1c0cb1b769ca5c78525c2c1567b93a1af6318d6e967a453d7faeb778b38379e0

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe
Size

204KB
MD5

719f150a125ce2af17da832453b3480e
SHA1

9410f4ed2dfe274706f8bfdb8991f6c7f14aaadc
SHA256

1c0cb1b769ca5c78525c2c1567b93a1af6318d6e967a453d7faeb778b38379e0
SHA512

7f52bdccb3cef7b5419ac83b93897d28989e07624e49eb8fa2edeb51e86f557d6aed576a6dbec99eaa05efed7dc766c8d9729843372a1d730ddae2e4e10bac5f
SSDEEP

1536:1EGh0oFl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oFl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012331-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000013a88-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-32.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012331-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012331-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0254980-58FE-4440-82FC-731D042BCA97}\stubpath = "C:\\Windows\\{C0254980-58FE-4440-82FC-731D042BCA97}.exe"	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}	{C0254980-58FE-4440-82FC-731D042BCA97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07227B98-4692-48d5-9F06-230ABACFABC1}\stubpath = "C:\\Windows\\{07227B98-4692-48d5-9F06-230ABACFABC1}.exe"	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}\stubpath = "C:\\Windows\\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe"	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF8F1078-072D-437c-B1F7-B8552625D374}	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F07F1C92-E594-44a5-95A8-06E971B5CA89}	{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0254980-58FE-4440-82FC-731D042BCA97}	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF8F1078-072D-437c-B1F7-B8552625D374}\stubpath = "C:\\Windows\\{EF8F1078-072D-437c-B1F7-B8552625D374}.exe"	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C923F1D-6B55-488c-9BE5-318C72699CEF}	{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CDDC341-139C-48a9-B37C-E75A9D65192B}	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CDDC341-139C-48a9-B37C-E75A9D65192B}\stubpath = "C:\\Windows\\{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe"	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CACBA04-F919-414b-A2B5-BC02F540D025}\stubpath = "C:\\Windows\\{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe"	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C876D1BC-7121-4d41-BFD0-276457D888A3}\stubpath = "C:\\Windows\\{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe"	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4274357-1A43-443a-8D6D-73286CEE2A34}	{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C923F1D-6B55-488c-9BE5-318C72699CEF}\stubpath = "C:\\Windows\\{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe"	{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}\stubpath = "C:\\Windows\\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe"	{C0254980-58FE-4440-82FC-731D042BCA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07227B98-4692-48d5-9F06-230ABACFABC1}	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CACBA04-F919-414b-A2B5-BC02F540D025}	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C876D1BC-7121-4d41-BFD0-276457D888A3}	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4274357-1A43-443a-8D6D-73286CEE2A34}\stubpath = "C:\\Windows\\{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe"	{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F07F1C92-E594-44a5-95A8-06E971B5CA89}\stubpath = "C:\\Windows\\{F07F1C92-E594-44a5-95A8-06E971B5CA89}.exe"	{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe
2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe
2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
2468	{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
2052	{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
536	{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe
1404	{F07F1C92-E594-44a5-95A8-06E971B5CA89}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe	{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
File created	C:\Windows\{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe	{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
File created	C:\Windows\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	{C0254980-58FE-4440-82FC-731D042BCA97}.exe
File created	C:\Windows\{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
File created	C:\Windows\{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
File created	C:\Windows\{EF8F1078-072D-437c-B1F7-B8552625D374}.exe	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
File created	C:\Windows\{F07F1C92-E594-44a5-95A8-06E971B5CA89}.exe	{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe
File created	C:\Windows\{C0254980-58FE-4440-82FC-731D042BCA97}.exe	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe
File created	C:\Windows\{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
File created	C:\Windows\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
File created	C:\Windows\{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe
Token: SeIncBasePriorityPrivilege	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
Token: SeIncBasePriorityPrivilege	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
Token: SeIncBasePriorityPrivilege	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
Token: SeIncBasePriorityPrivilege	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
Token: SeIncBasePriorityPrivilege	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe
Token: SeIncBasePriorityPrivilege	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
Token: SeIncBasePriorityPrivilege	2468	{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
Token: SeIncBasePriorityPrivilege	2052	{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
Token: SeIncBasePriorityPrivilege	536	{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2472	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	28
PID 2184 wrote to memory of 2472	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	28
PID 2184 wrote to memory of 2472	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	28
PID 2184 wrote to memory of 2472	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	28
PID 2184 wrote to memory of 2484	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	29
PID 2184 wrote to memory of 2484	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	29
PID 2184 wrote to memory of 2484	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	29
PID 2184 wrote to memory of 2484	2184	2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe	29
PID 2472 wrote to memory of 2512	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	30
PID 2472 wrote to memory of 2512	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	30
PID 2472 wrote to memory of 2512	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	30
PID 2472 wrote to memory of 2512	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	30
PID 2472 wrote to memory of 2496	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	31
PID 2472 wrote to memory of 2496	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	31
PID 2472 wrote to memory of 2496	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	31
PID 2472 wrote to memory of 2496	2472	{C0254980-58FE-4440-82FC-731D042BCA97}.exe	31
PID 2512 wrote to memory of 2304	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	32
PID 2512 wrote to memory of 2304	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	32
PID 2512 wrote to memory of 2304	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	32
PID 2512 wrote to memory of 2304	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	32
PID 2512 wrote to memory of 2424	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	33
PID 2512 wrote to memory of 2424	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	33
PID 2512 wrote to memory of 2424	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	33
PID 2512 wrote to memory of 2424	2512	{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe	33
PID 2304 wrote to memory of 2396	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	36
PID 2304 wrote to memory of 2396	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	36
PID 2304 wrote to memory of 2396	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	36
PID 2304 wrote to memory of 2396	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	36
PID 2304 wrote to memory of 1360	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	37
PID 2304 wrote to memory of 1360	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	37
PID 2304 wrote to memory of 1360	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	37
PID 2304 wrote to memory of 1360	2304	{07227B98-4692-48d5-9F06-230ABACFABC1}.exe	37
PID 2396 wrote to memory of 2660	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	38
PID 2396 wrote to memory of 2660	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	38
PID 2396 wrote to memory of 2660	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	38
PID 2396 wrote to memory of 2660	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	38
PID 2396 wrote to memory of 2340	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	39
PID 2396 wrote to memory of 2340	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	39
PID 2396 wrote to memory of 2340	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	39
PID 2396 wrote to memory of 2340	2396	{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe	39
PID 2660 wrote to memory of 1776	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	40
PID 2660 wrote to memory of 1776	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	40
PID 2660 wrote to memory of 1776	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	40
PID 2660 wrote to memory of 1776	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	40
PID 2660 wrote to memory of 1520	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	41
PID 2660 wrote to memory of 1520	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	41
PID 2660 wrote to memory of 1520	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	41
PID 2660 wrote to memory of 1520	2660	{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe	41
PID 1776 wrote to memory of 2268	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	42
PID 1776 wrote to memory of 2268	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	42
PID 1776 wrote to memory of 2268	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	42
PID 1776 wrote to memory of 2268	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	42
PID 1776 wrote to memory of 1484	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	43
PID 1776 wrote to memory of 1484	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	43
PID 1776 wrote to memory of 1484	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	43
PID 1776 wrote to memory of 1484	1776	{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe	43
PID 2268 wrote to memory of 2468	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	44
PID 2268 wrote to memory of 2468	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	44
PID 2268 wrote to memory of 2468	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	44
PID 2268 wrote to memory of 2468	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	44
PID 2268 wrote to memory of 1128	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	45
PID 2268 wrote to memory of 1128	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	45
PID 2268 wrote to memory of 1128	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	45
PID 2268 wrote to memory of 1128	2268	{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_719f150a125ce2af17da832453b3480e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{C0254980-58FE-4440-82FC-731D042BCA97}.exe
  C:\Windows\{C0254980-58FE-4440-82FC-731D042BCA97}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
    C:\Windows\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
      C:\Windows\{07227B98-4692-48d5-9F06-230ABACFABC1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
        
        C:\Windows\{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
        
        C:\Windows\{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe
        
        C:\Windows\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
        
        C:\Windows\{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
        
        C:\Windows\{EF8F1078-072D-437c-B1F7-B8552625D374}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
        
        C:\Windows\{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe
        
        C:\Windows\{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{F07F1C92-E594-44a5-95A8-06E971B5CA89}.exe
        
        C:\Windows\{F07F1C92-E594-44a5-95A8-06E971B5CA89}.exe
        12⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C923~1.EXE > nul
        12⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4274~1.EXE > nul
        11⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF8F1~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C876D~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5242~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CACB~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CDDC~1.EXE > nul
        6⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07227~1.EXE > nul
        5⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E8994~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0254~1.EXE > nul
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07227B98-4692-48d5-9F06-230ABACFABC1}.exe

Filesize
204KB

MD5
d6affd91a47cfed8c4ada4c95e32a7ad

SHA1
fa6e20388be12904479c9b9e7688259c41dd634b

SHA256
ee2bfdf5f0d2a36feb2ad1ff8a3e1ad3c24c2d62aeaa528b39310ba3cc1a23b5

SHA512
332942ee939df187a97e6f240dc8fa87a97268a626ba12423823cd4ddb14568ca796ee1fdd0abcdd9d9eedd026b4e9f83eda0e53ea52c413d4e8ae8ec264728d

Download Submit
C:\Windows\{0C923F1D-6B55-488c-9BE5-318C72699CEF}.exe

Filesize
204KB

MD5
d4d4d91a45699f912c97cdd4aa19884d

SHA1
76fcb897efb396a65eff5bc83be61a59b1df524d

SHA256
9f73d1b35d2613651f5f00779ae39a48d279a04d1d8005d67952a1aa493627e9

SHA512
f815c530ba9f255cfd2264e1c2732781802429a361a383610f80208f1a942f24eeb61df1f7eba0b77b8bff3749956923a5c2ade39e2631094bbce97769be95d3

Download Submit
C:\Windows\{3CDDC341-139C-48a9-B37C-E75A9D65192B}.exe

Filesize
204KB

MD5
c548a7e065e086561c027ded784b92b5

SHA1
49f8f769fa839dbf9caa27dfa7fb7d291c75b0a1

SHA256
d8ad0d76a979b96141fb1db857fa12b9e9cd1af33f1f13aa4942e867150d70ba

SHA512
e4c3ff9c6a8d2b4c839563cfb1aa1974fd41d117345aff19fe1dd9fe395abd9cc46bbe48a5601d44e95e9d8133eb14d971f858dd4ce6f302c6a73885e728d441

Download Submit
C:\Windows\{6CACBA04-F919-414b-A2B5-BC02F540D025}.exe

Filesize
204KB

MD5
472e439a92d29d523f271ddb28310e9b

SHA1
f0a383e0a7182c02909e5962242102faf93a1bd9

SHA256
0a5ba3f2c599ed36eb18a59d352767b6099299dfd442a9d3e066c4d3af486c0c

SHA512
d77adcb26937b0b3033f4bf4bcb5076b166e10027bd5d74293f582732a187bab8ca23435ead46ec00e0afc297fb8358d32a1430b82b5db0d76e7d624f7d884fc

Download Submit
C:\Windows\{A4274357-1A43-443a-8D6D-73286CEE2A34}.exe

Filesize
204KB

MD5
9ab095f9d20fc40b231b48d19b3de7b8

SHA1
ef33688914de52d1bad19af92a4db6fff51ac2e8

SHA256
147c6097b807fcfb622bda5320a8cf2b484280d473b6b63e786977954e0b46f6

SHA512
ae33a52f0cdf5373933058a8721d0fe97e921bf546bc89f359c3dbb477d48c1768008bd5c6c178e900126d46778a9be128d00390c43f4570cd5eea7c1ca1c9f6

Download Submit
C:\Windows\{C0254980-58FE-4440-82FC-731D042BCA97}.exe

Filesize
204KB

MD5
f303dad5983d8cf898fc2429e331ea76

SHA1
d22f409efd710b4ea0e9ed9d2a94b509c95cc5df

SHA256
c25115cc16fe42cb6643042b21efa98249c9893d410a28338fb75ba2f5d75011

SHA512
70b5e2aa0a13a13a5e6274dd2e87fa19662a637ab54d663815b35a21e44084c371cdabe779c9b845f8a39dae3ac4a9511bf6ea73a716c5c5d411a283071a4abc

Download Submit
C:\Windows\{C5242D38-9CC0-4922-8C6F-DD33E3BFB5ED}.exe

Filesize
204KB

MD5
d576d6a3740aa9ef9482b76df9fba58d

SHA1
2c53d179a002d39e302848067cc207c74456a173

SHA256
e54da62e4713ddb42240b59c039899bd60446539c5d7310df7439479ed959016

SHA512
c84108f2adcdf476ed174ff6608c7a87af6bc04a5b78ab2f15146bf4b678d2271793d1e4757d9a74c441ee0d8287f3438779c7529884237695907d31d68a88ef

Download Submit
C:\Windows\{C876D1BC-7121-4d41-BFD0-276457D888A3}.exe

Filesize
204KB

MD5
4ae0efeafce1f07b26399ae920af7c17

SHA1
ad755cb1741502dd765c06d9834a3d1a553a5ca9

SHA256
a393ab8d518daca546d15fa7c5b64ac94781bc2a586f448527b16ca1149c69e4

SHA512
dded2ed8e744c9881fe284a62bcb17fcdf1f063fd06f5812893b24003b2b3c7b71dc22700c411fe31e959b6f23c3454e72840f28e74de2731c73f9cbc7d2d145

Download Submit
C:\Windows\{E899492D-C35D-40b9-A95A-825B6FA1AFCC}.exe

Filesize
204KB

MD5
074d46846b693366c856252fb4b9c711

SHA1
06c87007cb18502ef1781e6403c9c9e756216392

SHA256
bd7819e6bd2d6f89b8d05c8962753e725f74a8824c53a175946f27a21cbd3ed3

SHA512
1ac15d6631014665e9a1e09e7d93b9443fc38ef2c8b3ab1378dbc34fa82e119d66f4a708a74313d33a982dc1d4a8cf609a6b90a50f3d2b5829e3376110d710d6

Download Submit
C:\Windows\{EF8F1078-072D-437c-B1F7-B8552625D374}.exe

Filesize
204KB

MD5
9e29af96956f31097c719a7c49d652ca

SHA1
f10f9f0f4d5ae06f9f6b024580aa4c6d72183633

SHA256
8d04abd79028ad085ddd5ee42d231fb84ec38094f26f185d978ba8ccfcd23454

SHA512
1f3813305e5ef3864dd433496738c20932be1ce8fe581ab8a381ba55620fde3d212b3f65f1cc2312af3b33cc1bd913669b7b1030fe3fac630a153352d7ee06bc

Download Submit
C:\Windows\{F07F1C92-E594-44a5-95A8-06E971B5CA89}.exe

Filesize
204KB

MD5
a21570ba6b7287f145725fb89b47af02

SHA1
fd8c5d22d069f537f86257e14b9753f5e360eb99

SHA256
bbf3804ff28caf92178f6f31e3929249024546e92e661a2bf8b34c258c9d50f2

SHA512
460a2ae4c899631677e91917c93c3d9f1534087e24567ff56ea758a04f18f01d53d147adcbc9fba240563b3370b5a1c136589575c2628948d019ecf5201d89b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads