4ab590919d5c6173ab917aff5055fdf880fd0bdbe4754515f94a60ad7302873322

Download Submit
C:\Windows\{43D00AAE-27D7-424c-A3A5-A13B33EC5C25}.exe

Filesize
180KB

MD5
2507c75547b7419f8328a2e20f7fd14c

SHA1
a8f9ad7cea3b246758689aa286d3c8c92a858abe

SHA256
fbe2846d6876c44f147f7c79f9c3081324e96ba4698b3f8050701c4e498f05a2

SHA512
1f3f6ef394965f444c2362dcdefcbe796e61966b41915c05696fe7691b568312407e1707227ab6263438be9bf134fc6bc1be9ac096de3b8c2b189e118cd285f8

Download Submit
C:\Windows\{4BDF5767-ADA9-4962-8FCF-96E276E4DCA8}.exe

Filesize
180KB

MD5
d9a420a3980be93a06a231cfc343ae6c

SHA1
73b19a2a58afb2c065f023d8f602222d63706956

SHA256
545ebd90710355a393f255e6aa74ab0c035306a7d7edce315f845aa46c2fb91e

SHA512
e548bcd3a9d7c8efc918e79354fa232abce13ed960e68532eda34db6f1765a2328a394bd593a924260fea4b89302155cf81007e9602d83abdf4bca484a69ec89

Download Submit
C:\Windows\{54262AFD-FB51-43f6-B13E-46A11405F3B4}.exe

Filesize
180KB

MD5
121f2caf03bb5cebaa1995ec125515e5

SHA1
6967e305f613aa85098b1379911cede0e3af3936

SHA256
90dae03cea946db0934392a7fa7ada418f6a79b0ff4c44ae5660dd96f6efff78

SHA512
68095979ce2b6e4007537da9d6ef6ed5a09ef472f438ce0931b9460a5dadbe73d81c89943f6a946dcb58d04ff61e4f1e0dfa99f5037ee6ffd48a9233807a0c31

Download Submit
C:\Windows\{7616D3F1-8F25-4973-864F-6E09DCF892D1}.exe

Filesize
180KB

MD5
a18b47a8e20485ecbb1461e6c46059ad

SHA1
2f321f927636c6564285e1b42630aae5e7f1e73f

SHA256
e8732c0ee8228d787a4aa02e488600d5bbbf25791fc5f7f924f367e4a1053f98

SHA512
cf4bd05e2ec27fa5082780d6e3ca0fa05a0a352b3c42676f316163b11d3b09b5d4380bea4b669f4c90dae10ab5fb41f4bebc1352dd926785481211ba6a89ffe4

Download Submit
C:\Windows\{7B4DC079-4715-4ac4-B9D1-20CAC1709B45}.exe

Filesize
180KB

MD5
621f9ae280029a10ad1623dc6784d161

SHA1
a389d82cf0ec168f8a5effb53a382689f1107b81

SHA256
248093eeca73201e0fec71133dba6643050e2ab27adbaadb133aec3d7aad17d6

SHA512
2fe1b570c198a7de8bdd4896054db74a859b280a53cf1049986df835e6f0d22a4e34de8acd80484b2c12d62b70862845c35b5cc9765e80c4d5ae57af65404560

Download Submit
C:\Windows\{8AAA75EF-ABA2-47fe-911D-90C88B8839BB}.exe

Filesize
180KB

MD5
dcde32a16c4ecaf1d7e929d505ef9cb6

SHA1
ad4f5aae06dbfb76b0c6e3b07ba27e717ed61208

SHA256
802f37512a8af7523e8199436240c5501c05111e3be4b0d445dfcdd714320913

SHA512
e415274013d1410f015e9eb9ccc7f15fe8bbadd20dc37da763f15edafaf4221bd769e1e948cdfa0d62c9855f5c7b46cb399e003845354b7f83131571539d70bb

Download Submit
C:\Windows\{E8285546-90CC-4626-8366-5BDF5B549BB9}.exe

Filesize
180KB

MD5
002764f23321131ab842d10a3b497b3d

SHA1
803c5ac68efe393d3a817396fc08e48f72097923

SHA256
a3fff6e09c42bdb6c8a88cfd0209e4388905bd3862bbdf0a3f60889462804fa9

SHA512
0fe37957d4c4b94bac87d1ba1e312b8ccc846ce829845157a370d7aa0e46f4d25531467b0de3ec5fef7535bdefd042ee159d2c2a36a0354823185110a90642eb

Download Submit
C:\Windows\{F264CC84-2AB5-4805-849B-C3DDA341E3CB}.exe

Filesize
180KB

MD5
5936bef17299784140ad21082740615d

SHA1
38ba2299a77f090f82ba1de8abff7d772239d456

SHA256
9e1d1be9db9edde382272ffd64f3bbcae94c8cfd1c3233cfd8f57ff686e43970

SHA512
5eae4dd5ef7fff33c81bf67914d65d4a836b82120163778b8bdaeae267bc5ee40e6453bf2b715c48a07314376520af1515e014e83ae3e7dc0c29c3d9ffb80cbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads