a15e9139c6b7fcdabf3ed41d83b54806eb0410d2da6902d9300f2b5dbd2185b6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Size

204KB
MD5

15b5cace224c58021da8f962de4f3657
SHA1

7e22e8e979d37e296ba600640f88ce56c17437b7
SHA256

a15e9139c6b7fcdabf3ed41d83b54806eb0410d2da6902d9300f2b5dbd2185b6
SHA512

d74971c98013d3a56b66574d55ccb90990f7f6fb5415425eaf65563d80b23869fb9e47c7787332eb8d239c4f366863247a9815a1457a8fe109a6be0ade2920f7
SSDEEP

1536:1EGh0oml15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oml1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014b3c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}\stubpath = "C:\\Windows\\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe"	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814841D4-069C-4fa9-9B51-E43F30E426BD}	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}\stubpath = "C:\\Windows\\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe"	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6526947E-E599-4895-B8C5-BA940F46946A}	{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}\stubpath = "C:\\Windows\\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe"	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}\stubpath = "C:\\Windows\\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe"	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F356984-11C2-4bac-A22F-4C90C19F2633}	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F356984-11C2-4bac-A22F-4C90C19F2633}\stubpath = "C:\\Windows\\{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe"	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2C7FCB-C581-440b-93FE-2451659882C2}\stubpath = "C:\\Windows\\{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe"	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C62BF54-5E04-4963-A18D-BDEE408B2487}\stubpath = "C:\\Windows\\{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe"	{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6526947E-E599-4895-B8C5-BA940F46946A}\stubpath = "C:\\Windows\\{6526947E-E599-4895-B8C5-BA940F46946A}.exe"	{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}	{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2C7FCB-C581-440b-93FE-2451659882C2}	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}\stubpath = "C:\\Windows\\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe"	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}\stubpath = "C:\\Windows\\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe"	{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814841D4-069C-4fa9-9B51-E43F30E426BD}\stubpath = "C:\\Windows\\{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe"	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C62BF54-5E04-4963-A18D-BDEE408B2487}	{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
2708	{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe
1600	{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe
2136	{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe
2612	{6526947E-E599-4895-B8C5-BA940F46946A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
File created	C:\Windows\{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe	{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe
File created	C:\Windows\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
File created	C:\Windows\{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
File created	C:\Windows\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
File created	C:\Windows\{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
File created	C:\Windows\{6526947E-E599-4895-B8C5-BA940F46946A}.exe	{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe
File created	C:\Windows\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
File created	C:\Windows\{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
File created	C:\Windows\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
File created	C:\Windows\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe	{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
Token: SeIncBasePriorityPrivilege	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
Token: SeIncBasePriorityPrivilege	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
Token: SeIncBasePriorityPrivilege	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
Token: SeIncBasePriorityPrivilege	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
Token: SeIncBasePriorityPrivilege	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
Token: SeIncBasePriorityPrivilege	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
Token: SeIncBasePriorityPrivilege	2708	{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe
Token: SeIncBasePriorityPrivilege	1600	{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe
Token: SeIncBasePriorityPrivilege	2136	{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3060	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	28
PID 2088 wrote to memory of 3060	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	28
PID 2088 wrote to memory of 3060	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	28
PID 2088 wrote to memory of 3060	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	28
PID 2088 wrote to memory of 1644	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	29
PID 2088 wrote to memory of 1644	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	29
PID 2088 wrote to memory of 1644	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	29
PID 2088 wrote to memory of 1644	2088	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	29
PID 3060 wrote to memory of 2876	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	30
PID 3060 wrote to memory of 2876	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	30
PID 3060 wrote to memory of 2876	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	30
PID 3060 wrote to memory of 2876	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	30
PID 3060 wrote to memory of 2552	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	31
PID 3060 wrote to memory of 2552	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	31
PID 3060 wrote to memory of 2552	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	31
PID 3060 wrote to memory of 2552	3060	{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe	31
PID 2876 wrote to memory of 2816	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	32
PID 2876 wrote to memory of 2816	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	32
PID 2876 wrote to memory of 2816	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	32
PID 2876 wrote to memory of 2816	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	32
PID 2876 wrote to memory of 2596	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	33
PID 2876 wrote to memory of 2596	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	33
PID 2876 wrote to memory of 2596	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	33
PID 2876 wrote to memory of 2596	2876	{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe	33
PID 2816 wrote to memory of 2408	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	36
PID 2816 wrote to memory of 2408	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	36
PID 2816 wrote to memory of 2408	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	36
PID 2816 wrote to memory of 2408	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	36
PID 2816 wrote to memory of 2828	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	37
PID 2816 wrote to memory of 2828	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	37
PID 2816 wrote to memory of 2828	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	37
PID 2816 wrote to memory of 2828	2816	{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe	37
PID 2408 wrote to memory of 3020	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	38
PID 2408 wrote to memory of 3020	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	38
PID 2408 wrote to memory of 3020	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	38
PID 2408 wrote to memory of 3020	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	38
PID 2408 wrote to memory of 3024	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	39
PID 2408 wrote to memory of 3024	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	39
PID 2408 wrote to memory of 3024	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	39
PID 2408 wrote to memory of 3024	2408	{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe	39
PID 3020 wrote to memory of 320	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	40
PID 3020 wrote to memory of 320	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	40
PID 3020 wrote to memory of 320	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	40
PID 3020 wrote to memory of 320	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	40
PID 3020 wrote to memory of 2744	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	41
PID 3020 wrote to memory of 2744	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	41
PID 3020 wrote to memory of 2744	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	41
PID 3020 wrote to memory of 2744	3020	{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe	41
PID 320 wrote to memory of 2000	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	42
PID 320 wrote to memory of 2000	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	42
PID 320 wrote to memory of 2000	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	42
PID 320 wrote to memory of 2000	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	42
PID 320 wrote to memory of 1992	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	43
PID 320 wrote to memory of 1992	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	43
PID 320 wrote to memory of 1992	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	43
PID 320 wrote to memory of 1992	320	{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe	43
PID 2000 wrote to memory of 2708	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	44
PID 2000 wrote to memory of 2708	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	44
PID 2000 wrote to memory of 2708	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	44
PID 2000 wrote to memory of 2708	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	44
PID 2000 wrote to memory of 1328	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	45
PID 2000 wrote to memory of 1328	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	45
PID 2000 wrote to memory of 1328	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	45
PID 2000 wrote to memory of 1328	2000	{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
  C:\Windows\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
    C:\Windows\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
      C:\Windows\{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
        
        C:\Windows\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
        
        C:\Windows\{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
        
        C:\Windows\{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
        
        C:\Windows\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe
        
        C:\Windows\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe
        
        C:\Windows\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe
        
        C:\Windows\{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\{6526947E-E599-4895-B8C5-BA940F46946A}.exe
        
        C:\Windows\{6526947E-E599-4895-B8C5-BA940F46946A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C62B~1.EXE > nul
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A8C~1.EXE > nul
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0ED4~1.EXE > nul
        10⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB094~1.EXE > nul
        9⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E2C7~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F356~1.EXE > nul
        7⤵
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BD7D~1.EXE > nul
        6⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81484~1.EXE > nul
        5⤵
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{68012~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2CDC7~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E2C7FCB-C581-440b-93FE-2451659882C2}.exe

Filesize
204KB

MD5
57df252131945fe992dd01495e62609d

SHA1
94b343da43b2655e9f7a92270098a5874ce45b48

SHA256
2ea3695f682554ee78d1b25dc0d9dfd88775ec2ab58734315b625145b3d346e5

SHA512
73a76da6a0796e55e7520a654a29840c0c0ee83019a517408931bb85cee5ec9daef1ff806bcf50d61e9bce302baf2d260db0c143587f2854e3cdd903bdfb19bc

Download Submit
C:\Windows\{0F356984-11C2-4bac-A22F-4C90C19F2633}.exe

Filesize
204KB

MD5
c0e86335b160b96567f59e7e2f615eb4

SHA1
abaf475ec6c5db548b9e790d76fb5d04d08e6931

SHA256
207756bd997a9399e81f7b0b19ef0c08c9985608d9fd9327e0749c9f5e270d31

SHA512
5a18b7f10088b7de0a825a25e8194e17c2e7842750cfdaf2c2c77929b6548dff81ccb3b2aa511cc1e09218fcdf254d0cc9551839363700ceb08e5b9e10255c97

Download Submit
C:\Windows\{2C62BF54-5E04-4963-A18D-BDEE408B2487}.exe

Filesize
204KB

MD5
d6b5572c6ee531c4cf245f7e8d493857

SHA1
9fd89e501e0058341b6f98d299587fcfa60b03ca

SHA256
a44c4db6cef34b7ab3d9c4a61db573d5552bdcde1ced28740eafb371b430b095

SHA512
bc5be87a943760560ffcf6eae3bb6193ad8bac28b5904076ca7a1e5e001ae2739740de715a1fd1083168b1014aae576f0eb5b3e3f758f09adc123a4816cb4be3

Download Submit
C:\Windows\{2CDC7617-2B6E-4fd1-B4C0-56464DF2F6D4}.exe

Filesize
204KB

MD5
de5a3c8936b6a52b8b31b5c4a14c893a

SHA1
7a3f85dac6e238faee882026113504206f1da940

SHA256
c17ad75e787115417f02c46644ffbbf3a0726fbccf903c873a1063d1fbf8bfe4

SHA512
04a5b9a0c63842ce2164ed026a3c695e7ec6517a2c9c90559b7a4d446742e5aa92631f85b84fcdeda92269f188d1f2080b94d413b56eaf3aa694f8e26c7df4fe

Download Submit
C:\Windows\{6526947E-E599-4895-B8C5-BA940F46946A}.exe

Filesize
204KB

MD5
631e29181a450be377a7c9a67473bff8

SHA1
9eb9616ff27a2b4370c57c9143a11d82a4077ecb

SHA256
5e5a06d5489b23c8e5342c22847410350cff0cf6e33258a2e93c804a2dc5f1eb

SHA512
00e9c490deae2fd6b9ec0d0082f570d6e40582f70cdc2028c53794aa0747c08181dbf30223f8ce47c4f0f315b80f0fd422ab816228fa1e81009232db3711b029

Download Submit
C:\Windows\{66A8CE9A-C9B6-4737-9452-8023CBBE77E8}.exe

Filesize
204KB

MD5
14744c1a94b50dc5dabe811f88371ec5

SHA1
c1f25c525ba23ec826d3c3373f48d20949afb1bc

SHA256
fe61c45ad7c144f6f4a3180fcee3316cdf62770f98009bc9afd552cc37120acc

SHA512
40ff70116af81c1378fe4b575bcc71f25160f9bc2d403e9b2aa78372191a34f18aea279d7c0d18b5bceb7cd606ef865cf4dacb81b37f8fae1681718b4ff9ee55

Download Submit
C:\Windows\{68012B9D-533B-4242-A6D4-C0D6BB4D0618}.exe

Filesize
204KB

MD5
cd76293277846424ff12677f21d35a4f

SHA1
9a156c2f9f6aa91440994644a901bde20ba7b677

SHA256
eef1e616762aaefa4458889f781d0e544f14a261030af3f7bb9ffefbdad2ab0c

SHA512
895fc5ea8f733d413d2750c387c7fe6b89605e0b520c2e5e5afe2c6952ebd0aa4c0188ea0683762c6c26fa86eac4b6a1633d99a527dca5f170a55f7b981e96d8

Download Submit
C:\Windows\{7BD7DC95-3A4B-4a03-808E-182BE1C97989}.exe

Filesize
204KB

MD5
a3f750aa58e7b8e1f820f21edf1e3806

SHA1
09c6deb3dc7bdc7f88d9fdfc008734213d3a066d

SHA256
97d33a31c5c80d47afc16cf220c2f1b4b0ab8d7c14e6c9196166863384fc061d

SHA512
71fa919fc4a517ca9fbd6ba246a8ad07e1bf71a357f3c04cbdb596f562f0a5b07cab11596364c684bb249200d34fc00949b4f5a9068d6f7e9def659e65ebdf4c

Download Submit
C:\Windows\{814841D4-069C-4fa9-9B51-E43F30E426BD}.exe

Filesize
204KB

MD5
d365a4b874b3d715e267ad5ce3b24105

SHA1
33873d7f7922db2787745575cb7a1709efa64837

SHA256
e161b9c9d4e623b0d72940b94f452b176a4370d68bf200ad85d0f167d8f16c55

SHA512
2f9563c4756c7dd292e7e007018e98bee7b06360da68ee23d7e443f0f93cd1b560a087322421ee58e12f6978001386e2b52441af303a74f8352d47d223c2eeb9

Download Submit
C:\Windows\{C0ED490F-7000-4e27-9956-63C89E1BA3D6}.exe

Filesize
204KB

MD5
89575ec1aec9f11c0f47d981b090e140

SHA1
1d701616c92f646386400ce98e6bc0806d94c485

SHA256
193020fd8f97e1a693a45c41b2c7144c5ba027f77dcb574b000ee41ff47e038c

SHA512
c466283846228f040c1236d1e8f62f324e01ecd24a1e89155eb230b1407b829d47a9e6830f2b53eee793a39d16c2261a1ffbc061d2a357066a61a8fbb56d29c1

Download Submit
C:\Windows\{DB094288-E4A7-4216-B8D7-B9E79DCEA13D}.exe

Filesize
204KB

MD5
5f2d27d85d9f265adf156d1f6174bf7d

SHA1
bb4cf6291c2df87442aa21caa5f56dfa80cc7315

SHA256
db95172371d11cd5fe4b450ae60f38905d727180ba5e99430dd05e791d43674d

SHA512
35604fc35bc3707f625b7d45c9a54e455e9e18cbb326f554607f0facab878b3f3e24988320c55cafbcd9bb4339d2ad128bb25ee3214c85aa36e301c5aa93f824

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads