cfd524b74cc4f3555c4e60b5d78955a4cc6ad58e18a772c2cc37e73cf300dda5

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Size

408KB
MD5

29d8381dd394bae97612e5952247a9c2
SHA1

c901f5bfc226652591a8525578dd7c0086f29ecc
SHA256

cfd524b74cc4f3555c4e60b5d78955a4cc6ad58e18a772c2cc37e73cf300dda5
SHA512

ead7d8ff3dabd4f76ce7755f5ef8356fa16f9c3ce5ebdde0fb2064d3a9de8d301d558015f7949bc065f814a5553dbcfa01d563a65f6edf8c5eacaf4b660c3748
SSDEEP

3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x002a000000015c3c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c7c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000015c3c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000015c3c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000015c3c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015c3c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}\stubpath = "C:\\Windows\\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe"	{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E102D98-CBB4-4322-AD91-AC5013619194}\stubpath = "C:\\Windows\\{3E102D98-CBB4-4322-AD91-AC5013619194}.exe"	{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}\stubpath = "C:\\Windows\\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe"	{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}	{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}	{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}\stubpath = "C:\\Windows\\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe"	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{290F0446-AFCE-4272-BFBC-C9C32E592B93}\stubpath = "C:\\Windows\\{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe"	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB8FC973-D420-4846-B98D-457E633D5500}	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB8FC973-D420-4846-B98D-457E633D5500}\stubpath = "C:\\Windows\\{AB8FC973-D420-4846-B98D-457E633D5500}.exe"	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}\stubpath = "C:\\Windows\\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe"	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{471F030D-7278-4534-AE02-8EA679F35EAC}	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{471F030D-7278-4534-AE02-8EA679F35EAC}\stubpath = "C:\\Windows\\{471F030D-7278-4534-AE02-8EA679F35EAC}.exe"	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{290F0446-AFCE-4272-BFBC-C9C32E592B93}	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2723EC-60D2-4a84-90AC-41ABE831095E}	{AB8FC973-D420-4846-B98D-457E633D5500}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2723EC-60D2-4a84-90AC-41ABE831095E}\stubpath = "C:\\Windows\\{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe"	{AB8FC973-D420-4846-B98D-457E633D5500}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}\stubpath = "C:\\Windows\\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe"	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}\stubpath = "C:\\Windows\\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe"	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E102D98-CBB4-4322-AD91-AC5013619194}	{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe
2100	{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
1516	{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
2260	{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe
1784	{3E102D98-CBB4-4322-AD91-AC5013619194}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe	{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
File created	C:\Windows\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe	{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
File created	C:\Windows\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
File created	C:\Windows\{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
File created	C:\Windows\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
File created	C:\Windows\{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
File created	C:\Windows\{AB8FC973-D420-4846-B98D-457E633D5500}.exe	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
File created	C:\Windows\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
File created	C:\Windows\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
File created	C:\Windows\{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe	{AB8FC973-D420-4846-B98D-457E633D5500}.exe
File created	C:\Windows\{3E102D98-CBB4-4322-AD91-AC5013619194}.exe	{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
Token: SeIncBasePriorityPrivilege	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
Token: SeIncBasePriorityPrivilege	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
Token: SeIncBasePriorityPrivilege	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
Token: SeIncBasePriorityPrivilege	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
Token: SeIncBasePriorityPrivilege	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
Token: SeIncBasePriorityPrivilege	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe
Token: SeIncBasePriorityPrivilege	2100	{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
Token: SeIncBasePriorityPrivilege	1516	{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
Token: SeIncBasePriorityPrivilege	2260	{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2700	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	28
PID 2872 wrote to memory of 2700	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	28
PID 2872 wrote to memory of 2700	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	28
PID 2872 wrote to memory of 2700	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	28
PID 2872 wrote to memory of 2920	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	29
PID 2872 wrote to memory of 2920	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	29
PID 2872 wrote to memory of 2920	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	29
PID 2872 wrote to memory of 2920	2872	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	29
PID 2700 wrote to memory of 3048	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	32
PID 2700 wrote to memory of 3048	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	32
PID 2700 wrote to memory of 3048	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	32
PID 2700 wrote to memory of 3048	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	32
PID 2700 wrote to memory of 2460	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	33
PID 2700 wrote to memory of 2460	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	33
PID 2700 wrote to memory of 2460	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	33
PID 2700 wrote to memory of 2460	2700	{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe	33
PID 3048 wrote to memory of 2388	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	34
PID 3048 wrote to memory of 2388	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	34
PID 3048 wrote to memory of 2388	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	34
PID 3048 wrote to memory of 2388	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	34
PID 3048 wrote to memory of 2424	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	35
PID 3048 wrote to memory of 2424	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	35
PID 3048 wrote to memory of 2424	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	35
PID 3048 wrote to memory of 2424	3048	{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe	35
PID 2388 wrote to memory of 2800	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	36
PID 2388 wrote to memory of 2800	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	36
PID 2388 wrote to memory of 2800	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	36
PID 2388 wrote to memory of 2800	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	36
PID 2388 wrote to memory of 1016	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	37
PID 2388 wrote to memory of 1016	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	37
PID 2388 wrote to memory of 1016	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	37
PID 2388 wrote to memory of 1016	2388	{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe	37
PID 2800 wrote to memory of 792	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	38
PID 2800 wrote to memory of 792	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	38
PID 2800 wrote to memory of 792	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	38
PID 2800 wrote to memory of 792	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	38
PID 2800 wrote to memory of 1856	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	39
PID 2800 wrote to memory of 1856	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	39
PID 2800 wrote to memory of 1856	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	39
PID 2800 wrote to memory of 1856	2800	{471F030D-7278-4534-AE02-8EA679F35EAC}.exe	39
PID 792 wrote to memory of 2672	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	40
PID 792 wrote to memory of 2672	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	40
PID 792 wrote to memory of 2672	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	40
PID 792 wrote to memory of 2672	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	40
PID 792 wrote to memory of 2696	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	41
PID 792 wrote to memory of 2696	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	41
PID 792 wrote to memory of 2696	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	41
PID 792 wrote to memory of 2696	792	{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe	41
PID 2672 wrote to memory of 1804	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	42
PID 2672 wrote to memory of 1804	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	42
PID 2672 wrote to memory of 1804	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	42
PID 2672 wrote to memory of 1804	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	42
PID 2672 wrote to memory of 2300	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	43
PID 2672 wrote to memory of 2300	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	43
PID 2672 wrote to memory of 2300	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	43
PID 2672 wrote to memory of 2300	2672	{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe	43
PID 1804 wrote to memory of 2100	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	44
PID 1804 wrote to memory of 2100	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	44
PID 1804 wrote to memory of 2100	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	44
PID 1804 wrote to memory of 2100	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	44
PID 1804 wrote to memory of 2144	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	45
PID 1804 wrote to memory of 2144	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	45
PID 1804 wrote to memory of 2144	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	45
PID 1804 wrote to memory of 2144	1804	{AB8FC973-D420-4846-B98D-457E633D5500}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
  C:\Windows\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
    C:\Windows\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
      C:\Windows\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
        
        C:\Windows\{471F030D-7278-4534-AE02-8EA679F35EAC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
        
        C:\Windows\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
        
        C:\Windows\{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{AB8FC973-D420-4846-B98D-457E633D5500}.exe
        
        C:\Windows\{AB8FC973-D420-4846-B98D-457E633D5500}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
        
        C:\Windows\{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
        
        C:\Windows\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe
        
        C:\Windows\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{3E102D98-CBB4-4322-AD91-AC5013619194}.exe
        
        C:\Windows\{3E102D98-CBB4-4322-AD91-AC5013619194}.exe
        12⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FECB~1.EXE > nul
        12⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCEAC~1.EXE > nul
        11⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D272~1.EXE > nul
        10⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB8FC~1.EXE > nul
        9⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{290F0~1.EXE > nul
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C45BA~1.EXE > nul
        7⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{471F0~1.EXE > nul
        6⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB48C~1.EXE > nul
        5⤵
        
        PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA26~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E2F~1.EXE > nul
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{290F0446-AFCE-4272-BFBC-C9C32E592B93}.exe

Filesize
408KB

MD5
e7e18e90226f319cd9d16178f21d2fd9

SHA1
bbb80003154171c7b93279ed73545592a84aea52

SHA256
4d267979a3bc7f4831878567d6ec7b0fd1ea21718a4a2a812e0bfbf34824a59f

SHA512
6109f46e7aeb6070197ed574f914172e36b48d3f196c55ad2de9896ab448423e8d695b93bcbd39307344026416b74d30b9d758d1ca89d5b3b4d5354c3e9af089

Download Submit
C:\Windows\{3E102D98-CBB4-4322-AD91-AC5013619194}.exe

Filesize
408KB

MD5
d1e3e7c83cbe9cb082a736784c013451

SHA1
c9881ea8d28214ac534d9201a5e8232493f27294

SHA256
c98b91d04749f9780a6b8ea79cc0db2e33dce305c3a5019fb3b26a448a21d304

SHA512
b9d6ee6723e2789a9b368c8618c0910e8872c6e03f1116771812641c1e9ca1ef24294171209101994fb746cecb66e7138ccf73c869793888144cde1384f89f4d

Download Submit
C:\Windows\{471F030D-7278-4534-AE02-8EA679F35EAC}.exe

Filesize
408KB

MD5
aa881cdec04e42821e377b19bb2b088f

SHA1
d783bfe28c71660168153a245ad321595adc6fe5

SHA256
17a8ec036d2a03a18f26f05266e35fe2a9c11ae33e0213d19b979a86cd7e7959

SHA512
0a08a3dd852459f9a3cdc90ae2ba88fceace5c7947fcca68492b25e1703776decf3ffac61d5c3e2b0bb2b5cd3f08e138c11fd9b3784ff4272360a1ef683ff321

Download Submit
C:\Windows\{5D2723EC-60D2-4a84-90AC-41ABE831095E}.exe

Filesize
408KB

MD5
2514278bfc6ddd444f389e1ce7a5f243

SHA1
56f9ab1df9a68f317ccf0a0a9a8fd499b806bb9d

SHA256
18d40f4eeb645dd1c495eab4ad9c63e248c37d16c1aa90193b3d4897b5efc95f

SHA512
1c9b103ca60f5b2a6ec20cec947cf70ca825fb83f1ace837cde0188bc1c0c5b052a0bd0643611ec6fe2e2d3f812982ae4382e7f001b660dc1decfa3388079a1c

Download Submit
C:\Windows\{8FECBFBD-FF3A-4479-9DF5-86E40DB50162}.exe

Filesize
408KB

MD5
81eeb30f46a96b7d4c6b19068dee3d74

SHA1
bdb9e27f2096d42f4954010ca50fefaff72c8d1d

SHA256
3798bb0011cbf4016f0ff8c8f058f825a1f5b92d8534ab240ba3d31247d83eaa

SHA512
668a2546a57203a2b8632ffa325c7df36b28ba31676710614b8311d8657e39996fee9f8db13d3b58ca170676da2cea2eb5fbf4535ae1c34a214691a71eb93b86

Download Submit
C:\Windows\{AB8FC973-D420-4846-B98D-457E633D5500}.exe

Filesize
408KB

MD5
8d6bb23f6505bfe2bf86737001747194

SHA1
4412685d4d9a59092ddd812d178727b3bd6a253d

SHA256
bff21c49c0547d928c8f6be04487244c1e32861300ed0ab403b90790763024e0

SHA512
f41b2e0c4556181e2c3d5c17cd15ef30f3f685d5faeba8b200c552bd6f12096763edb74aff2c7d1745687e43267d5fe18fef58b91633ffcd2848d57f0a30ddf3

Download Submit
C:\Windows\{C45BA7CD-69A2-412e-800B-FE593AD34FBB}.exe

Filesize
408KB

MD5
c34bd8dcc2e3a16785acfbf2c860c4cd

SHA1
c8329624348ab127c0e4107049e37b55b3242a79

SHA256
c77e27506e6edf837bb76007dc39ae2e6f3717e29540a7d743a464d5e30dfb4d

SHA512
b51cdd8be2f07c804e78123f0d424a43977cb9c91772ce326ac27813eda8a3636ca4bac50bbe73f2a46ec2442e628d1e883a18a4a1c3d990d588606a62db177e

Download Submit
C:\Windows\{CB48C4D8-1267-4aa5-A018-176D3033F7BE}.exe

Filesize
408KB

MD5
a8c786a34ec18d384174b4f9357a397f

SHA1
14dcaa164b99d5dd36aa5a40bb34f7e188fe714c

SHA256
87960802566d7078efbe1516b8af5733dedbaf92c03a293d40592eb8b4d5c819

SHA512
d187a8c72d2760339e4ca48d18488bb19e9f1f8c82214c830899abe96522d411627412f695848ff5ae9455b9fd18010456e083ca10dac1112864a5b4a7f76176

Download Submit
C:\Windows\{CCEACD49-FDE8-4bb8-A7FB-8DAEA07B92C2}.exe

Filesize
408KB

MD5
3d52b07509cd2a61670db84d16925bf9

SHA1
854cfd96dc4f04de70ae1cd09d47253829eba0ed

SHA256
c6a962c0dcb67111ecaee092b9ee524b5ba962fa1e4c870611f6ba3676794b9b

SHA512
46fde29eca47a52783c8cca2bb35cc27d4a3b8d02a607c6bba90a7f7339a7826cb6b77845cea425797e510dca9d3a08de78eb846e2695dd7914a271ff145641a

Download Submit
C:\Windows\{CEA26A84-5B8F-4595-8540-C7ED71B9CE89}.exe

Filesize
408KB

MD5
a6afb7f53488a0dbfaa5976426d30045

SHA1
1d85df31a855e66fc95107c6a92f2a088abeae4c

SHA256
f058d11ebc221a5223c44c74671e18414a39c938005d6a9b87bc86f88c02e250

SHA512
7baa125af6dc211ed7fefbd8f26f637b514d9a8a0eca82de967c9bdf207c95433e35c3751ae012f49a90b6281f9c3fb47c5eff88f3a9be0ea5a63afa92db04f3

Download Submit
C:\Windows\{E7E2F836-F05C-446a-AFA8-40806EC87F6F}.exe

Filesize
408KB

MD5
78663571c402800faa6782ed1932014f

SHA1
e09cc8e4bfb14721196d6fb2c353fa5e8f7b8d59

SHA256
164246b64be2c8f84389b4d3cd62fc6baa445739b1771cd0737e80f5ddad04f7

SHA512
e360e51a257e2ff0cb6739285d4ac9ccf06beecaa701b4a699a0499ab71c3cc745073e226ed66aff96a53bd06a13ece0c3459db7e4359b04219a9e41b7df6c16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads