be2325df00350a3ca985e49833f099cffbb3527c95ec6a564f44835c0018ce92

Analysis

max time kernel
125s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 06:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe
Size

204KB
MD5

36c3fd8810741a67b4fe2465faecc3d9
SHA1

d2a8ff007dc5934b1f24aac06b4b61291dd5ce1b
SHA256

be2325df00350a3ca985e49833f099cffbb3527c95ec6a564f44835c0018ce92
SHA512

7d6cf013eaafcd7200d977fc781c2a1398d08a4bd16b1f6f044d7771fd73980c28072553408abd23c4c067900b76670b143cc45d98b5edca5a94fa384b695f6b
SSDEEP

1536:1EGh0ozl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ozl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012120-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f00000001325f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000132f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E786C420-60BA-454b-A26A-8B9E9EDC5074}	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}\stubpath = "C:\\Windows\\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe"	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64011F2B-7B32-4900-AE66-58794626CAA1}	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64011F2B-7B32-4900-AE66-58794626CAA1}\stubpath = "C:\\Windows\\{64011F2B-7B32-4900-AE66-58794626CAA1}.exe"	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}\stubpath = "C:\\Windows\\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe"	{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}	{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488E1510-C70F-4d76-B928-752954E51FBD}	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488E1510-C70F-4d76-B928-752954E51FBD}\stubpath = "C:\\Windows\\{488E1510-C70F-4d76-B928-752954E51FBD}.exe"	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92407782-ABD2-4510-A3D3-6932BD1DC94D}\stubpath = "C:\\Windows\\{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe"	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E786C420-60BA-454b-A26A-8B9E9EDC5074}\stubpath = "C:\\Windows\\{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe"	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}\stubpath = "C:\\Windows\\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe"	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92407782-ABD2-4510-A3D3-6932BD1DC94D}	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}	{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}	{488E1510-C70F-4d76-B928-752954E51FBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}\stubpath = "C:\\Windows\\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe"	{488E1510-C70F-4d76-B928-752954E51FBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}\stubpath = "C:\\Windows\\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe"	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}\stubpath = "C:\\Windows\\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}.exe"	{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe
2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
2044	{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
2984	{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe
1928	{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{488E1510-C70F-4d76-B928-752954E51FBD}.exe	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe
File created	C:\Windows\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	{488E1510-C70F-4d76-B928-752954E51FBD}.exe
File created	C:\Windows\{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
File created	C:\Windows\{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
File created	C:\Windows\{64011F2B-7B32-4900-AE66-58794626CAA1}.exe	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
File created	C:\Windows\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
File created	C:\Windows\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
File created	C:\Windows\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
File created	C:\Windows\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe	{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
File created	C:\Windows\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}.exe	{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe
Token: SeIncBasePriorityPrivilege	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
Token: SeIncBasePriorityPrivilege	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
Token: SeIncBasePriorityPrivilege	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
Token: SeIncBasePriorityPrivilege	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
Token: SeIncBasePriorityPrivilege	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
Token: SeIncBasePriorityPrivilege	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
Token: SeIncBasePriorityPrivilege	2044	{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
Token: SeIncBasePriorityPrivilege	2984	{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2772	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	28
PID 1008 wrote to memory of 2772	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	28
PID 1008 wrote to memory of 2772	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	28
PID 1008 wrote to memory of 2772	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	28
PID 1008 wrote to memory of 3064	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	29
PID 1008 wrote to memory of 3064	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	29
PID 1008 wrote to memory of 3064	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	29
PID 1008 wrote to memory of 3064	1008	2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe	29
PID 2772 wrote to memory of 2216	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	30
PID 2772 wrote to memory of 2216	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	30
PID 2772 wrote to memory of 2216	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	30
PID 2772 wrote to memory of 2216	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	30
PID 2772 wrote to memory of 2688	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	31
PID 2772 wrote to memory of 2688	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	31
PID 2772 wrote to memory of 2688	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	31
PID 2772 wrote to memory of 2688	2772	{488E1510-C70F-4d76-B928-752954E51FBD}.exe	31
PID 2216 wrote to memory of 2856	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	32
PID 2216 wrote to memory of 2856	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	32
PID 2216 wrote to memory of 2856	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	32
PID 2216 wrote to memory of 2856	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	32
PID 2216 wrote to memory of 2684	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	33
PID 2216 wrote to memory of 2684	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	33
PID 2216 wrote to memory of 2684	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	33
PID 2216 wrote to memory of 2684	2216	{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe	33
PID 2856 wrote to memory of 2996	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	36
PID 2856 wrote to memory of 2996	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	36
PID 2856 wrote to memory of 2996	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	36
PID 2856 wrote to memory of 2996	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	36
PID 2856 wrote to memory of 1256	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	37
PID 2856 wrote to memory of 1256	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	37
PID 2856 wrote to memory of 1256	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	37
PID 2856 wrote to memory of 1256	2856	{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe	37
PID 2996 wrote to memory of 2788	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	38
PID 2996 wrote to memory of 2788	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	38
PID 2996 wrote to memory of 2788	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	38
PID 2996 wrote to memory of 2788	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	38
PID 2996 wrote to memory of 2872	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	39
PID 2996 wrote to memory of 2872	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	39
PID 2996 wrote to memory of 2872	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	39
PID 2996 wrote to memory of 2872	2996	{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe	39
PID 2788 wrote to memory of 1784	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	40
PID 2788 wrote to memory of 1784	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	40
PID 2788 wrote to memory of 1784	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	40
PID 2788 wrote to memory of 1784	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	40
PID 2788 wrote to memory of 1664	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	41
PID 2788 wrote to memory of 1664	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	41
PID 2788 wrote to memory of 1664	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	41
PID 2788 wrote to memory of 1664	2788	{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe	41
PID 1784 wrote to memory of 304	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	42
PID 1784 wrote to memory of 304	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	42
PID 1784 wrote to memory of 304	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	42
PID 1784 wrote to memory of 304	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	42
PID 1784 wrote to memory of 624	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	43
PID 1784 wrote to memory of 624	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	43
PID 1784 wrote to memory of 624	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	43
PID 1784 wrote to memory of 624	1784	{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe	43
PID 304 wrote to memory of 2044	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	44
PID 304 wrote to memory of 2044	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	44
PID 304 wrote to memory of 2044	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	44
PID 304 wrote to memory of 2044	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	44
PID 304 wrote to memory of 2820	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	45
PID 304 wrote to memory of 2820	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	45
PID 304 wrote to memory of 2820	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	45
PID 304 wrote to memory of 2820	304	{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_36c3fd8810741a67b4fe2465faecc3d9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\{488E1510-C70F-4d76-B928-752954E51FBD}.exe
  C:\Windows\{488E1510-C70F-4d76-B928-752954E51FBD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
    C:\Windows\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
      C:\Windows\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
        
        C:\Windows\{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
        
        C:\Windows\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
        
        C:\Windows\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
        
        C:\Windows\{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
        
        C:\Windows\{64011F2B-7B32-4900-AE66-58794626CAA1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe
        
        C:\Windows\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}.exe
        
        C:\Windows\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}.exe
        11⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\{5C82D96C-5259-4e70-929A-62AE70263210}.exe
        
        C:\Windows\{5C82D96C-5259-4e70-929A-62AE70263210}.exe
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2EA~1.EXE > nul
        12⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{063E3~1.EXE > nul
        11⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64011~1.EXE > nul
        10⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92407~1.EXE > nul
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{033BA~1.EXE > nul
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B2D9~1.EXE > nul
        7⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E786C~1.EXE > nul
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5428A~1.EXE > nul
        5⤵
        
        PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2DDB~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{488E1~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{033BADA7-E975-45e5-B60B-47A7C5BC75E1}.exe

Filesize
204KB

MD5
14563da31fd6785fcbd78f9a1830c5ed

SHA1
81c9c16932a4ba2a990dd8cb2c940cfcdafcbac2

SHA256
87df73020142353117587a82568779f19e0e1f8d692d44596e2a696cb05eac1d

SHA512
a9f4166b858d2e50d567e7557ab26fc32109edd3b859af3cdb480e0d332d72bcb1fc3ab67ebfc61f125297700b187bf23f509e83e0d4c41e651d82758e40ddf4

Download Submit
C:\Windows\{063E369D-0FCD-48d0-8446-B1DEAB9EEF48}.exe

Filesize
204KB

MD5
153b200375f5df2951fe5a940d8b434a

SHA1
57b51a21dd5b4572d1cb576c6b1bf5568bb44cb0

SHA256
8de736d9d490c55e99c99dbd4f1076ffccf0fcd8f67ee2d9f66719654c12ecd1

SHA512
f20c5faa76b3e97c4571ad7bfd9508976bf683fee0af00ff4f41766412e7266aac4aaf50f2ff9f41370de7d81819ae04968ed8a4855d58bacb5d7202ba3de17c

Download Submit
C:\Windows\{2B2D9FA8-C5C3-4cc1-88B7-52DC6F082FDA}.exe

Filesize
204KB

MD5
3aa3777ecb3aba4aa449bb30b1e4a98b

SHA1
adc4ea14371b9d19b06f32c01c77317859f82208

SHA256
ba76bc0668c977433e262957a22b0635e218c18d4655ad9f9a5366ec22f14db0

SHA512
8fe1a8d07aeceb5a7a07dc095be3bbe313a10cd16113aea6627a9295a9e6fb34d16b618db65d8c404605d31e6c398bedf923b7b8c03ec006015318c29be49248

Download Submit
C:\Windows\{488E1510-C70F-4d76-B928-752954E51FBD}.exe

Filesize
204KB

MD5
321d9a064b98caf4a7b0dfa24e7a315b

SHA1
eac205cb7df4ce091a03a6a263fd0110968731a0

SHA256
e6a42dbaecc49aeab908c14f7943b1703e2445ff4688228baa363b90ea28e712

SHA512
4634491207104b4d7ec508cc6b9b857fd74bea52d27a30be86056309dbb4932a7095c389e217b1c060832601f1d11993b68f2ec2050e831c515a5cd8695d8364

Download Submit
C:\Windows\{5428AC8D-B3B7-49e0-A31B-AE271270B09C}.exe

Filesize
204KB

MD5
0be4fce396e3512db8d120b4eb3edd5c

SHA1
350ff79260d7985439ce14d27c928a1d34dc2802

SHA256
c9dc30233c486b037b0ff9bb75a3b0a815ad4ed6ee75f01b062782034f6a3701

SHA512
db6bb083a768d9aa2e68897a35bf5770545880802c6c8ef583e0bc3086f80db87a7e98838f8595e0c02ae67efaf721a3a650feed5688782c7eb4310ce236595b

Download Submit
C:\Windows\{5C82D96C-5259-4e70-929A-62AE70263210}.exe

Filesize
204KB

MD5
a219abf80a3d89c7264f17bf65f726ed

SHA1
c15918cbe83040106fc34838b5045b180e200c43

SHA256
8d7519e12c749b7307c022ef4a0b92ec6ca4ca282712b4992d0b69346462fd01

SHA512
5bee3c744151b58bf3339df5f0365cd070659866ece286f44a28e25578973a6585f78a9167766fb2c63a9a90ad3be8033e62339b7827e64ef1d2c01be4f2f991

Download Submit
C:\Windows\{64011F2B-7B32-4900-AE66-58794626CAA1}.exe

Filesize
204KB

MD5
b84f5db293d1eda7e0450fb36fa3d016

SHA1
51190cefaa0bc9d378b66ba961a3578cc1ada21d

SHA256
558b1bcc56f84feb1caa55ceff5aadc2f96b6f3b53f290bfe68b661d8884f36b

SHA512
e6265646e58cd56873bff8bd477dd00b11b17b70ef899a795a4e21f96dc2b2e95c4b53e3b179423aa4be2d424113fc2a44273620802aab51c914c54b142feb91

Download Submit
C:\Windows\{6E2EA8F2-EB5B-4a2d-A881-26E6657FBE68}.exe

Filesize
204KB

MD5
d7f29950069cbc7d2fa856cd25806ee1

SHA1
d57895d5d9c3b49c3462b6bbef69eb07e9c7e6e1

SHA256
d7b1024a7401f665ac7eb4c0d2686773c0f072190c1da7f658f39e4f9a9c1b3b

SHA512
79b05450fa765f40c19814742bd56c1f644fe7685014e77fa8c2200b7a64d412fdc304f40bfb3070b19a92bbd50ffa66b23a6a4461befd21d8db99128af3e0fd

Download Submit
C:\Windows\{92407782-ABD2-4510-A3D3-6932BD1DC94D}.exe

Filesize
204KB

MD5
4288460b1fb5c627b7294ed20b6a6c99

SHA1
f0b5f60fb655fd899fc80bb3d635a951c0f0d32e

SHA256
ce64f3ea9d43db54ba28a7574169d869b69aeaf7149de17888a0c71b7a06ad0f

SHA512
b760c30c8a68414efdf1594d3b4a0a7199192ac8579fd8f027cb5c3aa25c669ac082717bbd2b82437093fa6831a74b282de5f88bf0ef1c8bc700a3711a3c79ad

Download Submit
C:\Windows\{D2DDB656-6A24-4a4b-B61D-074425A1AFB7}.exe

Filesize
204KB

MD5
a11a0a5d3ccfa4926628e1cc24eb5235

SHA1
e3ee63f8e8dda71589069a0a2e03f8a3d0edc3b5

SHA256
b93cede7bc9ee4bc8e40cbdb9b88345896cce620d80cb3c017dddeec855dfa0e

SHA512
3ca2d7e0947624031adcee98881e385811c733f444f36b9d152295c3cfeb5a6b1ee3462198dfb5ef1d3664ad8d6adde9f7df7642f2a94bcc5b25db3f71572f73

Download Submit
C:\Windows\{E786C420-60BA-454b-A26A-8B9E9EDC5074}.exe

Filesize
204KB

MD5
048d5ec6e12c6b0a97713de85941c33a

SHA1
588586ebee48dc16bb0a70bc190af96582ded818

SHA256
3d4afe84a8fc5033fb538a3c9152937385f291b8a6df611603dd15d41ad35224

SHA512
f6a10d27e2959b35478a09a990bdff71dcdf1bb9dcd181600b7b4503313edb702b87ae291d3e6c5e4b8a479a5d06c23b13704b7a39a2d8a43ebbacb2675f3eaf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads