8bb837bbc5d61a4c38a010aff25bafb0baac7591b06c1153c95f76953dac3107

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Size

180KB
MD5

304f6243f273291c82db85cd5d0f14bc
SHA1

109d742fdae1c6d5955d6c0ecea24d1d23998411
SHA256

8bb837bbc5d61a4c38a010aff25bafb0baac7591b06c1153c95f76953dac3107
SHA512

2144a90fd6fc63afefe7e20a85dd8e851ece6cd4b652ab5e695ec1f109a7f5245e106ca93bfee97dd7294357de4539f43e7139d16554a7cca839547a8a039fd6
SSDEEP

3072:jEGh0oTlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014f71-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001567f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014f71-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015be6-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015cba-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015cd5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015ce1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015ceb-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}\stubpath = "C:\\Windows\\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe"	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5F39CD5-C207-41b0-913E-840440D3A557}\stubpath = "C:\\Windows\\{E5F39CD5-C207-41b0-913E-840440D3A557}.exe"	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E99392-BC71-4bc9-925C-EE420DD30499}\stubpath = "C:\\Windows\\{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe"	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5F39CD5-C207-41b0-913E-840440D3A557}	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9292917F-08C5-4fc9-A537-1ECADF000D8F}\stubpath = "C:\\Windows\\{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe"	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}	{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}	{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}\stubpath = "C:\\Windows\\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe"	{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}\stubpath = "C:\\Windows\\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe"	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}\stubpath = "C:\\Windows\\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe"	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86951F70-56CF-4646-AACA-95C92E2AEC5F}	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}\stubpath = "C:\\Windows\\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe"	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E99392-BC71-4bc9-925C-EE420DD30499}	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}\stubpath = "C:\\Windows\\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe"	{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89AC00B2-A69D-4620-BECE-0B1706D8251A}	{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89AC00B2-A69D-4620-BECE-0B1706D8251A}\stubpath = "C:\\Windows\\{89AC00B2-A69D-4620-BECE-0B1706D8251A}.exe"	{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9292917F-08C5-4fc9-A537-1ECADF000D8F}	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86951F70-56CF-4646-AACA-95C92E2AEC5F}\stubpath = "C:\\Windows\\{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe"	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe
2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe
308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
540	{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
2296	{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
2412	{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe
780	{89AC00B2-A69D-4620-BECE-0B1706D8251A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe
File created	C:\Windows\{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
File created	C:\Windows\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe	{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
File created	C:\Windows\{89AC00B2-A69D-4620-BECE-0B1706D8251A}.exe	{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe
File created	C:\Windows\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
File created	C:\Windows\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
File created	C:\Windows\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
File created	C:\Windows\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe	{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
File created	C:\Windows\{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
File created	C:\Windows\{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
File created	C:\Windows\{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
Token: SeIncBasePriorityPrivilege	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
Token: SeIncBasePriorityPrivilege	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
Token: SeIncBasePriorityPrivilege	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
Token: SeIncBasePriorityPrivilege	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe
Token: SeIncBasePriorityPrivilege	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe
Token: SeIncBasePriorityPrivilege	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
Token: SeIncBasePriorityPrivilege	540	{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
Token: SeIncBasePriorityPrivilege	2296	{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
Token: SeIncBasePriorityPrivilege	2412	{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1300	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	28
PID 2756 wrote to memory of 1300	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	28
PID 2756 wrote to memory of 1300	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	28
PID 2756 wrote to memory of 1300	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	28
PID 2756 wrote to memory of 2524	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	29
PID 2756 wrote to memory of 2524	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	29
PID 2756 wrote to memory of 2524	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	29
PID 2756 wrote to memory of 2524	2756	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	29
PID 1300 wrote to memory of 2836	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	30
PID 1300 wrote to memory of 2836	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	30
PID 1300 wrote to memory of 2836	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	30
PID 1300 wrote to memory of 2836	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	30
PID 1300 wrote to memory of 2832	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	31
PID 1300 wrote to memory of 2832	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	31
PID 1300 wrote to memory of 2832	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	31
PID 1300 wrote to memory of 2832	1300	{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe	31
PID 2836 wrote to memory of 2468	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	32
PID 2836 wrote to memory of 2468	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	32
PID 2836 wrote to memory of 2468	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	32
PID 2836 wrote to memory of 2468	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	32
PID 2836 wrote to memory of 2520	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	33
PID 2836 wrote to memory of 2520	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	33
PID 2836 wrote to memory of 2520	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	33
PID 2836 wrote to memory of 2520	2836	{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe	33
PID 2468 wrote to memory of 2288	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	36
PID 2468 wrote to memory of 2288	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	36
PID 2468 wrote to memory of 2288	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	36
PID 2468 wrote to memory of 2288	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	36
PID 2468 wrote to memory of 1628	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	37
PID 2468 wrote to memory of 1628	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	37
PID 2468 wrote to memory of 1628	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	37
PID 2468 wrote to memory of 1628	2468	{E5F39CD5-C207-41b0-913E-840440D3A557}.exe	37
PID 2288 wrote to memory of 2728	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	38
PID 2288 wrote to memory of 2728	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	38
PID 2288 wrote to memory of 2728	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	38
PID 2288 wrote to memory of 2728	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	38
PID 2288 wrote to memory of 2696	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	39
PID 2288 wrote to memory of 2696	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	39
PID 2288 wrote to memory of 2696	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	39
PID 2288 wrote to memory of 2696	2288	{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe	39
PID 2728 wrote to memory of 2160	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	40
PID 2728 wrote to memory of 2160	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	40
PID 2728 wrote to memory of 2160	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	40
PID 2728 wrote to memory of 2160	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	40
PID 2728 wrote to memory of 1996	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	41
PID 2728 wrote to memory of 1996	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	41
PID 2728 wrote to memory of 1996	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	41
PID 2728 wrote to memory of 1996	2728	{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe	41
PID 2160 wrote to memory of 308	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	42
PID 2160 wrote to memory of 308	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	42
PID 2160 wrote to memory of 308	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	42
PID 2160 wrote to memory of 308	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	42
PID 2160 wrote to memory of 2256	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	43
PID 2160 wrote to memory of 2256	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	43
PID 2160 wrote to memory of 2256	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	43
PID 2160 wrote to memory of 2256	2160	{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe	43
PID 308 wrote to memory of 540	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	44
PID 308 wrote to memory of 540	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	44
PID 308 wrote to memory of 540	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	44
PID 308 wrote to memory of 540	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	44
PID 308 wrote to memory of 2216	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	45
PID 308 wrote to memory of 2216	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	45
PID 308 wrote to memory of 2216	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	45
PID 308 wrote to memory of 2216	308	{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
  C:\Windows\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
    C:\Windows\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
      C:\Windows\{E5F39CD5-C207-41b0-913E-840440D3A557}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
        
        C:\Windows\{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe
        
        C:\Windows\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe
        
        C:\Windows\{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
        
        C:\Windows\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
        
        C:\Windows\{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
        
        C:\Windows\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe
        
        C:\Windows\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{89AC00B2-A69D-4620-BECE-0B1706D8251A}.exe
        
        C:\Windows\{89AC00B2-A69D-4620-BECE-0B1706D8251A}.exe
        12⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9036A~1.EXE > nul
        12⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68C49~1.EXE > nul
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E99~1.EXE > nul
        10⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7F00~1.EXE > nul
        9⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86951~1.EXE > nul
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B22AD~1.EXE > nul
        7⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92929~1.EXE > nul
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F39~1.EXE > nul
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FFB~1.EXE > nul
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A399~1.EXE > nul
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{68C49DE0-D6FA-4f22-824B-1A2DC9C1E046}.exe

Filesize
180KB

MD5
7cd99811c99cc8b17125ca80b702ded0

SHA1
cb548c8fc1719d39494b140b8c87a41ae796e864

SHA256
f7de7d3387757581f668a16ebc719b12d1ffde7af6c0820b1b8005f2fc6fb32a

SHA512
79df247bec7438bf7e4f9ca43ff77a0f229e38282ca14eab337fa822c1954ba39a2f6f897ab53ac9024b46a084c242912c8ea472b44054460c0350689d99125f

Download Submit
C:\Windows\{86951F70-56CF-4646-AACA-95C92E2AEC5F}.exe

Filesize
180KB

MD5
4ecd7c1f0e33edece1363d302d49f1fa

SHA1
f11d95d687cf896a6d85881bc5b95f287aea18db

SHA256
6b5548c5bd449c98ab14776504ea40bbf11384664f3f35a45bd169b5d1a0e00a

SHA512
f28cb8cfebd8d0eea94bc3839e14b27a5d687e02ca81aacd23021e7af5468e308af50860323b15dd160c607151a08d461fda931a7d4ead6683852f7dc0363470

Download Submit
C:\Windows\{89AC00B2-A69D-4620-BECE-0B1706D8251A}.exe

Filesize
180KB

MD5
137009b25de2ed1f2e8bc278ee45ff3a

SHA1
72001e32cc663d72ef67ac63f7bd241d6b4c3c7a

SHA256
995008579bdb63c00764da801cee9c65673c33fbe7a8689b82e427a1fd3c227a

SHA512
b2d30c25e72fedf0e7afeddafc626672ff3cbbe6c7ec981c2829f646c11a7b21e9c3299bd9c4139809581ebd059bfac8a3254ae562633bd369c57d9d4226d4f7

Download Submit
C:\Windows\{9036A5BE-EF2E-4f7c-BA28-1873E38786B8}.exe

Filesize
180KB

MD5
baa91467089620f517aaef466c50d2a6

SHA1
aa9ab9ae377ce2eefce67a374fc7e7e1caafde03

SHA256
bf057fce8ecfc4fe6b9d415a1a61a725787f5a971af07fae7a10af53666a069f

SHA512
455b9c199f4383b20302a0176ce4485ad0d998e5b8afd7582ba2152a522b3c9f80151c00239c7a599821940a380427e994485b346053816c74ab1f5523defed8

Download Submit
C:\Windows\{9292917F-08C5-4fc9-A537-1ECADF000D8F}.exe

Filesize
180KB

MD5
0fc45c1bda23480fa36c45455f89ebb0

SHA1
b52b37ae8eda0545e0cfa8eabcf568af2f84852f

SHA256
404fbc991bb110da71bb79fdc0224124edc3494d02542bb7efa2bd627ea7c0d2

SHA512
b6219d846174a87cab5c7aeb6cbbaef332fa0ceb42205762e7245a103cf32c17b03b9896645df52b8ba5038e10ed331b4ee7bd8dc082f04b3ab4ebe43193cdaf

Download Submit
C:\Windows\{9A39959E-BA52-42f6-94B9-28DB19E17DDB}.exe

Filesize
180KB

MD5
a3279200a24de99fa3f20dbd98534dc9

SHA1
86fe84e075349a6c1a19a7861134044b7a527cd4

SHA256
9a3b10a6d2b3dbe7eced4534883d2185be7f91f1e25e7d60b5165471938b3f42

SHA512
c7c248101fe29cc34361d6c5fcf329d3696aa3e3d799a8a6d85a56df1cad964cbedfacde01f614ee2597920719ca9f18d6ec3904d67e89aaab50efae4195d8f6

Download Submit
C:\Windows\{B1FFB173-C3B9-4598-9C84-D68DFCA3F5D6}.exe

Filesize
180KB

MD5
c1c278f06c818a1f371d26705190c8df

SHA1
3fbda78e2e3f1548c2da021b9ac165545690de90

SHA256
15c15baa80ed53a35601db7207cbd55e9f9d3681033a3911793fcb4aa7733519

SHA512
d99f019257fc7d79974fdd4a7ee35b31ab150f7778d5a6ee4676147d19602551b4a21d7d2d3dc60e5a00be00715830391589e94bd247058141ec032b71cca58c

Download Submit
C:\Windows\{B22AD7D4-1165-4a12-952B-3AF40F3E50D8}.exe

Filesize
180KB

MD5
298a930edbd56c182c98d094067b5dd5

SHA1
53380a839d262cd7c7d0a7391b9155e8f9b7da6d

SHA256
8b29184f14754a77b13bcd0c0bc89a0bd5afa3bce6a40841d5c31de1184614ad

SHA512
e9ae5bbb3566a44d5407319b25177055e82e7fa3caa76bc6ae71621e3bded95ad1b9287db12f23f5490a91531a0df802c63b3c7cdd2a1f114bfae49fc675b007

Download Submit
C:\Windows\{D7F00BA3-945B-4b3e-BB2F-FEC681E24452}.exe

Filesize
180KB

MD5
f4d8c807eca6cfb723034b5c5531a67e

SHA1
775606ce395dc623c8f86ecccf4efeed12722119

SHA256
06a4f5f02b2fb67325b85c2438689927cd18912cbb2d4164f0ee276ab397bee9

SHA512
62d8bf878846badfe320fd41a1107997af1eb410f26e4ddddf128d5393d6768075284de27e72ea9a826efad767354f5ac6ada4530c46fb6374a119828bb5d3ca

Download Submit
C:\Windows\{E1E99392-BC71-4bc9-925C-EE420DD30499}.exe

Filesize
180KB

MD5
698cdca32d8bfa78400782ebb53fab67

SHA1
f918c09d4c7c6cd4464dab02154d241bf9c21b6a

SHA256
0737bccc94046644f3df66dadda635c01b523356ce41eda87ae24f3b2173a7fa

SHA512
f94d273cb09a53bb961ff18a3b7ceb91f99a83fd8d0b449a7ec2b84a2ff8b3f1c40e9d82f4a16b5532134d767bc45eb41a0f0cf7a2eb057d4b7587be8710b1c2

Download Submit
C:\Windows\{E5F39CD5-C207-41b0-913E-840440D3A557}.exe

Filesize
180KB

MD5
7c3c20219bdd9d33e091ca6cd3d7bb6f

SHA1
94cab16fa982a569ed24b07ade82b53554d27d11

SHA256
737031926bbc9a8579f9ada9c84dfd10c0891aa123a8d3eace7477182c151701

SHA512
4a61b06ad780f96259eca2eef7081a5d8cfca80dbde5ee837d5c62ff274e4008a7af502cd593920f5815cef4d49d2ed7bbce23d9c8203bd157bfe7168a52d6fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads