09d2858ac2576212f8adca81f953e44de868d5607204ee9e74ddb7ae71b1cfbf

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 10:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe
Size

344KB
MD5

d016a6202842d2aacbd32574cda53bf2
SHA1

a78b07f471376cc30eb46133d93e2309c6e05716
SHA256

09d2858ac2576212f8adca81f953e44de868d5607204ee9e74ddb7ae71b1cfbf
SHA512

8f0031265d6d7de9b92cc2b546f14e55589ae41bf9576e0c60317c09e03efa642a0d69fed6f197e4e2905d6b6444a8b9d0aba5368b03f81a2b3f383a1eb4320b
SSDEEP

3072:mEGh0ollEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGPlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000144e9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014817-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3BC57C-668D-4239-AE84-F8E8A929E914}\stubpath = "C:\\Windows\\{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe"	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144EB2FB-A6B0-4018-8667-E12502715113}	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}\stubpath = "C:\\Windows\\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe"	{144EB2FB-A6B0-4018-8667-E12502715113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFAA472F-3B84-4c54-8306-9098636EB7CA}\stubpath = "C:\\Windows\\{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe"	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{916A0E24-4446-4685-8C6E-C32CB1054D48}	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC446478-F604-4c6f-88FB-DEF1F44E4328}	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}\stubpath = "C:\\Windows\\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe"	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC446478-F604-4c6f-88FB-DEF1F44E4328}\stubpath = "C:\\Windows\\{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe"	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32AFD423-2554-4fe5-95BE-0699CC7864D2}	{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}	{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3BC57C-668D-4239-AE84-F8E8A929E914}	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}	{144EB2FB-A6B0-4018-8667-E12502715113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}\stubpath = "C:\\Windows\\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe"	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90267D67-2B03-4278-BFA7-513E608DAA5B}\stubpath = "C:\\Windows\\{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe"	{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}\stubpath = "C:\\Windows\\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}.exe"	{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144EB2FB-A6B0-4018-8667-E12502715113}\stubpath = "C:\\Windows\\{144EB2FB-A6B0-4018-8667-E12502715113}.exe"	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFAA472F-3B84-4c54-8306-9098636EB7CA}	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{916A0E24-4446-4685-8C6E-C32CB1054D48}\stubpath = "C:\\Windows\\{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe"	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32AFD423-2554-4fe5-95BE-0699CC7864D2}\stubpath = "C:\\Windows\\{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe"	{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90267D67-2B03-4278-BFA7-513E608DAA5B}	{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe
2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
2784	{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
1692	{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe
2876	{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe
756	{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{144EB2FB-A6B0-4018-8667-E12502715113}.exe	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
File created	C:\Windows\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
File created	C:\Windows\{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
File created	C:\Windows\{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe	{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
File created	C:\Windows\{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe	{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe
File created	C:\Windows\{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe
File created	C:\Windows\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	{144EB2FB-A6B0-4018-8667-E12502715113}.exe
File created	C:\Windows\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
File created	C:\Windows\{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
File created	C:\Windows\{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
File created	C:\Windows\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}.exe	{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
Token: SeIncBasePriorityPrivilege	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe
Token: SeIncBasePriorityPrivilege	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
Token: SeIncBasePriorityPrivilege	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
Token: SeIncBasePriorityPrivilege	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
Token: SeIncBasePriorityPrivilege	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
Token: SeIncBasePriorityPrivilege	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
Token: SeIncBasePriorityPrivilege	2784	{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
Token: SeIncBasePriorityPrivilege	1692	{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe
Token: SeIncBasePriorityPrivilege	2876	{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2856	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	28
PID 2928 wrote to memory of 2856	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	28
PID 2928 wrote to memory of 2856	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	28
PID 2928 wrote to memory of 2856	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	28
PID 2928 wrote to memory of 2964	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	29
PID 2928 wrote to memory of 2964	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	29
PID 2928 wrote to memory of 2964	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	29
PID 2928 wrote to memory of 2964	2928	2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe	29
PID 2856 wrote to memory of 2880	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	30
PID 2856 wrote to memory of 2880	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	30
PID 2856 wrote to memory of 2880	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	30
PID 2856 wrote to memory of 2880	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	30
PID 2856 wrote to memory of 2560	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	31
PID 2856 wrote to memory of 2560	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	31
PID 2856 wrote to memory of 2560	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	31
PID 2856 wrote to memory of 2560	2856	{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe	31
PID 2880 wrote to memory of 2572	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	32
PID 2880 wrote to memory of 2572	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	32
PID 2880 wrote to memory of 2572	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	32
PID 2880 wrote to memory of 2572	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	32
PID 2880 wrote to memory of 2632	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	33
PID 2880 wrote to memory of 2632	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	33
PID 2880 wrote to memory of 2632	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	33
PID 2880 wrote to memory of 2632	2880	{144EB2FB-A6B0-4018-8667-E12502715113}.exe	33
PID 2572 wrote to memory of 2520	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	36
PID 2572 wrote to memory of 2520	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	36
PID 2572 wrote to memory of 2520	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	36
PID 2572 wrote to memory of 2520	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	36
PID 2572 wrote to memory of 2972	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	37
PID 2572 wrote to memory of 2972	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	37
PID 2572 wrote to memory of 2972	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	37
PID 2572 wrote to memory of 2972	2572	{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe	37
PID 2520 wrote to memory of 2936	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	38
PID 2520 wrote to memory of 2936	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	38
PID 2520 wrote to memory of 2936	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	38
PID 2520 wrote to memory of 2936	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	38
PID 2520 wrote to memory of 2280	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	39
PID 2520 wrote to memory of 2280	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	39
PID 2520 wrote to memory of 2280	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	39
PID 2520 wrote to memory of 2280	2520	{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe	39
PID 2936 wrote to memory of 1152	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	40
PID 2936 wrote to memory of 1152	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	40
PID 2936 wrote to memory of 1152	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	40
PID 2936 wrote to memory of 1152	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	40
PID 2936 wrote to memory of 2168	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	41
PID 2936 wrote to memory of 2168	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	41
PID 2936 wrote to memory of 2168	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	41
PID 2936 wrote to memory of 2168	2936	{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe	41
PID 1152 wrote to memory of 1400	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	42
PID 1152 wrote to memory of 1400	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	42
PID 1152 wrote to memory of 1400	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	42
PID 1152 wrote to memory of 1400	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	42
PID 1152 wrote to memory of 2524	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	43
PID 1152 wrote to memory of 2524	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	43
PID 1152 wrote to memory of 2524	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	43
PID 1152 wrote to memory of 2524	1152	{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe	43
PID 1400 wrote to memory of 2784	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	44
PID 1400 wrote to memory of 2784	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	44
PID 1400 wrote to memory of 2784	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	44
PID 1400 wrote to memory of 2784	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	44
PID 1400 wrote to memory of 2412	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	45
PID 1400 wrote to memory of 2412	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	45
PID 1400 wrote to memory of 2412	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	45
PID 1400 wrote to memory of 2412	1400	{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_d016a6202842d2aacbd32574cda53bf2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
  C:\Windows\{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{144EB2FB-A6B0-4018-8667-E12502715113}.exe
    C:\Windows\{144EB2FB-A6B0-4018-8667-E12502715113}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
      C:\Windows\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
        
        C:\Windows\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
        
        C:\Windows\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
        
        C:\Windows\{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
        
        C:\Windows\{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
        
        C:\Windows\{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe
        
        C:\Windows\{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe
        
        C:\Windows\{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}.exe
        
        C:\Windows\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}.exe
        12⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90267~1.EXE > nul
        12⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32AFD~1.EXE > nul
        11⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC446~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{916A0~1.EXE > nul
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFAA4~1.EXE > nul
        8⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97AA5~1.EXE > nul
        7⤵
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC77B~1.EXE > nul
        6⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17F2A~1.EXE > nul
        5⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{144EB~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD3BC~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{144EB2FB-A6B0-4018-8667-E12502715113}.exe

Filesize
344KB

MD5
f3c1d546c250621116111f961a761f44

SHA1
6140d526b663f191fdcadaca2c11d19a5e5a373b

SHA256
d547f52db900c7be11eeee40e9a21152d8c91b2429bf8da8be33db61a42e6186

SHA512
e37a9c41e3f3d1726d3d5470688075592b45811bdc6b9bad3e02db66bf126685a591c591011a0ac7b366995ece7dfefd8efd5befa7ac1d62eb135af8aafbfa62

Download Submit
C:\Windows\{17F2ABDE-DE80-49f4-8E05-0F3539290C87}.exe

Filesize
344KB

MD5
1e7e70c4df822603e441b619221e9579

SHA1
81e095bc500cd688afc29a1ffe00418333658b17

SHA256
11502474a40cee184062464f94cbb069a4de15b781dc975a42ce52761bcc0148

SHA512
e48916a0e47117ef4d7f253e311b27ee69ea1b908fa626fb97dc429587099901eec2341b7e1763bd0941ea541069904bd8dc658e9d27f8d7c9ac71e80504bfe6

Download Submit
C:\Windows\{32AFD423-2554-4fe5-95BE-0699CC7864D2}.exe

Filesize
344KB

MD5
9ab2664d79ceba7e39e34d505e94c14a

SHA1
984f267b3475ee67715630fff8676dec5e81ab78

SHA256
4c0250b8264231f5a9501037c2e4b3313eca5e41debef505369d004fc802d32d

SHA512
6143e6d3c7f22fd37414c4ec42345251e0f7cdb7a6656c34ba390bd3b937e4082eda9e1247e4dac6d6f1b8d9dec53dfe1c5896391f0977fb6c70366ba36ca63c

Download Submit
C:\Windows\{71DDEF74-AB10-4ee7-AC7B-8D5E46AF0298}.exe

Filesize
344KB

MD5
3d09edd4b69a9f59c9e45aef69f3ad69

SHA1
69f2d156978b0dc93f17367500f4fb90b1889ae8

SHA256
56fc5e09dc9ee48eb5748303426d93e2c5cccd0b5ecc0a4c25e88cb84ef7a742

SHA512
ff24faebb79b491c3b052ccd44f2dda44e762916dca25d587bf98a6765839f7c8e12ba0d6c540180023c32fb5e3f95d41ed977a602f5c1eb5ed704110509f323

Download Submit
C:\Windows\{90267D67-2B03-4278-BFA7-513E608DAA5B}.exe

Filesize
344KB

MD5
d5405f519b95a52403f32cfa657c47da

SHA1
d2ce0e6c0b8232b83652bddb83e5060b493825b6

SHA256
1b3d0ae8ec948e3552f78345153756cf5283dc0136e84bf1fcc613d0fa66b066

SHA512
a6eaa8d46e78fbbc0b4cf9daf48af2c50f1487a85da869400ebc5914ba4e9e06d4993a8cc869361a5b8d4e8585dc3ed31586a207abea325559af8bc84c5f2e89

Download Submit
C:\Windows\{916A0E24-4446-4685-8C6E-C32CB1054D48}.exe

Filesize
344KB

MD5
605755ae9210a30633d1ee3b271911bb

SHA1
176c445b4feb080220bf6b81c0e69186c4569115

SHA256
1fd7663eb146e5ae34497dd14db3e4eba38137beb0622fc6d6b2e7dc918c795b

SHA512
2b0fba4adf1acbaffb5aa6cd91540cb5bfeb1df8f603290fa332169282212e9efb589a5b1a8f250d1800487f0411d10c007362a798dca5fa317b9bda68492caa

Download Submit
C:\Windows\{97AA5A71-5CC5-4f26-BDB3-884611B6D2FF}.exe

Filesize
344KB

MD5
6805e04c0086909977b78ccde073812f

SHA1
dc1767757ecd0c338e41224cb595b5af0488d3ca

SHA256
5334b0c34d610d271c5e90b5a0fc7b8e4b1874aa2151d606b75d42b02af4e8b4

SHA512
9f1f658dbefb445fc3af47224037c83487bb5826921000d9b530806e0bb7a789f7532d567c61deb90a500df82f1993377fdb1b79ac87b3d58a4216a47d22982d

Download Submit
C:\Windows\{CC446478-F604-4c6f-88FB-DEF1F44E4328}.exe

Filesize
344KB

MD5
c6be11b338c95347fcf64bf6ee272a9c

SHA1
d9afa8710469d10413eea248353dcf0c91cb5456

SHA256
7ef84bd7058682f334c574ef5692a217259b79da8168c6bf31ee1bd1a9502854

SHA512
c4a91edf79836fabc8db5ad77733f1b2f286d449caf5aa9f2cf09514ce2a0bd0a2a280411f51026603589df885bde710b4b13e72c12cea9d12eec0812c56248d

Download Submit
C:\Windows\{CD3BC57C-668D-4239-AE84-F8E8A929E914}.exe

Filesize
344KB

MD5
e0dfa4bb2171596ff9440a62fd14b06a

SHA1
914836173e233e9116bfa2940ef57ebb38f13fd4

SHA256
f8e92bf0bf98af81710ed54b77cb3e56960b1803a6b4fa446ae91d3343511ce4

SHA512
e2342e78c2e1b7d7086f0f8b92ac23c820331883bb1129177436dcce73e1199f4aa93a74a2ddf9fbfa7ab4bdb3b990af2ff4b817b3058168e1ad24dcc4506d6d

Download Submit
C:\Windows\{DC77BF73-2415-4d86-BF1E-9EAF5015FA5E}.exe

Filesize
344KB

MD5
14ccad96d6a9a46833fa3e4185b238cd

SHA1
67e37c9a369f3e4305ae843286921e2154fa79fb

SHA256
9a8b57ff9d3be6d6cc1dd57ee13e697bb404fdf96d885aa194fdadcdaf8e4fe3

SHA512
cf13ad9a1753c0764b3c8c735d4a8d1d891a808d18d7ead3f437645e676061fb6cd614874460bacda0fe5b9c4397f2320dbb6243ccd1ca180a4bfe251a9564e1

Download Submit
C:\Windows\{EFAA472F-3B84-4c54-8306-9098636EB7CA}.exe

Filesize
344KB

MD5
a9007754c28d6d52322bebe6066f0845

SHA1
bbadeb75bd0f55b484c5f7dfe9ef5a06a10f5d1f

SHA256
4af6ce69f6eb1a0f9b0b36e83217698b14b233fbdd7b1aa4c07557927dc16c86

SHA512
f77c7936fd8c6684dd759846e3a0af826c2bab696fb034bcc1b01d1d55b0eb38beca770145655264deabf1e90181410901d02d477dbaffc66cf3831c0336464f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads