9ef5b0a98cb7feb0fe17181ce7d523df721a941809af82b1be87e9a00a8dafa3

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe
Size

216KB
MD5

78b784a8e5c68798591d3d2770f6f83a
SHA1

257c7f39ec378c8ad37e6b1c6cf5553493738099
SHA256

9ef5b0a98cb7feb0fe17181ce7d523df721a941809af82b1be87e9a00a8dafa3
SHA512

27e8b421c71bbf9352a04302caf24aeb8683162baabcb2d4790c9c1fe6ec084f30a06b7f95cf3abfb2ae0f286f708bf49c49e10a4499dee9e3477aa0d4a0f5f5
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0037000000016133-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00370000000162cc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016133-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000016133-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000016133-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b000000016133-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003c000000016133-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}\stubpath = "C:\\Windows\\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe"	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAC7151C-C829-4402-8245-2481CD72D73C}\stubpath = "C:\\Windows\\{DAC7151C-C829-4402-8245-2481CD72D73C}.exe"	{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57656C14-5889-4b9a-9271-EE20071CFB23}	{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}\stubpath = "C:\\Windows\\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe"	{A956E31C-A695-4372-955E-018E51854206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}\stubpath = "C:\\Windows\\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe"	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32C5717-0036-4212-B34D-39DE7A01C331}\stubpath = "C:\\Windows\\{F32C5717-0036-4212-B34D-39DE7A01C331}.exe"	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85E41A95-86AB-458b-B113-5AB19424AB1C}	{57656C14-5889-4b9a-9271-EE20071CFB23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85E41A95-86AB-458b-B113-5AB19424AB1C}\stubpath = "C:\\Windows\\{85E41A95-86AB-458b-B113-5AB19424AB1C}.exe"	{57656C14-5889-4b9a-9271-EE20071CFB23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A956E31C-A695-4372-955E-018E51854206}	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A956E31C-A695-4372-955E-018E51854206}\stubpath = "C:\\Windows\\{A956E31C-A695-4372-955E-018E51854206}.exe"	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}\stubpath = "C:\\Windows\\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe"	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32C5717-0036-4212-B34D-39DE7A01C331}	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}	{A956E31C-A695-4372-955E-018E51854206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}\stubpath = "C:\\Windows\\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe"	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAC7151C-C829-4402-8245-2481CD72D73C}	{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57656C14-5889-4b9a-9271-EE20071CFB23}\stubpath = "C:\\Windows\\{57656C14-5889-4b9a-9271-EE20071CFB23}.exe"	{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}\stubpath = "C:\\Windows\\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe"	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
2712	{A956E31C-A695-4372-955E-018E51854206}.exe
2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
2404	{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
1580	{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
1912	{57656C14-5889-4b9a-9271-EE20071CFB23}.exe
2896	{85E41A95-86AB-458b-B113-5AB19424AB1C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	{A956E31C-A695-4372-955E-018E51854206}.exe
File created	C:\Windows\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
File created	C:\Windows\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
File created	C:\Windows\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
File created	C:\Windows\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
File created	C:\Windows\{DAC7151C-C829-4402-8245-2481CD72D73C}.exe	{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
File created	C:\Windows\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe
File created	C:\Windows\{A956E31C-A695-4372-955E-018E51854206}.exe	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
File created	C:\Windows\{57656C14-5889-4b9a-9271-EE20071CFB23}.exe	{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
File created	C:\Windows\{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
File created	C:\Windows\{85E41A95-86AB-458b-B113-5AB19424AB1C}.exe	{57656C14-5889-4b9a-9271-EE20071CFB23}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
Token: SeIncBasePriorityPrivilege	2712	{A956E31C-A695-4372-955E-018E51854206}.exe
Token: SeIncBasePriorityPrivilege	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
Token: SeIncBasePriorityPrivilege	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
Token: SeIncBasePriorityPrivilege	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
Token: SeIncBasePriorityPrivilege	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
Token: SeIncBasePriorityPrivilege	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
Token: SeIncBasePriorityPrivilege	2404	{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
Token: SeIncBasePriorityPrivilege	1580	{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
Token: SeIncBasePriorityPrivilege	1912	{57656C14-5889-4b9a-9271-EE20071CFB23}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1092	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	28
PID 2928 wrote to memory of 1092	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	28
PID 2928 wrote to memory of 1092	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	28
PID 2928 wrote to memory of 1092	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	28
PID 2928 wrote to memory of 2108	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	29
PID 2928 wrote to memory of 2108	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	29
PID 2928 wrote to memory of 2108	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	29
PID 2928 wrote to memory of 2108	2928	2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe	29
PID 1092 wrote to memory of 2712	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	30
PID 1092 wrote to memory of 2712	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	30
PID 1092 wrote to memory of 2712	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	30
PID 1092 wrote to memory of 2712	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	30
PID 1092 wrote to memory of 2876	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	31
PID 1092 wrote to memory of 2876	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	31
PID 1092 wrote to memory of 2876	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	31
PID 1092 wrote to memory of 2876	1092	{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe	31
PID 2712 wrote to memory of 2016	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	32
PID 2712 wrote to memory of 2016	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	32
PID 2712 wrote to memory of 2016	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	32
PID 2712 wrote to memory of 2016	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	32
PID 2712 wrote to memory of 2540	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	33
PID 2712 wrote to memory of 2540	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	33
PID 2712 wrote to memory of 2540	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	33
PID 2712 wrote to memory of 2540	2712	{A956E31C-A695-4372-955E-018E51854206}.exe	33
PID 2016 wrote to memory of 2956	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	36
PID 2016 wrote to memory of 2956	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	36
PID 2016 wrote to memory of 2956	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	36
PID 2016 wrote to memory of 2956	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	36
PID 2016 wrote to memory of 2080	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	37
PID 2016 wrote to memory of 2080	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	37
PID 2016 wrote to memory of 2080	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	37
PID 2016 wrote to memory of 2080	2016	{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe	37
PID 2956 wrote to memory of 1608	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	38
PID 2956 wrote to memory of 1608	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	38
PID 2956 wrote to memory of 1608	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	38
PID 2956 wrote to memory of 1608	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	38
PID 2956 wrote to memory of 2760	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	39
PID 2956 wrote to memory of 2760	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	39
PID 2956 wrote to memory of 2760	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	39
PID 2956 wrote to memory of 2760	2956	{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe	39
PID 1608 wrote to memory of 1812	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	40
PID 1608 wrote to memory of 1812	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	40
PID 1608 wrote to memory of 1812	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	40
PID 1608 wrote to memory of 1812	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	40
PID 1608 wrote to memory of 1868	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	41
PID 1608 wrote to memory of 1868	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	41
PID 1608 wrote to memory of 1868	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	41
PID 1608 wrote to memory of 1868	1608	{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe	41
PID 1812 wrote to memory of 2000	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	42
PID 1812 wrote to memory of 2000	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	42
PID 1812 wrote to memory of 2000	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	42
PID 1812 wrote to memory of 2000	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	42
PID 1812 wrote to memory of 1944	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	43
PID 1812 wrote to memory of 1944	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	43
PID 1812 wrote to memory of 1944	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	43
PID 1812 wrote to memory of 1944	1812	{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe	43
PID 2000 wrote to memory of 2404	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	44
PID 2000 wrote to memory of 2404	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	44
PID 2000 wrote to memory of 2404	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	44
PID 2000 wrote to memory of 2404	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	44
PID 2000 wrote to memory of 380	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	45
PID 2000 wrote to memory of 380	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	45
PID 2000 wrote to memory of 380	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	45
PID 2000 wrote to memory of 380	2000	{F32C5717-0036-4212-B34D-39DE7A01C331}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_78b784a8e5c68798591d3d2770f6f83a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
  C:\Windows\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\{A956E31C-A695-4372-955E-018E51854206}.exe
    C:\Windows\{A956E31C-A695-4372-955E-018E51854206}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
      C:\Windows\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
        
        C:\Windows\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
        
        C:\Windows\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
        
        C:\Windows\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
        
        C:\Windows\{F32C5717-0036-4212-B34D-39DE7A01C331}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
        
        C:\Windows\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
        
        C:\Windows\{DAC7151C-C829-4402-8245-2481CD72D73C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\{57656C14-5889-4b9a-9271-EE20071CFB23}.exe
        
        C:\Windows\{57656C14-5889-4b9a-9271-EE20071CFB23}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\{85E41A95-86AB-458b-B113-5AB19424AB1C}.exe
        
        C:\Windows\{85E41A95-86AB-458b-B113-5AB19424AB1C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57656~1.EXE > nul
        12⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAC71~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{220ED~1.EXE > nul
        10⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F32C5~1.EXE > nul
        9⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39E58~1.EXE > nul
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8E17~1.EXE > nul
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAF84~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F2B~1.EXE > nul
        5⤵
        
        PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A956E~1.EXE > nul
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE74~1.EXE > nul
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{220ED4B0-D090-4141-88AE-0D8FA1D7B794}.exe

Filesize
216KB

MD5
fa8fa879caa789adf0281a0f6aaaf834

SHA1
8f936bc218d501edc0a011409f7e5c4bde69b4b4

SHA256
b3b2a5bc8cb9ce1664f46855e277d110d252b0c1aa69f123f13a8f02285b9c75

SHA512
646b09f15f34ac4d22618fa4dd261f3f834306ae60e44f78a09c0eda90d0b87c05e6030ed38ccb36b341893602ad64fc48e1942aa93aadbc67fb2c9d84427a61

Download Submit
C:\Windows\{39E58CEE-5FBC-4adc-A486-FBA403F0DF10}.exe

Filesize
216KB

MD5
acc104564393f5bfaf396645078e7bb2

SHA1
0d6d2450d1bd1595ca81fefc44411c039756b48d

SHA256
42598d32feadb0506457b8bcaf99cea540f820bfe1361795e83112ff0c2bc50c

SHA512
0dd915eac9217bb57cc8fdbe668158a3381d130bfaac69eaf61c2d3f42938cc3cc258d25123eace95ba30722c71a8a148e72514ccdcf0d5cabcac3ab8e772ceb

Download Submit
C:\Windows\{57656C14-5889-4b9a-9271-EE20071CFB23}.exe

Filesize
216KB

MD5
9ea5b2b85af562059ffb638bf793190e

SHA1
72b0c630282211bb582b52ed9f23eee293995ad1

SHA256
07a17d6235cb15826c249bb1329c0b7ab194f52a207616f8d131b9ef4aca56dd

SHA512
cc0fb5f5560f8b2992823de0e33aeb2de4837b8ce6dca4e0008b2aa05fd15d630cf9bbb98c48ba4982cd4c18ffbd18d10ec394c3e237ee0215ec0a66ff62b4c5

Download Submit
C:\Windows\{85E41A95-86AB-458b-B113-5AB19424AB1C}.exe

Filesize
216KB

MD5
79c534da74223c4bb811cec01943a796

SHA1
ccdd1ad58f580956e23a7ef8486a93e0f9fb64fd

SHA256
5247a82fa63e2bf1fab75fd3a158eed6172105169ed11a4d8bf5ff5093ed68e4

SHA512
4d16d8a6311ba6fb5f635c0a736fb737f0a2ebd769d0230fcad78acd3d945d2caa31528414a91851a681b6555f6d431e637a5f5605ee8af10832939df292aaa4

Download Submit
C:\Windows\{A8E170DA-0091-4a4f-97C5-B1E4F54AE3AD}.exe

Filesize
216KB

MD5
78fc1cd514d5af9d7840d769bf5978f1

SHA1
c3615f1575a50c0521ef346785923cd6aebe6054

SHA256
e7172dd97b8594aa28093bddf55395e80a8526adcfaacb45036e5e50a803a2f5

SHA512
de2a0cf5ce6ef68de9b8c4ffa03e4e622f8aaf410dbc0b8a5e08256048fd535fa981c7153efc2a12824801e40ad558721c062d77374c82cff3e2d475ef27dcc0

Download Submit
C:\Windows\{A956E31C-A695-4372-955E-018E51854206}.exe

Filesize
216KB

MD5
7c95e308c6c1b897513c705c42910328

SHA1
5b6bfbaec9cfd32e83320eec1373699e50bd7518

SHA256
644040f376bd2ad07a7fe187a2a9b4d51098daebb4885ab756caf0a96c5a6c4c

SHA512
f433f171efbcc95445466647ec714339a273df1a274858aaae58aa76bc34c9b1bb22908df5c31755c6196a6a86842b908d8603f61a697807a1c2d0ff5ae36444

Download Submit
C:\Windows\{B8F2BE1E-8B2A-41e2-A9A9-3495E450A8DF}.exe

Filesize
216KB

MD5
91996ea8023527a86300278b2df200c9

SHA1
283ef152eb82a2f229ea6fe35904d585a45a9f2a

SHA256
9d7ace10242e4746ebf196337ba6fec5c1bd4c37f41f7ad73209d4041b6c4d3d

SHA512
9ca313d9030fe0d1be37089a4050c27d23e1baec671ca14f2ce644cbb7c53374fac9f2760e9066e0731339b14c817a210a8162456f616b4355632e3ddb5a9f73

Download Submit
C:\Windows\{DAC7151C-C829-4402-8245-2481CD72D73C}.exe

Filesize
216KB

MD5
856d3520b36c20ae115aca21927cc55e

SHA1
2a576836df86fedfa77d85a2b8b56b559a7f7bee

SHA256
c493b4370d73b3699d14c88cac5a265027e3f3eb3047ebca0e383f831754f73b

SHA512
39e479a007b01380434920b67c04b4825878acd947c3fd423c1421cb86ff2eddb3b18feeb671b44bba0ed676073734951de8142977aab18f9a7359520a7c9028

Download Submit
C:\Windows\{EEE74A0E-75EA-48bd-8982-C7C7B437DB52}.exe

Filesize
216KB

MD5
3d4fe122fbaf3c7737b76525107a04ed

SHA1
f1a878f1752728a772bad33f4186c84742a695f8

SHA256
16a56b7fd51da9f61576432920800e6270136b9c922887f4a8c4c9457589a794

SHA512
095a0ab49ce43211e27767633d628e5da0df4f883b9a03300e5dc58c0355c8e043a952b222f212b01cf290f3300661225836c7bb41d803149e3f20c21d84de89

Download Submit
C:\Windows\{F32C5717-0036-4212-B34D-39DE7A01C331}.exe

Filesize
216KB

MD5
430eb7760deb2834894a652abdd9c783

SHA1
e042530871aab761589b00de28d0f750ae39aecd

SHA256
a7be6729867983eb38d9d702e07c53d64c3d2e8b21c2826428dc89e8ad83b943

SHA512
2595dcca814ec38f3074d44a8ec5b500123fb006178047714d4e9376cc964e359c89ef253033befa6a51ede2f171252ccbace9fff7a07f791ffe838ec9360564

Download Submit
C:\Windows\{FAF84414-15BF-42a2-9BD3-E74200CC9BCF}.exe

Filesize
216KB

MD5
127f01f3134cb3c7ec59ffb6bab9cdb3

SHA1
33360faeb84fde4824d0b46cdfdce5d615882ef8

SHA256
3fb3fd92671e7d6fca42aed5ce1dc19d6022e87d21f3bd3a30be11cf1326fc93

SHA512
38a6e048a9d9990d030bb8dccc32e529899dac7979cc28db11c9fa65ab9b22103dee54016634656b57027555fed3508ec64cc6740bd450f4e57fd49f8902f42e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads