3e87290a8d66a8be344bb90c0c392dbbec2b280046ee18e87396b1e9b7a7f1e1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Size

372KB
MD5

26c7ed80110b0851401af812a404aded
SHA1

f02978ab210e8d6d799bcbbd1af7f716cb0de2ec
SHA256

3e87290a8d66a8be344bb90c0c392dbbec2b280046ee18e87396b1e9b7a7f1e1
SHA512

810e6768b9476e13e368667ace7a324f358b91af7dc72c96bae35bc0cbf356607077f2e06835189271191cb47aa87f748bc2055ba7a7a50ec2f5fffd9d9eb471
SSDEEP

3072:CEGh0oZlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGHlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000167ef-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016cab-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000167ef-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000167ef-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000167ef-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016cc9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016ce1-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016cc9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016cf5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432B1E46-0D28-4a02-9893-34251FE221DE}\stubpath = "C:\\Windows\\{432B1E46-0D28-4a02-9893-34251FE221DE}.exe"	{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC794A3C-3ADE-4bc3-A670-320832A011EE}\stubpath = "C:\\Windows\\{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe"	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218F2592-9331-4d21-8BE4-C12E1C90D718}\stubpath = "C:\\Windows\\{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe"	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{202AFFE2-8200-476c-ABB1-4D057ED40273}	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{202AFFE2-8200-476c-ABB1-4D057ED40273}\stubpath = "C:\\Windows\\{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe"	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}\stubpath = "C:\\Windows\\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe"	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432B1E46-0D28-4a02-9893-34251FE221DE}	{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}	{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}\stubpath = "C:\\Windows\\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}.exe"	{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218F2592-9331-4d21-8BE4-C12E1C90D718}	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8C0457-FDED-4bda-9B55-F8390033A539}\stubpath = "C:\\Windows\\{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe"	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}	{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}\stubpath = "C:\\Windows\\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe"	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}\stubpath = "C:\\Windows\\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe"	{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}\stubpath = "C:\\Windows\\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe"	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC794A3C-3ADE-4bc3-A670-320832A011EE}	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}\stubpath = "C:\\Windows\\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe"	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8C0457-FDED-4bda-9B55-F8390033A539}	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe
2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
2280	{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
2464	{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
2208	{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe
1788	{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe	{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
File created	C:\Windows\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
File created	C:\Windows\{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
File created	C:\Windows\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
File created	C:\Windows\{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
File created	C:\Windows\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
File created	C:\Windows\{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
File created	C:\Windows\{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe
File created	C:\Windows\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
File created	C:\Windows\{432B1E46-0D28-4a02-9893-34251FE221DE}.exe	{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
File created	C:\Windows\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}.exe	{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
Token: SeIncBasePriorityPrivilege	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
Token: SeIncBasePriorityPrivilege	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
Token: SeIncBasePriorityPrivilege	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe
Token: SeIncBasePriorityPrivilege	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
Token: SeIncBasePriorityPrivilege	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
Token: SeIncBasePriorityPrivilege	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
Token: SeIncBasePriorityPrivilege	2280	{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
Token: SeIncBasePriorityPrivilege	2464	{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
Token: SeIncBasePriorityPrivilege	2208	{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2080	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	28
PID 1848 wrote to memory of 2080	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	28
PID 1848 wrote to memory of 2080	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	28
PID 1848 wrote to memory of 2080	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	28
PID 1848 wrote to memory of 2508	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	29
PID 1848 wrote to memory of 2508	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	29
PID 1848 wrote to memory of 2508	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	29
PID 1848 wrote to memory of 2508	1848	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	29
PID 2080 wrote to memory of 2492	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	30
PID 2080 wrote to memory of 2492	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	30
PID 2080 wrote to memory of 2492	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	30
PID 2080 wrote to memory of 2492	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	30
PID 2080 wrote to memory of 2088	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	31
PID 2080 wrote to memory of 2088	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	31
PID 2080 wrote to memory of 2088	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	31
PID 2080 wrote to memory of 2088	2080	{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe	31
PID 2492 wrote to memory of 2836	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	32
PID 2492 wrote to memory of 2836	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	32
PID 2492 wrote to memory of 2836	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	32
PID 2492 wrote to memory of 2836	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	32
PID 2492 wrote to memory of 2408	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	33
PID 2492 wrote to memory of 2408	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	33
PID 2492 wrote to memory of 2408	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	33
PID 2492 wrote to memory of 2408	2492	{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe	33
PID 2836 wrote to memory of 472	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	36
PID 2836 wrote to memory of 472	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	36
PID 2836 wrote to memory of 472	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	36
PID 2836 wrote to memory of 472	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	36
PID 2836 wrote to memory of 856	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	37
PID 2836 wrote to memory of 856	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	37
PID 2836 wrote to memory of 856	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	37
PID 2836 wrote to memory of 856	2836	{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe	37
PID 472 wrote to memory of 2600	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	38
PID 472 wrote to memory of 2600	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	38
PID 472 wrote to memory of 2600	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	38
PID 472 wrote to memory of 2600	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	38
PID 472 wrote to memory of 1592	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	39
PID 472 wrote to memory of 1592	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	39
PID 472 wrote to memory of 1592	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	39
PID 472 wrote to memory of 1592	472	{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe	39
PID 2600 wrote to memory of 300	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	40
PID 2600 wrote to memory of 300	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	40
PID 2600 wrote to memory of 300	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	40
PID 2600 wrote to memory of 300	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	40
PID 2600 wrote to memory of 376	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	41
PID 2600 wrote to memory of 376	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	41
PID 2600 wrote to memory of 376	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	41
PID 2600 wrote to memory of 376	2600	{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe	41
PID 300 wrote to memory of 1556	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	42
PID 300 wrote to memory of 1556	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	42
PID 300 wrote to memory of 1556	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	42
PID 300 wrote to memory of 1556	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	42
PID 300 wrote to memory of 1612	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	43
PID 300 wrote to memory of 1612	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	43
PID 300 wrote to memory of 1612	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	43
PID 300 wrote to memory of 1612	300	{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe	43
PID 1556 wrote to memory of 2280	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	44
PID 1556 wrote to memory of 2280	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	44
PID 1556 wrote to memory of 2280	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	44
PID 1556 wrote to memory of 2280	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	44
PID 1556 wrote to memory of 1220	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	45
PID 1556 wrote to memory of 1220	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	45
PID 1556 wrote to memory of 1220	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	45
PID 1556 wrote to memory of 1220	1556	{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
  C:\Windows\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
    C:\Windows\{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
      C:\Windows\{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe
        
        C:\Windows\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\Windows\{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
        
        C:\Windows\{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
        
        C:\Windows\{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
        
        C:\Windows\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
        
        C:\Windows\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
        
        C:\Windows\{432B1E46-0D28-4a02-9893-34251FE221DE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe
        
        C:\Windows\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}.exe
        
        C:\Windows\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C463~1.EXE > nul
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{432B1~1.EXE > nul
        11⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E85A~1.EXE > nul
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2967~1.EXE > nul
        9⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{202AF~1.EXE > nul
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB8C0~1.EXE > nul
        7⤵
        
        PID:376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24070~1.EXE > nul
        6⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{218F2~1.EXE > nul
        5⤵
        
        PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC794~1.EXE > nul
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6F8C2~1.EXE > nul
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{202AFFE2-8200-476c-ABB1-4D057ED40273}.exe

Filesize
372KB

MD5
b9e9d463c3b954306fcf5a46691aa448

SHA1
e2db50bf5581c67b84a187936c8073e56ca4e462

SHA256
cb97f4d3098dae1791ac1e657f04d77e68d528453ea3f598c9f0e94df0780ad9

SHA512
38f1a6fc6bce5611db68a0d42a92bd729f67a4ce89a9d8d66a40e0ff891a376c8038ca7fa52d19278c453110843ac161f9ddea06a24021c4702bd314f5a8ad5b

Download Submit
C:\Windows\{218F2592-9331-4d21-8BE4-C12E1C90D718}.exe

Filesize
372KB

MD5
55875cf6d1f9ec7cd9a93af8b566ffb4

SHA1
3e5a5e76b505964274bf5337962bdcf868ad9a8b

SHA256
721ee75bb3e7ad3649760acf318f98009bf7cc27a9991e479f43ab81e04cd6ce

SHA512
252d7f321b23efebfed82d6469c31ae05ee6b5cda2798472b737f722eeaef51e8fbb7bc3dd53bcf10e51c44ea9f7b42016de26b953cb4f8ca5472f22377096df

Download Submit
C:\Windows\{2407022A-A8EC-4900-BE7F-C9AABFFDCB8E}.exe

Filesize
372KB

MD5
7e2d81eee930c074b8efd42dfa116571

SHA1
20e4c439c953d201aaa1b568dca8df5a3ca312e8

SHA256
df3c49fba7dbf9be39f572dfca31edc18e96ea7c094dd7611f2e642ee621720a

SHA512
d6ad0be70e1a4631d0a3108ca3902f79f0fd2fd77664ea8717a7c15a0df67936f3748a2ef3970631275c8c23072841d7896a703030366ab83cb23a1c8a13232b

Download Submit
C:\Windows\{2C463DD0-C2C3-4aeb-A83C-D47F207C44A4}.exe

Filesize
372KB

MD5
2547b5162518f91349ad408a19076792

SHA1
3c2e1e5c947770369ffd8361369b82ef0655efd2

SHA256
0e52a62f4d4162ba4e0dc71e4c1a80677d9e002caf07e075bf706b3e9e783490

SHA512
8245b0dca018d4fbb302b2f279213ed4e293a727b89d5bf2cd0be76dd54c4ede5ae51fba5cd3f0c53a402f4b35e940f2ebcc3903fd90f9b7dc073b6d4b853350

Download Submit
C:\Windows\{2E85AD08-A315-4268-8446-8FBFDCB03BE7}.exe

Filesize
372KB

MD5
5f59ced3315f263de9a18eeadee935ef

SHA1
2272d96b7d547b64a0ec8411a0dc1384a3130953

SHA256
da7cb7e6c8c1808fffea3031c15aceb40720e1ef3a051e321a32037374e65e3d

SHA512
3f868d2fb2fc6566e0d96788b0f60946ec2105a152c0551d5d9886ee5a21ccd0179cab2a79419b7aafd13baff6724960fac127646b274cd3ff468d14653b4686

Download Submit
C:\Windows\{432B1E46-0D28-4a02-9893-34251FE221DE}.exe

Filesize
372KB

MD5
a18f2f4f82243f9e08d45e1173d56e1a

SHA1
e6b15b98b1997b229a003e68b4e3bcc6877a6d24

SHA256
739a313a95748c57a32df01b0f84834fcb330d791799f070a3e1a74f37a945d0

SHA512
896eb9b915336106876eb4507a3ac149a3b7502c5ee2d3bb14445aaecd2c242bcdc67c8dbf621addedbe3945cd9c44c9476c49c9865200acac045819881db6cc

Download Submit
C:\Windows\{6E06F7BB-84CE-4a84-8C3B-B43A51EEB34A}.exe

Filesize
372KB

MD5
e5136db5d5104ca502e89d19bddc3a86

SHA1
fe9b5eda61fec078ba7fd3bd16a7f7ff6b6901b4

SHA256
5fb006ebdfc0182802e5daa5baea61fa686f7d1eee0f9d5119bf6bfd693707bb

SHA512
245d7f65c9af92a8180a4b8eae1de068918dca871d541fb142437a6f6dcfde8ccac31dad124b9dd40dde0d96d66df072b29cd25385f7e1aeb3b5a37cc4baf3b2

Download Submit
C:\Windows\{6F8C27A9-4986-44ae-ADF9-1E5A284ACFED}.exe

Filesize
372KB

MD5
3fe2a4e297f29a1501fe683b9af55c92

SHA1
eb37199b45b8cd8bda42c70dcece5318dd7986bd

SHA256
777efe5c3d9e67e656da17cf8a4d9c38870da95aae69745b5cf2377527fddf63

SHA512
f17b2ecba9a734f37cac841deeed507c1dc24791ecf4e617ddeecafc99f3b79aaef8349b64ec6e05c9d2a4143a5e396f59563c1b8b7ecf5ec691c45904e01970

Download Submit
C:\Windows\{B296771D-F8E5-49aa-82F0-F7C39D4B8622}.exe

Filesize
372KB

MD5
6076fce216354705cb46f268ef0c9d4f

SHA1
b6ce10ff6923e7346e9856b4119ca8608c1952fb

SHA256
0f3e54babce97698b2d7ee83f11b5b20a96f46629639bc86339fa4cf538be24e

SHA512
caf3ea0901a110ce67d696734ab58f5afe063a6fb261fe93b3ba98eb3503886cb735c1f39dae28fe023524af6de502d9b92f92af9eeb7a1dce2e413aea31f519

Download Submit
C:\Windows\{CB8C0457-FDED-4bda-9B55-F8390033A539}.exe

Filesize
372KB

MD5
ee6449870ca832b285cb36078d7ec969

SHA1
0c362078c4892270f59aac974ec846618d981690

SHA256
dba2291236d938cf9fdcc4aff05bc60be6ec64f36f07afa23a592fb36c272d9c

SHA512
e89cb0bb003cb792efed9fcf5ce3c5add47fb83942e381986b5b1e52d634241e7ff28d59ac1e701fe6cacb0cb22aae395d6365210ad8ee278e1366314fa99c57

Download Submit
C:\Windows\{FC794A3C-3ADE-4bc3-A670-320832A011EE}.exe

Filesize
372KB

MD5
aeb863da2e62a293d8fbf9f731a67339

SHA1
a503ef4f85bceba2b1812af9debcefe30598fb8a

SHA256
ab6900623ad714f7d32e2654242c5c9326f49ee3fed7f02d673223a6118794a8

SHA512
8ecb55583cdedbb63aba793186bf0683c5ce2af3d9f1e6a29d14982146396b14f09fc5f35fae6861cc0c490ee1afddcca617bccd362193117b9ed9ed01fa9f28

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads