e83bf0cf116d18b94e3c3fa22dbfeb9dfc3c42ae9422255c8fecb8f72ed17d37

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe
Size

380KB
MD5

e0b5ece033bd174b9743bedaa694a2f7
SHA1

3db09ed2652d745e0244aa45332715dd191c46f3
SHA256

e83bf0cf116d18b94e3c3fa22dbfeb9dfc3c42ae9422255c8fecb8f72ed17d37
SHA512

9a4a623f861efe49f7c5244172fb3a9ebafef494dfa98974b2cba6449a8307697c4ee3dae645914cf9b02c8c171153177d96d15099218de3be1e757f911ebfe8
SSDEEP

3072:mEGh0oGlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGQl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012262-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001466c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012262-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001466c-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012262-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001466c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012262-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014738-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012262-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014738-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{727EE580-A64A-4782-B7D7-C0500756E86A}	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{727EE580-A64A-4782-B7D7-C0500756E86A}\stubpath = "C:\\Windows\\{727EE580-A64A-4782-B7D7-C0500756E86A}.exe"	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F35D3D0B-4A09-4250-964F-5110936E2425}\stubpath = "C:\\Windows\\{F35D3D0B-4A09-4250-964F-5110936E2425}.exe"	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4598A304-0322-4bf2-95E5-3CBD607E506A}\stubpath = "C:\\Windows\\{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe"	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}\stubpath = "C:\\Windows\\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe"	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC831265-B2CF-40a9-B68F-5B7742BF007C}	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4598A304-0322-4bf2-95E5-3CBD607E506A}	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}	{111BB288-631A-41d5-93DE-0941F20B9343}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC831265-B2CF-40a9-B68F-5B7742BF007C}\stubpath = "C:\\Windows\\{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe"	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}\stubpath = "C:\\Windows\\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe"	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111BB288-631A-41d5-93DE-0941F20B9343}	{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F35D3D0B-4A09-4250-964F-5110936E2425}	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}\stubpath = "C:\\Windows\\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe"	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}\stubpath = "C:\\Windows\\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe"	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}	{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}\stubpath = "C:\\Windows\\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe"	{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111BB288-631A-41d5-93DE-0941F20B9343}\stubpath = "C:\\Windows\\{111BB288-631A-41d5-93DE-0941F20B9343}.exe"	{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}\stubpath = "C:\\Windows\\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}.exe"	{111BB288-631A-41d5-93DE-0941F20B9343}.exe

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe
2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
2000	{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
1644	{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
2304	{111BB288-631A-41d5-93DE-0941F20B9343}.exe
588	{2BA9B09F-9B30-4039-888A-2B582B1E4A04}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe	{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
File created	C:\Windows\{111BB288-631A-41d5-93DE-0941F20B9343}.exe	{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
File created	C:\Windows\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
File created	C:\Windows\{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
File created	C:\Windows\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
File created	C:\Windows\{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
File created	C:\Windows\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
File created	C:\Windows\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}.exe	{111BB288-631A-41d5-93DE-0941F20B9343}.exe
File created	C:\Windows\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe
File created	C:\Windows\{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
File created	C:\Windows\{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
Token: SeIncBasePriorityPrivilege	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe
Token: SeIncBasePriorityPrivilege	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
Token: SeIncBasePriorityPrivilege	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
Token: SeIncBasePriorityPrivilege	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
Token: SeIncBasePriorityPrivilege	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
Token: SeIncBasePriorityPrivilege	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
Token: SeIncBasePriorityPrivilege	2000	{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
Token: SeIncBasePriorityPrivilege	1644	{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
Token: SeIncBasePriorityPrivilege	2304	{111BB288-631A-41d5-93DE-0941F20B9343}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2352	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	28
PID 1612 wrote to memory of 2352	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	28
PID 1612 wrote to memory of 2352	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	28
PID 1612 wrote to memory of 2352	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	28
PID 1612 wrote to memory of 2916	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	29
PID 1612 wrote to memory of 2916	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	29
PID 1612 wrote to memory of 2916	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	29
PID 1612 wrote to memory of 2916	1612	2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe	29
PID 2352 wrote to memory of 2540	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	32
PID 2352 wrote to memory of 2540	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	32
PID 2352 wrote to memory of 2540	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	32
PID 2352 wrote to memory of 2540	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	32
PID 2352 wrote to memory of 2732	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	33
PID 2352 wrote to memory of 2732	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	33
PID 2352 wrote to memory of 2732	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	33
PID 2352 wrote to memory of 2732	2352	{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe	33
PID 2540 wrote to memory of 2680	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	34
PID 2540 wrote to memory of 2680	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	34
PID 2540 wrote to memory of 2680	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	34
PID 2540 wrote to memory of 2680	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	34
PID 2540 wrote to memory of 2444	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	35
PID 2540 wrote to memory of 2444	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	35
PID 2540 wrote to memory of 2444	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	35
PID 2540 wrote to memory of 2444	2540	{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe	35
PID 2680 wrote to memory of 2848	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	36
PID 2680 wrote to memory of 2848	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	36
PID 2680 wrote to memory of 2848	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	36
PID 2680 wrote to memory of 2848	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	36
PID 2680 wrote to memory of 2408	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	37
PID 2680 wrote to memory of 2408	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	37
PID 2680 wrote to memory of 2408	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	37
PID 2680 wrote to memory of 2408	2680	{727EE580-A64A-4782-B7D7-C0500756E86A}.exe	37
PID 2848 wrote to memory of 1628	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	38
PID 2848 wrote to memory of 1628	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	38
PID 2848 wrote to memory of 1628	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	38
PID 2848 wrote to memory of 1628	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	38
PID 2848 wrote to memory of 1732	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	39
PID 2848 wrote to memory of 1732	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	39
PID 2848 wrote to memory of 1732	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	39
PID 2848 wrote to memory of 1732	2848	{F35D3D0B-4A09-4250-964F-5110936E2425}.exe	39
PID 1628 wrote to memory of 2492	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	40
PID 1628 wrote to memory of 2492	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	40
PID 1628 wrote to memory of 2492	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	40
PID 1628 wrote to memory of 2492	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	40
PID 1628 wrote to memory of 2740	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	41
PID 1628 wrote to memory of 2740	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	41
PID 1628 wrote to memory of 2740	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	41
PID 1628 wrote to memory of 2740	1628	{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe	41
PID 2492 wrote to memory of 632	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	42
PID 2492 wrote to memory of 632	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	42
PID 2492 wrote to memory of 632	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	42
PID 2492 wrote to memory of 632	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	42
PID 2492 wrote to memory of 1980	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	43
PID 2492 wrote to memory of 1980	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	43
PID 2492 wrote to memory of 1980	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	43
PID 2492 wrote to memory of 1980	2492	{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe	43
PID 632 wrote to memory of 2000	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	44
PID 632 wrote to memory of 2000	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	44
PID 632 wrote to memory of 2000	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	44
PID 632 wrote to memory of 2000	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	44
PID 632 wrote to memory of 2252	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	45
PID 632 wrote to memory of 2252	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	45
PID 632 wrote to memory of 2252	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	45
PID 632 wrote to memory of 2252	632	{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_e0b5ece033bd174b9743bedaa694a2f7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
  C:\Windows\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe
    C:\Windows\{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
      C:\Windows\{727EE580-A64A-4782-B7D7-C0500756E86A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
        
        C:\Windows\{F35D3D0B-4A09-4250-964F-5110936E2425}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
        
        C:\Windows\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
        
        C:\Windows\{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
        
        C:\Windows\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
        
        C:\Windows\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
        
        C:\Windows\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{111BB288-631A-41d5-93DE-0941F20B9343}.exe
        
        C:\Windows\{111BB288-631A-41d5-93DE-0941F20B9343}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}.exe
        
        C:\Windows\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{111BB~1.EXE > nul
        12⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{519BB~1.EXE > nul
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72E07~1.EXE > nul
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB94A~1.EXE > nul
        9⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4598A~1.EXE > nul
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD1C9~1.EXE > nul
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F35D3~1.EXE > nul
        6⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{727EE~1.EXE > nul
        5⤵
        
        PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC831~1.EXE > nul
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8A0EE~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{111BB288-631A-41d5-93DE-0941F20B9343}.exe

Filesize
380KB

MD5
e1c5521a9496ca5033e8ddfcb97393da

SHA1
0795a4a8a3fdbc34254f14672d245eb02fa1dbf4

SHA256
345249c389a9d92856dedb30ba5ce08d06d4e384e3037b63300e78e91b2cc8de

SHA512
1c0b41dbafb9229e4e365cb839ba381165e2ce0842b7bb02c47fbe382d4f58f9b3cdd11baaf31660c88e6f992c21f38414995ecfb367572b177b76aa39a801b3

Download Submit
C:\Windows\{2BA9B09F-9B30-4039-888A-2B582B1E4A04}.exe

Filesize
380KB

MD5
0b1691914fb0390cb75a2553cdb264b4

SHA1
6ce1909664cf6d5d8963c2c033690c358d3dc734

SHA256
9144d1b47aac1f82e395e7098a6544081f9b9d2b6469c890cba3a0faa2d6ac3c

SHA512
28b711e52e8d7ce03a3934c928d5b1499d6eb81cba9eb1cb73a152df111cece8ad0758c3f4af5989b75bf466025735718ce7fee1693ac6837cd9111d6341141a

Download Submit
C:\Windows\{4598A304-0322-4bf2-95E5-3CBD607E506A}.exe

Filesize
380KB

MD5
689245f7eeb210003d60bc8f6de39468

SHA1
266be332a2528805f03b125a8d15e8271b47f5ef

SHA256
52d490320f6d08dffcce67ec21f977847895eb24ec399e6e449eafc6160cfc8e

SHA512
3071281c38ccbec8607b30a044b8054a9d81b0a04bb7aea2f63d95f9c624182979bd84bc96b4d505d3e0465ae0ec222836d6cb13ca74e9152a6ee980188ceb60

Download Submit
C:\Windows\{519BB0E1-30F0-40fc-BE7C-382EB20910AA}.exe

Filesize
380KB

MD5
0e3e3ca2bb5c43675ef60324f14175be

SHA1
f66d87f758f456a1608856ccd2795f518fe2c207

SHA256
f4998a8fcb0253e8370a5d1462ee495c74490a2a48dbce419fef25b9a397cbbd

SHA512
8c6478c5b3737bc96fbcd4b0195ea122fa4dec7d16226cd59e269c2554b47d238d4f6128adc677f64c8f21452bbbdef3f7787c3f7c3d273fbad7ac986df3c242

Download Submit
C:\Windows\{727EE580-A64A-4782-B7D7-C0500756E86A}.exe

Filesize
380KB

MD5
725abc2e7f79279c0055ce2c357f92af

SHA1
e8fabe7a6883c36ad590a293d8602341eacd28af

SHA256
6f4b42368ab28318f700936e8773b45072ce923b7f336759d196f72e863b60e3

SHA512
0c88568dbd067e69992d15b5dfa90f203e4c618c6fd7617dce9e6ebe92962606374e043018f2de13d7b46873a85554750f4e51896c2ecd39d8533a8f49a6f056

Download Submit
C:\Windows\{72E077A6-2CB5-42c2-866C-1DF91405BC9D}.exe

Filesize
380KB

MD5
c8fef0b2bb2074243f49e7a2dacf8b0a

SHA1
7dc82622718fb02cc34938c22ad18f8a2d1fb064

SHA256
529df8b5aab424ab0093e64acbebf802b56e144070a0634ac887fc81bbcbad28

SHA512
908b55d8ef36cbd7b4d5b239439ad33fe1e0b6f7707bf0236a87ef113ab0cd69fb0f89172431a25a55b9596c51086e4d00a0eeda2146252117df83f093674154

Download Submit
C:\Windows\{8A0EE2CC-5AEE-4cd5-BA1A-EC74F0484900}.exe

Filesize
380KB

MD5
b4c9085123b86422580fb717b6ae31e4

SHA1
71b2077f19f4669f657d60738d1b9bbc8bc1d6f7

SHA256
5f689646a2fa07d1732f3b5f5c3906a9c1dcf22800afdd888ca938916fcb884e

SHA512
214a34ec59937fad2c60ae687dcc24ff2a1f168417e09c34699028950ff331b7816b908cf3a8f40ca9dee498e99b5b0078eaadbf7b89fe4c7bed14eaf44acd1a

Download Submit
C:\Windows\{DC831265-B2CF-40a9-B68F-5B7742BF007C}.exe

Filesize
380KB

MD5
2dff7439034bbe20ac8de2e508bd5316

SHA1
fb115c8e6564c566f3b6e2a827b9395f9b415158

SHA256
7a46904d7a41f783fe63d46a303453a0fd1e74e2ca24c18cc55c4d8e1743d8f4

SHA512
6ef0d2abdf9468ce6395268127553314342c7012e7f2cf8f71126e387ed3690a33759bdda043f2cf69a348c0eb4102cf1571a48276cd07d4a56b35b672910629

Download Submit
C:\Windows\{EB94ABA3-ECB6-4e14-9447-80039B65BF41}.exe

Filesize
380KB

MD5
b4ff593b8478b5c438ef99c534c60f46

SHA1
9de2dddf335d2dc0587b66eb2e8d865f586ea07b

SHA256
c7e0c14aea207bc3073d7d38b4e65983238fab938b603574d1d2fa0bd7d2faad

SHA512
d62cf88ce709138ccb927de23b642fd590308977d9fe12ea9f85ee6395a1f814e0bf3044d34f7d57818e726dfb0063a296787a544eadf36559ad793e4887216c

Download Submit
C:\Windows\{F35D3D0B-4A09-4250-964F-5110936E2425}.exe

Filesize
380KB

MD5
d64de7f2e377fa9ef20fd71a88e58f01

SHA1
7bc50dad82d308e10b0f87bda2db2477d6205515

SHA256
bb72ab611f419bccc72c932139e4b1d1afcdf91a017e788e99b76efdcb804fd6

SHA512
9fcb3c9595e801db5f6f48db73d2aa2af190591e463c3b114aa29f1ef4bf5f4a5d57bc47fabd82bfef7148cfa80fde8f082f86576bceb4309d805ad2d99d52fb

Download Submit
C:\Windows\{FD1C9762-D733-4c5a-B4CF-DD368A16B9A9}.exe

Filesize
380KB

MD5
33eccb110e6acd09f2542d03573f11d0

SHA1
abc2d20374443336d1ade21e4532931bd2b1f3d1

SHA256
2a6cf6f109c5844a7eef8a1fbe44bdfe6eaae59b5a6c096eccab01acb273a435

SHA512
3d2f55f6090d012c254d74569ad41f370a5686356e8852ba0d4b5c97ad23733325fca9a643482881d0c658b8bfa1492f1af795666350565bdb223ba89b7300c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads