1b48f3489d014b19becebe6e18a17ca2e34b67997b7ced09cd5df9b7a94a66cb

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Size

204KB
MD5

ec8c79d9550fe428670c387184871322
SHA1

fdd2e746f0f64cfd34cc1c55fe80871f5660ddd2
SHA256

1b48f3489d014b19becebe6e18a17ca2e34b67997b7ced09cd5df9b7a94a66cb
SHA512

dc2d6c3f46023c3628f4bc6f453c609d39ec716ccf1bfa985feaab308a191f843178756d08165600ea400ecfbc91147d66a6293636da3229b966c9505b3b4bdb
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122fa-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014af6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155f3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122fa-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122fa-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122fa-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D96D820D-4931-4704-9906-9CFE0156D617}\stubpath = "C:\\Windows\\{D96D820D-4931-4704-9906-9CFE0156D617}.exe"	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50E5BDC-929B-4794-8D62-9D9D59D11478}\stubpath = "C:\\Windows\\{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe"	{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63CD23A8-7934-42db-9188-91059772F9CB}	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5974BA3-292C-4c24-A853-363D804D22E1}	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5974BA3-292C-4c24-A853-363D804D22E1}\stubpath = "C:\\Windows\\{A5974BA3-292C-4c24-A853-363D804D22E1}.exe"	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{373E8825-A48E-44f6-9766-3930FF14F325}\stubpath = "C:\\Windows\\{373E8825-A48E-44f6-9766-3930FF14F325}.exe"	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F95D7E-81F7-42d4-AC83-8408F76888FD}\stubpath = "C:\\Windows\\{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe"	{373E8825-A48E-44f6-9766-3930FF14F325}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D96D820D-4931-4704-9906-9CFE0156D617}	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}\stubpath = "C:\\Windows\\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe"	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{373E8825-A48E-44f6-9766-3930FF14F325}	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}	{D96D820D-4931-4704-9906-9CFE0156D617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}\stubpath = "C:\\Windows\\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe"	{D96D820D-4931-4704-9906-9CFE0156D617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}	{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}\stubpath = "C:\\Windows\\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe"	{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50E5BDC-929B-4794-8D62-9D9D59D11478}	{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4624EB8-F181-4eaa-B184-2D1278177108}	{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4624EB8-F181-4eaa-B184-2D1278177108}\stubpath = "C:\\Windows\\{D4624EB8-F181-4eaa-B184-2D1278177108}.exe"	{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63CD23A8-7934-42db-9188-91059772F9CB}\stubpath = "C:\\Windows\\{63CD23A8-7934-42db-9188-91059772F9CB}.exe"	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E08F4B0C-2326-493a-86AD-B50095C4F365}	{63CD23A8-7934-42db-9188-91059772F9CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E08F4B0C-2326-493a-86AD-B50095C4F365}\stubpath = "C:\\Windows\\{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe"	{63CD23A8-7934-42db-9188-91059772F9CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F95D7E-81F7-42d4-AC83-8408F76888FD}	{373E8825-A48E-44f6-9766-3930FF14F325}.exe

Deletes itself 1 IoCs

pid	Process
2088	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe
2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe
856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe
2180	{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
2936	{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
2248	{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe
1436	{D4624EB8-F181-4eaa-B184-2D1278177108}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D4624EB8-F181-4eaa-B184-2D1278177108}.exe	{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe
File created	C:\Windows\{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
File created	C:\Windows\{373E8825-A48E-44f6-9766-3930FF14F325}.exe	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
File created	C:\Windows\{D96D820D-4931-4704-9906-9CFE0156D617}.exe	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
File created	C:\Windows\{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	{373E8825-A48E-44f6-9766-3930FF14F325}.exe
File created	C:\Windows\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe	{D96D820D-4931-4704-9906-9CFE0156D617}.exe
File created	C:\Windows\{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe	{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
File created	C:\Windows\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe	{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
File created	C:\Windows\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
File created	C:\Windows\{63CD23A8-7934-42db-9188-91059772F9CB}.exe	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
File created	C:\Windows\{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	{63CD23A8-7934-42db-9188-91059772F9CB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
Token: SeIncBasePriorityPrivilege	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe
Token: SeIncBasePriorityPrivilege	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
Token: SeIncBasePriorityPrivilege	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
Token: SeIncBasePriorityPrivilege	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe
Token: SeIncBasePriorityPrivilege	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
Token: SeIncBasePriorityPrivilege	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe
Token: SeIncBasePriorityPrivilege	2180	{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
Token: SeIncBasePriorityPrivilege	2936	{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
Token: SeIncBasePriorityPrivilege	2248	{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2740	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	28
PID 2316 wrote to memory of 2740	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	28
PID 2316 wrote to memory of 2740	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	28
PID 2316 wrote to memory of 2740	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	28
PID 2316 wrote to memory of 2088	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	29
PID 2316 wrote to memory of 2088	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	29
PID 2316 wrote to memory of 2088	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	29
PID 2316 wrote to memory of 2088	2316	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	29
PID 2740 wrote to memory of 2276	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	30
PID 2740 wrote to memory of 2276	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	30
PID 2740 wrote to memory of 2276	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	30
PID 2740 wrote to memory of 2276	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	30
PID 2740 wrote to memory of 2608	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	31
PID 2740 wrote to memory of 2608	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	31
PID 2740 wrote to memory of 2608	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	31
PID 2740 wrote to memory of 2608	2740	{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe	31
PID 2276 wrote to memory of 2584	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	32
PID 2276 wrote to memory of 2584	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	32
PID 2276 wrote to memory of 2584	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	32
PID 2276 wrote to memory of 2584	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	32
PID 2276 wrote to memory of 2592	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	33
PID 2276 wrote to memory of 2592	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	33
PID 2276 wrote to memory of 2592	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	33
PID 2276 wrote to memory of 2592	2276	{63CD23A8-7934-42db-9188-91059772F9CB}.exe	33
PID 2584 wrote to memory of 2472	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	36
PID 2584 wrote to memory of 2472	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	36
PID 2584 wrote to memory of 2472	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	36
PID 2584 wrote to memory of 2472	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	36
PID 2584 wrote to memory of 2532	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	37
PID 2584 wrote to memory of 2532	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	37
PID 2584 wrote to memory of 2532	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	37
PID 2584 wrote to memory of 2532	2584	{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe	37
PID 2472 wrote to memory of 2084	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	38
PID 2472 wrote to memory of 2084	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	38
PID 2472 wrote to memory of 2084	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	38
PID 2472 wrote to memory of 2084	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	38
PID 2472 wrote to memory of 1880	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	39
PID 2472 wrote to memory of 1880	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	39
PID 2472 wrote to memory of 1880	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	39
PID 2472 wrote to memory of 1880	2472	{A5974BA3-292C-4c24-A853-363D804D22E1}.exe	39
PID 2084 wrote to memory of 856	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	40
PID 2084 wrote to memory of 856	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	40
PID 2084 wrote to memory of 856	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	40
PID 2084 wrote to memory of 856	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	40
PID 2084 wrote to memory of 1940	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	41
PID 2084 wrote to memory of 1940	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	41
PID 2084 wrote to memory of 1940	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	41
PID 2084 wrote to memory of 1940	2084	{373E8825-A48E-44f6-9766-3930FF14F325}.exe	41
PID 856 wrote to memory of 1832	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	42
PID 856 wrote to memory of 1832	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	42
PID 856 wrote to memory of 1832	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	42
PID 856 wrote to memory of 1832	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	42
PID 856 wrote to memory of 2776	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	43
PID 856 wrote to memory of 2776	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	43
PID 856 wrote to memory of 2776	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	43
PID 856 wrote to memory of 2776	856	{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe	43
PID 1832 wrote to memory of 2180	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	44
PID 1832 wrote to memory of 2180	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	44
PID 1832 wrote to memory of 2180	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	44
PID 1832 wrote to memory of 2180	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	44
PID 1832 wrote to memory of 1120	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	45
PID 1832 wrote to memory of 1120	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	45
PID 1832 wrote to memory of 1120	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	45
PID 1832 wrote to memory of 1120	1832	{D96D820D-4931-4704-9906-9CFE0156D617}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
  C:\Windows\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{63CD23A8-7934-42db-9188-91059772F9CB}.exe
    C:\Windows\{63CD23A8-7934-42db-9188-91059772F9CB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
      C:\Windows\{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
        
        C:\Windows\{A5974BA3-292C-4c24-A853-363D804D22E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{373E8825-A48E-44f6-9766-3930FF14F325}.exe
        
        C:\Windows\{373E8825-A48E-44f6-9766-3930FF14F325}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
        
        C:\Windows\{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{D96D820D-4931-4704-9906-9CFE0156D617}.exe
        
        C:\Windows\{D96D820D-4931-4704-9906-9CFE0156D617}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
        
        C:\Windows\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
        
        C:\Windows\{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe
        
        C:\Windows\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{D4624EB8-F181-4eaa-B184-2D1278177108}.exe
        
        C:\Windows\{D4624EB8-F181-4eaa-B184-2D1278177108}.exe
        12⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{956DE~1.EXE > nul
        12⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C50E5~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4842F~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D96D8~1.EXE > nul
        9⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46F95~1.EXE > nul
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{373E8~1.EXE > nul
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5974~1.EXE > nul
        6⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E08F4~1.EXE > nul
        5⤵
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63CD2~1.EXE > nul
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9DCE~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{373E8825-A48E-44f6-9766-3930FF14F325}.exe

Filesize
204KB

MD5
fca63f8b1c96888ada43ed3405151156

SHA1
52ac356468c52f19a1c2b62eb2cec70aafe0a77f

SHA256
541cd4efc954c0cd83b3d3b38398246670694a67ff9fbeafce569ae849d94380

SHA512
3730c2d605b2524bb075aff7f1978e3abc83f34650f1de186401e4c5bcaf4629a4d7226fa119e37365826856d4e452830ab573531fc69bfc5f5510d426b74f37

Download Submit
C:\Windows\{46F95D7E-81F7-42d4-AC83-8408F76888FD}.exe

Filesize
204KB

MD5
ac1d57fa4362863d1141bc223a84b2dd

SHA1
babe7e9033d4886775a0edf01e4d056cefa4ddc7

SHA256
97632bcc7d0cbb8370b9cc71881ce86b770a6b15bcd0d4dd330d9fef61a3cbd8

SHA512
09a774408e9f74fb6084a5f062821d24c88ad9e9c7863e12700973db6e80def639aba36463e1f695a3ca0edc36e58b4fc65585dc47f53c7fa8dbb7737b5878f1

Download Submit
C:\Windows\{4842FCC6-C1FE-4486-BF95-C0350CFB9BB9}.exe

Filesize
204KB

MD5
e973464af9357bb290be69baaa400915

SHA1
a9fbd939224263bff087dcc533437ee060770cb9

SHA256
1760a72931220bc761c307f3eb14409976f49a72f367624d8f40042bf935250c

SHA512
dc8933ed47a2e150d73885e099dd1492e58d4809de135c11f5c2aa5dff44f5d4a39f9d92f3bc7d6b005391239ce8219ac39487157189becf43c0463f1d983899

Download Submit
C:\Windows\{63CD23A8-7934-42db-9188-91059772F9CB}.exe

Filesize
204KB

MD5
72865c2d4967e79dac045df01b30987b

SHA1
1f6d6ad27c314e297278e4eedeb584ccd5d75681

SHA256
eb5b21f062aa86745d82635d7c5e434552a3367de8217ed74658e3c842fa5e42

SHA512
f5c5bf295270d777e15ecc9aaf673d8e99134e5cbe2096a80d732fbe45f1bfd2044e1a6b931c9aa0456cc7e92537850901ac7191b1d65cf207514a0f09b2a74d

Download Submit
C:\Windows\{956DEC1E-FD84-4625-B2DA-F2BBB5ADE6A4}.exe

Filesize
204KB

MD5
826143234562df580f17d5c31f32eabc

SHA1
706c869bc6b58e481ce701e5292bfdf54252b90a

SHA256
b9121d5d0599dd1f719e41de83498e26f17358680f9c49d5a4d86646d15098dd

SHA512
47d439fa48962214357279e1ed4039ab097cb3cd77bdee265d75a87767621fb25766b6aa49139cfb591bea1c6c68e263d018bb263154e0b71fc30f636f0332e7

Download Submit
C:\Windows\{A5974BA3-292C-4c24-A853-363D804D22E1}.exe

Filesize
204KB

MD5
3916b66bf9ad2ff4ff99efab2ed66915

SHA1
2e63abf26744d41287c8a912b9a58d8eaacad1da

SHA256
d401e5980ab3e12ea13a375191161c5fb2d4c7ec013e178ca61ff839a30c681a

SHA512
1bc265bf4e3b7092c46fa2a3bf1a1f55c213ad52dd6f241f09c1c2684b938f0772fcf11c42f796c49e578ca79f516034e3f324290ae7a56275e9c36a25c8d220

Download Submit
C:\Windows\{A9DCE0D7-A1C3-4885-AD96-D4BAD3FCF200}.exe

Filesize
204KB

MD5
94ad06b1c2c8b7f3e2be402deaa27aa2

SHA1
c3be7db89c3473b614bbe6b79766f4e861bf6ede

SHA256
20e52640809d2ef3fa7eaa550c7a1806b84c9f446288aed2baf7587231b702c4

SHA512
dd6c37b475bd0acfc13a4a97677b39485807149a81fbd7b9952b3f4f45c6c2fa675008756eb04eb0e4a8beb537581440a50f36749071c3e26acb0da4b25608cf

Download Submit
C:\Windows\{C50E5BDC-929B-4794-8D62-9D9D59D11478}.exe

Filesize
204KB

MD5
35dd26f615a8cdb4497fc111bb65b7bb

SHA1
5f0830aab7472766c29f3a8236c9494fb24d5d21

SHA256
2e8f49b408c9407412e0deca6b13b5f0a3e34df9f2276ff028eaa06b50121275

SHA512
f7938a63c68da79327fc03eb4776794b97d26dee4a446ea4a172eb3b6b4e26deeb6b652da68ad6ddf600c4bca1dc1b609c39243bb2b02dd2b1a52abc5946929f

Download Submit
C:\Windows\{D4624EB8-F181-4eaa-B184-2D1278177108}.exe

Filesize
204KB

MD5
77bceba1ba52beaae5a934e67bbb98f6

SHA1
a8374f0a8153196a2551c97ecf8aaad029470c6e

SHA256
d53229980a619f081550725aee87409cdeb9ad6340c052234daec3269fe16780

SHA512
61ad1008a0d46e61014e08bb5aec1e516831de6145b8332aac8adfff99231bdbf7e39dfa03fdcd7c522d15859042ccd8f1a90bbb1f1aecb5c32d9beb9f059021

Download Submit
C:\Windows\{D96D820D-4931-4704-9906-9CFE0156D617}.exe

Filesize
204KB

MD5
3fd3fbb21c94896e07295b7f1ccf33b7

SHA1
d2d8b6870e07c22d068446d431e99da3ae6d4535

SHA256
accc4f498921e2f77ed64eaf9f72053c8dead959c3727bd92edab4fe84b3662c

SHA512
c05403ea56f38d4fa2515d98307b5d7b81cc898fe2a11947ad5266be02cfda08b0c309338a693d2418b7246e8136081441784f530b4d979c4d0520d9668f0b9f

Download Submit
C:\Windows\{E08F4B0C-2326-493a-86AD-B50095C4F365}.exe

Filesize
204KB

MD5
a710967e3ca49e58c74a3ef8d8ba2fe0

SHA1
e2adc08a48acf61454e912bb8eeacb3cab798f56

SHA256
b70a3ce1c21a4c1ee6a3779f6e704fe170d367d35029e835a99ea88fc8a8b51d

SHA512
edf5f32ec64ca9c370d64317b0888cc0ffd884c9622cd602c0047f87dcdb4723c015da48c060c7612cd12772b1208c77de7b3b3804b134335a669d3f5cd8120a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads