9815e6c33aeff4e3a0a1eec0feea25ee0eee8da8fef7ecf560650d11be7be909

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Size

168KB
MD5

ef46ef420bb1268618af4fc848316ab3
SHA1

abe787fd5f0aa4f0b5b54e45074047fb6b5af532
SHA256

9815e6c33aeff4e3a0a1eec0feea25ee0eee8da8fef7ecf560650d11be7be909
SHA512

74d9295b855663a102fd7e1dee6b571b0342e331869ceefa3a5ece2879bfd989b730c6cb3599de186e958e501768071efdbf5ec52b37ecc07217a88e3af5822e
SSDEEP

1536:1EGh0oBli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oBliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012266-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012266-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012266-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012266-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012266-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012266-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7161720B-8B14-4526-B18C-84155D6665A9}\stubpath = "C:\\Windows\\{7161720B-8B14-4526-B18C-84155D6665A9}.exe"	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}	{7161720B-8B14-4526-B18C-84155D6665A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5FE403-E43C-46c5-A849-75838F096E1D}	{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}	{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}\stubpath = "C:\\Windows\\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe"	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C719FC-46B2-47d4-B44C-092F7694F651}	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7161720B-8B14-4526-B18C-84155D6665A9}	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}\stubpath = "C:\\Windows\\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe"	{7161720B-8B14-4526-B18C-84155D6665A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}	{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}\stubpath = "C:\\Windows\\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe"	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C719FC-46B2-47d4-B44C-092F7694F651}\stubpath = "C:\\Windows\\{92C719FC-46B2-47d4-B44C-092F7694F651}.exe"	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5FE403-E43C-46c5-A849-75838F096E1D}\stubpath = "C:\\Windows\\{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe"	{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}\stubpath = "C:\\Windows\\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe"	{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}\stubpath = "C:\\Windows\\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe"	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}\stubpath = "C:\\Windows\\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}.exe"	{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}\stubpath = "C:\\Windows\\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe"	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}\stubpath = "C:\\Windows\\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe"	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe

Executes dropped EXE 11 IoCs

pid	Process
2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe
880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe
2876	{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
1352	{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
2252	{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe
2272	{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe
File created	C:\Windows\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe	{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
File created	C:\Windows\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}.exe	{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe
File created	C:\Windows\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
File created	C:\Windows\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
File created	C:\Windows\{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
File created	C:\Windows\{7161720B-8B14-4526-B18C-84155D6665A9}.exe	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
File created	C:\Windows\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	{7161720B-8B14-4526-B18C-84155D6665A9}.exe
File created	C:\Windows\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
File created	C:\Windows\{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe	{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
File created	C:\Windows\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
Token: SeIncBasePriorityPrivilege	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
Token: SeIncBasePriorityPrivilege	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
Token: SeIncBasePriorityPrivilege	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
Token: SeIncBasePriorityPrivilege	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe
Token: SeIncBasePriorityPrivilege	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
Token: SeIncBasePriorityPrivilege	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe
Token: SeIncBasePriorityPrivilege	2876	{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
Token: SeIncBasePriorityPrivilege	1352	{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
Token: SeIncBasePriorityPrivilege	2252	{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2960	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	28
PID 1680 wrote to memory of 2960	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	28
PID 1680 wrote to memory of 2960	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	28
PID 1680 wrote to memory of 2960	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	28
PID 1680 wrote to memory of 3032	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	29
PID 1680 wrote to memory of 3032	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	29
PID 1680 wrote to memory of 3032	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	29
PID 1680 wrote to memory of 3032	1680	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	29
PID 2960 wrote to memory of 2804	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	30
PID 2960 wrote to memory of 2804	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	30
PID 2960 wrote to memory of 2804	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	30
PID 2960 wrote to memory of 2804	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	30
PID 2960 wrote to memory of 2560	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	31
PID 2960 wrote to memory of 2560	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	31
PID 2960 wrote to memory of 2560	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	31
PID 2960 wrote to memory of 2560	2960	{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe	31
PID 2804 wrote to memory of 2448	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	32
PID 2804 wrote to memory of 2448	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	32
PID 2804 wrote to memory of 2448	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	32
PID 2804 wrote to memory of 2448	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	32
PID 2804 wrote to memory of 2652	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	33
PID 2804 wrote to memory of 2652	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	33
PID 2804 wrote to memory of 2652	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	33
PID 2804 wrote to memory of 2652	2804	{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe	33
PID 2448 wrote to memory of 2404	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	36
PID 2448 wrote to memory of 2404	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	36
PID 2448 wrote to memory of 2404	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	36
PID 2448 wrote to memory of 2404	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	36
PID 2448 wrote to memory of 2488	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	37
PID 2448 wrote to memory of 2488	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	37
PID 2448 wrote to memory of 2488	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	37
PID 2448 wrote to memory of 2488	2448	{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe	37
PID 2404 wrote to memory of 2712	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	38
PID 2404 wrote to memory of 2712	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	38
PID 2404 wrote to memory of 2712	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	38
PID 2404 wrote to memory of 2712	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	38
PID 2404 wrote to memory of 664	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	39
PID 2404 wrote to memory of 664	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	39
PID 2404 wrote to memory of 664	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	39
PID 2404 wrote to memory of 664	2404	{92C719FC-46B2-47d4-B44C-092F7694F651}.exe	39
PID 2712 wrote to memory of 880	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	40
PID 2712 wrote to memory of 880	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	40
PID 2712 wrote to memory of 880	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	40
PID 2712 wrote to memory of 880	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	40
PID 2712 wrote to memory of 1988	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	41
PID 2712 wrote to memory of 1988	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	41
PID 2712 wrote to memory of 1988	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	41
PID 2712 wrote to memory of 1988	2712	{7161720B-8B14-4526-B18C-84155D6665A9}.exe	41
PID 880 wrote to memory of 2332	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	42
PID 880 wrote to memory of 2332	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	42
PID 880 wrote to memory of 2332	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	42
PID 880 wrote to memory of 2332	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	42
PID 880 wrote to memory of 1624	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	43
PID 880 wrote to memory of 1624	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	43
PID 880 wrote to memory of 1624	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	43
PID 880 wrote to memory of 1624	880	{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe	43
PID 2332 wrote to memory of 2876	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	44
PID 2332 wrote to memory of 2876	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	44
PID 2332 wrote to memory of 2876	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	44
PID 2332 wrote to memory of 2876	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	44
PID 2332 wrote to memory of 2412	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	45
PID 2332 wrote to memory of 2412	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	45
PID 2332 wrote to memory of 2412	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	45
PID 2332 wrote to memory of 2412	2332	{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
  C:\Windows\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
    C:\Windows\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
      C:\Windows\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
        
        C:\Windows\{92C719FC-46B2-47d4-B44C-092F7694F651}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\{7161720B-8B14-4526-B18C-84155D6665A9}.exe
        
        C:\Windows\{7161720B-8B14-4526-B18C-84155D6665A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
        
        C:\Windows\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe
        
        C:\Windows\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
        
        C:\Windows\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
        
        C:\Windows\{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe
        
        C:\Windows\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}.exe
        
        C:\Windows\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}.exe
        12⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D985E~1.EXE > nul
        12⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5FE~1.EXE > nul
        11⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDF8A~1.EXE > nul
        10⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69B06~1.EXE > nul
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71F8D~1.EXE > nul
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71617~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92C71~1.EXE > nul
        6⤵
        
        PID:664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81577~1.EXE > nul
        5⤵
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A92B4~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD3F~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F5FE403-E43C-46c5-A849-75838F096E1D}.exe

Filesize
168KB

MD5
299139a6f4b824c143e6c75950723a78

SHA1
3159a70a16f7d4956ab54c66af8f8c525c4810f5

SHA256
ecb319e261c5f88f142acec36c5bb6e22c1ee56d854726dbfe4ec497d31070a2

SHA512
99657dfff4b02d19561540b9360aeca0271b35b081312afac7afa6f361dc2064b25f2c5af938cdbde8281089e695f4ddcf802f6bce3676c1f528af21f4e19a28

Download Submit
C:\Windows\{69B06B50-8F19-45e1-A78B-6334A3AE0C5E}.exe

Filesize
168KB

MD5
72196802cccaee8ebabedaf7c4938e7b

SHA1
3d0bdfbffc0207a7dbedc553bb757a8981d3766c

SHA256
49f3e0d5227cd9b46c7048c7356acc48e5d88e8ce07fb30c7c0b8ef38f1863cc

SHA512
f1c015847cb8d544e82b8b3652933e7fea25af7c127889f3eba2019ad60b3ae6201853dbc80e04d2cc9941afb70cbbaa8e94d1f741d004de645273cba09e116a

Download Submit
C:\Windows\{7161720B-8B14-4526-B18C-84155D6665A9}.exe

Filesize
168KB

MD5
7c5c3bb534172adb705e82584609e0c1

SHA1
2a028e618feedf5623d181e739d75bb82423d7e9

SHA256
d737660462025aaf8631a939ab8bab809e1c25c12d8dcf24a87906e72479a630

SHA512
ea54de75afbda07049900c74b370f7e2748acfb535a5299394779238bc8a9370ad0671cdcf0f4edb7ab8f883e4b279c9aea27013cec85d24ec5b553104f4ed4f

Download Submit
C:\Windows\{71F8D5A7-35E3-4a5c-BF13-4E3A1AD36765}.exe

Filesize
168KB

MD5
74b0197c870c71ade6d05e1d28463efe

SHA1
aa84de92f98de80512a50d4a3e7e8403e653b5fa

SHA256
11aea5a57104d120075ec143248f5ecbab47da85ea46762024a2b613971c47d1

SHA512
adff2991d5b4a62a5b66b55b31ff3b8c8400d64b3d3d8b59de105816d54c47ecbb12cb5e8f961bf2093d0404a00ae40784a4c1c2786398499c401c7c4cb58ad2

Download Submit
C:\Windows\{81577FE5-928E-4ef9-97CC-4CDD8BDC39EA}.exe

Filesize
168KB

MD5
45ece2cd4ea50dc861e5e4f1e64fbeb7

SHA1
4dbccb453de55b661e77e9a02dc45cb48f1d4689

SHA256
53ccaf9c6d2d744c695fd37363af93ca19a4e5376dc4ee633fc404faa5a92097

SHA512
7224bb2ae8416443f664ea29ad2a6961278dc601ac9062dd950c3c4451e9bbe49658b931a6a9188df2e5effff04672de23a6c8e2196136c98ea144472cadc88c

Download Submit
C:\Windows\{92C719FC-46B2-47d4-B44C-092F7694F651}.exe

Filesize
168KB

MD5
8f3a086ed1196012785c5d2655778751

SHA1
7e3f1cfff74e0e332e3a1a66f44a2e705419aca3

SHA256
40391324fd5c171d4b4b8d0284ac615baaf6b29ec02f7a3288ff44a9973d9aa6

SHA512
6a933c726e08ae4571ce690b40374bfe842f63faf8cf00e553b4b50c7fa0c962241928db6473d950b542763861ccf04c91b5010be768472ac6a31ab5a57bedcf

Download Submit
C:\Windows\{9DD3FFE4-A22F-4608-A7BF-BC070185FD75}.exe

Filesize
168KB

MD5
04d820cafa465c6e490e92b78cc94212

SHA1
44c997345ad810567aa4f3c8703a47c6d3fd0aea

SHA256
82f351f48f643477438cdc7830fede4a41ae3a9e920fabbe464f71ffaa0fd093

SHA512
dd933649615dd72a4633b8af87e56e6ae94bd0f7a4815841b9ad1d17bb3bd51772536a59f08ff9572d7d8f384f512835da17ed505d5f6573b3e8794480d98e21

Download Submit
C:\Windows\{A92B43BD-FA14-47f2-AD5C-A6BDA621B1E2}.exe

Filesize
168KB

MD5
1b794b24a9aa92c101712a8fc161e837

SHA1
99bab40af8de695b87b53daf004382088f849b02

SHA256
be9697efafd55afd7f4d0f24e3a22e7203771ce6a26a4eefc49de743bffd46f9

SHA512
81b3d35b24b11fe9fdc964232660d99558fe96503de27c191f56f6c3bfface7821c675eb6ec840a822ac9f1ce649e524fb2ec54c1389b159d92d5b1bf0996205

Download Submit
C:\Windows\{C72D7B8A-7DFA-4704-8AEB-D269EE4DA684}.exe

Filesize
168KB

MD5
288c4d5d6af37ffc47d2189bdc101872

SHA1
61e0f0e8ad004dc6a2d652c3adae71fe62eab8a2

SHA256
e3c8395941bd589dd587c9302ce5e51131282a327742d5218cc1ede2cf4b91c0

SHA512
d45acb195ea97f08a1e17d5fcd0ffe943666973d0ffb9f4cc9be462cb887dfe78c0ee3724ba4a85938e0ff8af1f3dab07f020752d249991cb415b3ae78281884

Download Submit
C:\Windows\{CDF8ADAE-D15E-4012-AB9C-44E6A4E66390}.exe

Filesize
168KB

MD5
ca3721604c5daf9c63c08ffe81fc41d4

SHA1
66bb0a05621c3929ce282c49ba101ceedf43594e

SHA256
1ae0b23abe60bcae19a91f5ee76aa116cb26bf6309482942d4e03d7670a79ea5

SHA512
b93c32f9ead4494906400223602678c804056c4b673da15f843844ab3afc094cf8f6b37003dde2a49f1e93b9e5f27fb266b6f84a6c613ff867c1b6851a227176

Download Submit
C:\Windows\{D985E439-5DFE-45e0-933C-6FB612FFCBC1}.exe

Filesize
168KB

MD5
60ab4b6c3a70badb202cb0d76f61515f

SHA1
8e3570fc09d3bc73e3257ea313b1132c421256f8

SHA256
57fd34209fa194dba1eb4202795da0e993c6d190146843a447c8c805eb0ab104

SHA512
43d052881c0a501c9e6a338365bce96c1328932eec7a5bd1a30f15623c61689611a5d60d1c810a94e198960f415ee749a26abde5bd19ccc36123fc42a0a46043

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads