dffa8a852a149502c21389669097297446d341969440f91d20a5336c4785b45e

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Size

372KB
MD5

f22ee516851d8f5a79e947fdd7647631
SHA1

54abbbc72846a9ac3bcee35150741f766a6bf5f1
SHA256

dffa8a852a149502c21389669097297446d341969440f91d20a5336c4785b45e
SHA512

f204f09613191b4ef8aca3ff54d9645e9033e1451d3be5554fe93a8596b9d896cc878567436f490b9c29f5ca9b01acf7bd17bcaaa16131fa25915a95482850b1
SSDEEP

3072:CEGh0o8lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG+lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 10 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d24-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d84-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d24-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d89-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000001704f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d89-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001704f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d89-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000017090-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00020000000180e5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{411764F6-2819-439e-8E75-66B144E9D74F}	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{411764F6-2819-439e-8E75-66B144E9D74F}\stubpath = "C:\\Windows\\{411764F6-2819-439e-8E75-66B144E9D74F}.exe"	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D56D7960-BAD6-4262-8A40-7D6348846986}\stubpath = "C:\\Windows\\{D56D7960-BAD6-4262-8A40-7D6348846986}.exe"	{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}	{411764F6-2819-439e-8E75-66B144E9D74F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}\stubpath = "C:\\Windows\\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe"	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}\stubpath = "C:\\Windows\\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe"	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}\stubpath = "C:\\Windows\\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe"	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}	{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}\stubpath = "C:\\Windows\\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe"	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}\stubpath = "C:\\Windows\\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe"	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}\stubpath = "C:\\Windows\\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe"	{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}\stubpath = "C:\\Windows\\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe"	{411764F6-2819-439e-8E75-66B144E9D74F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}\stubpath = "C:\\Windows\\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe"	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D56D7960-BAD6-4262-8A40-7D6348846986}	{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe

Deletes itself 1 IoCs

pid	Process
1636	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe
2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe
1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
2852	{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
1624	{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe
3056	{D56D7960-BAD6-4262-8A40-7D6348846986}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{D56D7960-BAD6-4262-8A40-7D6348846986}.exe	{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe
File created	C:\Windows\{411764F6-2819-439e-8E75-66B144E9D74F}.exe	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
File created	C:\Windows\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
File created	C:\Windows\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe	{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
File created	C:\Windows\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
File created	C:\Windows\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
File created	C:\Windows\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
File created	C:\Windows\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	{411764F6-2819-439e-8E75-66B144E9D74F}.exe
File created	C:\Windows\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
File created	C:\Windows\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe
Token: SeIncBasePriorityPrivilege	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
Token: SeIncBasePriorityPrivilege	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe
Token: SeIncBasePriorityPrivilege	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
Token: SeIncBasePriorityPrivilege	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
Token: SeIncBasePriorityPrivilege	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
Token: SeIncBasePriorityPrivilege	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
Token: SeIncBasePriorityPrivilege	2852	{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
Token: SeIncBasePriorityPrivilege	1624	{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1316	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	30
PID 2336 wrote to memory of 1316	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	30
PID 2336 wrote to memory of 1316	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	30
PID 2336 wrote to memory of 1316	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	30
PID 2336 wrote to memory of 1636	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	31
PID 2336 wrote to memory of 1636	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	31
PID 2336 wrote to memory of 1636	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	31
PID 2336 wrote to memory of 1636	2336	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	31
PID 1316 wrote to memory of 2324	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	32
PID 1316 wrote to memory of 2324	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	32
PID 1316 wrote to memory of 2324	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	32
PID 1316 wrote to memory of 2324	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	32
PID 1316 wrote to memory of 1992	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	33
PID 1316 wrote to memory of 1992	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	33
PID 1316 wrote to memory of 1992	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	33
PID 1316 wrote to memory of 1992	1316	{411764F6-2819-439e-8E75-66B144E9D74F}.exe	33
PID 2324 wrote to memory of 572	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	34
PID 2324 wrote to memory of 572	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	34
PID 2324 wrote to memory of 572	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	34
PID 2324 wrote to memory of 572	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	34
PID 2324 wrote to memory of 464	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	35
PID 2324 wrote to memory of 464	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	35
PID 2324 wrote to memory of 464	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	35
PID 2324 wrote to memory of 464	2324	{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe	35
PID 572 wrote to memory of 1752	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	36
PID 572 wrote to memory of 1752	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	36
PID 572 wrote to memory of 1752	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	36
PID 572 wrote to memory of 1752	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	36
PID 572 wrote to memory of 2412	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	37
PID 572 wrote to memory of 2412	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	37
PID 572 wrote to memory of 2412	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	37
PID 572 wrote to memory of 2412	572	{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe	37
PID 1752 wrote to memory of 364	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	38
PID 1752 wrote to memory of 364	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	38
PID 1752 wrote to memory of 364	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	38
PID 1752 wrote to memory of 364	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	38
PID 1752 wrote to memory of 2672	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	39
PID 1752 wrote to memory of 2672	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	39
PID 1752 wrote to memory of 2672	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	39
PID 1752 wrote to memory of 2672	1752	{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe	39
PID 364 wrote to memory of 1332	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	40
PID 364 wrote to memory of 1332	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	40
PID 364 wrote to memory of 1332	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	40
PID 364 wrote to memory of 1332	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	40
PID 364 wrote to memory of 2872	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	41
PID 364 wrote to memory of 2872	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	41
PID 364 wrote to memory of 2872	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	41
PID 364 wrote to memory of 2872	364	{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe	41
PID 1332 wrote to memory of 2548	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	42
PID 1332 wrote to memory of 2548	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	42
PID 1332 wrote to memory of 2548	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	42
PID 1332 wrote to memory of 2548	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	42
PID 1332 wrote to memory of 2636	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	43
PID 1332 wrote to memory of 2636	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	43
PID 1332 wrote to memory of 2636	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	43
PID 1332 wrote to memory of 2636	1332	{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe	43
PID 2548 wrote to memory of 2852	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	44
PID 2548 wrote to memory of 2852	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	44
PID 2548 wrote to memory of 2852	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	44
PID 2548 wrote to memory of 2852	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	44
PID 2548 wrote to memory of 1352	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	45
PID 2548 wrote to memory of 1352	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	45
PID 2548 wrote to memory of 1352	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	45
PID 2548 wrote to memory of 1352	2548	{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{411764F6-2819-439e-8E75-66B144E9D74F}.exe
  C:\Windows\{411764F6-2819-439e-8E75-66B144E9D74F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
    C:\Windows\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe
      C:\Windows\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
        
        C:\Windows\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
        
        C:\Windows\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
        
        C:\Windows\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
        
        C:\Windows\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
        
        C:\Windows\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe
        
        C:\Windows\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{D56D7960-BAD6-4262-8A40-7D6348846986}.exe
        
        C:\Windows\{D56D7960-BAD6-4262-8A40-7D6348846986}.exe
        11⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AF67~1.EXE > nul
        11⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB1E~1.EXE > nul
        10⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86DB3~1.EXE > nul
        9⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B55~1.EXE > nul
        8⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82B5D~1.EXE > nul
        7⤵
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30E83~1.EXE > nul
        6⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9904C~1.EXE > nul
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2FB0~1.EXE > nul
      4⤵
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41176~1.EXE > nul
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30E83E59-4AAE-4e08-B939-50A41DA1B16D}.exe

Filesize
372KB

MD5
7849ddefb3118a7d281b72a130c55721

SHA1
3e4e0fcdcc6c8cf1deb11093dfe17993338337bf

SHA256
60fb0d92333acc6b4c07e2e529c2a07737731e8e40c1bc4da89b4a7979b3223c

SHA512
eadc96cbba36cf03115f7bb0892ac8759ae289877d7eeeb885d06169ed549e53040fd46d46467b1ca112375ce7164026a17376c3598984b6d3e054c515734169

Download Submit
C:\Windows\{411764F6-2819-439e-8E75-66B144E9D74F}.exe

Filesize
372KB

MD5
7646f5918e5b89f4c9f345c62086e34e

SHA1
57eb72bae520e0fbe43c221764628ff01d81310c

SHA256
4109379d306c3d46ec5ef381f31aaf7e10e56778fea863bf1df323ce76d91638

SHA512
7a1c1fe9c1ae872a606d1a62b76f8b513413997227b7e3539817450beb80c815dbecb0dfb084cc479da5337c457b5d1c6989627cca95ea075171d8f19da1f026

Download Submit
C:\Windows\{7AF6770A-D818-4e26-899F-1FBD0D20D4CA}.exe

Filesize
372KB

MD5
134e214e6ab3f2b2ac1dd347105e10dc

SHA1
ec147130f1d1e68975a1d5bd616006af90934ec4

SHA256
8fe1ec83330b4bccbbeb05149f7bc7c8c942c17f2ef8b15ef5443bab0141222e

SHA512
bfd3242e069ae22eca5950f276241c141e26e58951644974286f161cf1b794e74d5e51c8611cdbafc461f777e9da882bcc29402f3d1742788a1c3958490b0493

Download Submit
C:\Windows\{82B5D2C7-BFB0-4df5-AB9B-B54CE1DABE56}.exe

Filesize
372KB

MD5
23eba60ff8ab58d90a2a42690768b307

SHA1
0eb70f6caf9881dfc1c9a85081b406521c924820

SHA256
2a29ed8437c7b363a38c51c3af746ae6691cdf1bf81d64b74350f0a39bb6e817

SHA512
589276ab7bb30c53606fb8627cde8cf1e17f3aa3a6a6ae62fc5b57d0ca70e32930c7e73aa2826eb10f393089e7e4d8d1480d23fd1c3a646aa1d15d5e44bb9ead

Download Submit
C:\Windows\{86DB3AE2-5563-4b8d-91D7-456433BEDAFF}.exe

Filesize
372KB

MD5
16e79c4d011f9a100be0fa3fed7d5533

SHA1
ecf4ca790b3dab12711c92e66db78afe8fb0133d

SHA256
efdde3276d0d92f47ebdfff50db8d6e6ea4e5bff789ffd3aa4a0ce7130ff846f

SHA512
8f65ae0f8263b00d55da6aaf581deaa8909585185ac0156cbb81d5b545053d0d5279ccfd4c969e95c13acafe3eba76eda662237208049f19cb8c0c44d425f885

Download Submit
C:\Windows\{94B55314-5794-40c3-B7EE-7BBE6FF30DE6}.exe

Filesize
372KB

MD5
8e583b0db62ad11a5727627a58c21594

SHA1
b7b200b0fec9f609bf0b1de821ff07ff254a4147

SHA256
788356d9c97f9cf40c7639f4aa23dd596ec4140c86840d756a5ded2eee403d64

SHA512
5631c669ae72cf26fb2a8389abf568fafb239b67de35c70c25e1b611863a18ff79b310c10543bf40bc609652a63a3d68f799529c9d58b0b66ea4fca96f9d1e0e

Download Submit
C:\Windows\{9904C832-8EEE-4c3c-8DF5-C1F3596D042E}.exe

Filesize
372KB

MD5
25bd7721159ab2a84259887f016c14ba

SHA1
83562344842a7cfdf3c29faa64369b89ae8512ee

SHA256
17a76e32e1ad18d9a4935f0f36e340b636c60bafb1e53cf2897be3a28c9b84dc

SHA512
dea373b3554fc0393efd1829de643999b417e645a4cfa04f02ffb15ac86f53ecab197755668182ce5d73e9da08eb4765a6e4c473910d68b74cfb141d317c1b6b

Download Submit
C:\Windows\{A2FB0FA6-25AE-4c63-ACFC-E1B001D52C36}.exe

Filesize
372KB

MD5
c8b902b264090e55ba3f791ff5a3a1c1

SHA1
18701a81b0c2bf962d121b2647f6da6ae9e37751

SHA256
194c47a4e251e931a87e577be286536ae93d919ac1179d3b8813eadebfe42852

SHA512
dad81c6c3e3d5c4372643cf003c231afc705f2f0e2b5d686453a4402e99c7370544de69c80668f25359bbeefb80fbf12e0382048b8ce493589cb57c9b33d7352

Download Submit
C:\Windows\{BCB1EE8E-6807-4146-89A4-C229DFFC2E18}.exe

Filesize
372KB

MD5
99b151177701f799edddc332d724ff72

SHA1
7644b6c64e0cca0c6ce8eae9038df574ff45a10e

SHA256
2913df303a4f94b456d0ec65ca9b1ce57edbc8f05874d0b15dad8b3a512a54ac

SHA512
ee0434891556c9c3bab832068c1dcc1f39ae12956a85c39430afa91a951d05c5befd1a5cf11e97e0c714d62f68a67b6e7775346e17dfdd5fcf5789ff65407624

Download Submit
C:\Windows\{D56D7960-BAD6-4262-8A40-7D6348846986}.exe

Filesize
372KB

MD5
96e64fd199899bcd3ec3df7514193b99

SHA1
98a357290a53df254b72be8041f6a81fc1bb128f

SHA256
2679d9417cdee1436601f58aff8bb7fc505456ed4de8ac677226b2ac13bd8bed

SHA512
914331753d45814f601e4b72a1e485c3839533795fbd7ae6449a4e65367b29466de3f2403c1727e6040a7ad221639de10db65078f726f0dba191217e8c754f00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads