e25ae208703148abec5be39f406b5ac8972b5693fee78b828bf07b0a2a2007e6

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe
Size

380KB
MD5

9335d0d963c62a8822b4cc59ccd15dbc
SHA1

a7308e369d21513f7ab9a4a2042cb8ecda130a99
SHA256

e25ae208703148abec5be39f406b5ac8972b5693fee78b828bf07b0a2a2007e6
SHA512

bca7e05d0112ee81bb78638cf2ab2b5c39b6e2ecde35335d7f71ba6c52f0b783cf620e89ede2a7f62ba93d1509f8e0890f8b166217f70c25b9cf2018b7659749
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a71-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000141a2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a71-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000143ec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a71-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a71-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a71-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a71-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{538EA658-34C4-4c69-A3CB-81D0DD800006}	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF777715-D6C7-4184-A49E-29687BED9009}\stubpath = "C:\\Windows\\{BF777715-D6C7-4184-A49E-29687BED9009}.exe"	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}\stubpath = "C:\\Windows\\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe"	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}\stubpath = "C:\\Windows\\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe"	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C881F271-5758-411f-B125-2AA3D78304CB}	{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}\stubpath = "C:\\Windows\\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe"	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C881F271-5758-411f-B125-2AA3D78304CB}\stubpath = "C:\\Windows\\{C881F271-5758-411f-B125-2AA3D78304CB}.exe"	{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{538EA658-34C4-4c69-A3CB-81D0DD800006}\stubpath = "C:\\Windows\\{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe"	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}	{BF777715-D6C7-4184-A49E-29687BED9009}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}\stubpath = "C:\\Windows\\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe"	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA02E709-0D29-49d2-9D8A-15072E78A033}\stubpath = "C:\\Windows\\{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe"	{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6F2269-81B4-488d-86DF-10196250F09D}\stubpath = "C:\\Windows\\{6B6F2269-81B4-488d-86DF-10196250F09D}.exe"	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}\stubpath = "C:\\Windows\\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe"	{BF777715-D6C7-4184-A49E-29687BED9009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA02E709-0D29-49d2-9D8A-15072E78A033}	{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}\stubpath = "C:\\Windows\\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe"	{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6F2269-81B4-488d-86DF-10196250F09D}	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF777715-D6C7-4184-A49E-29687BED9009}	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}	{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe
2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
1628	{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
2908	{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
2116	{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe
580	{C881F271-5758-411f-B125-2AA3D78304CB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BF777715-D6C7-4184-A49E-29687BED9009}.exe	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
File created	C:\Windows\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
File created	C:\Windows\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe	{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
File created	C:\Windows\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe
File created	C:\Windows\{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
File created	C:\Windows\{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
File created	C:\Windows\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	{BF777715-D6C7-4184-A49E-29687BED9009}.exe
File created	C:\Windows\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
File created	C:\Windows\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
File created	C:\Windows\{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe	{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
File created	C:\Windows\{C881F271-5758-411f-B125-2AA3D78304CB}.exe	{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
Token: SeIncBasePriorityPrivilege	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
Token: SeIncBasePriorityPrivilege	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
Token: SeIncBasePriorityPrivilege	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe
Token: SeIncBasePriorityPrivilege	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
Token: SeIncBasePriorityPrivilege	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
Token: SeIncBasePriorityPrivilege	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
Token: SeIncBasePriorityPrivilege	1628	{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
Token: SeIncBasePriorityPrivilege	2908	{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
Token: SeIncBasePriorityPrivilege	2116	{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3016	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	28
PID 2360 wrote to memory of 3016	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	28
PID 2360 wrote to memory of 3016	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	28
PID 2360 wrote to memory of 3016	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	28
PID 2360 wrote to memory of 772	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	29
PID 2360 wrote to memory of 772	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	29
PID 2360 wrote to memory of 772	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	29
PID 2360 wrote to memory of 772	2360	2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe	29
PID 3016 wrote to memory of 2564	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	31
PID 3016 wrote to memory of 2564	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	31
PID 3016 wrote to memory of 2564	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	31
PID 3016 wrote to memory of 2564	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	31
PID 3016 wrote to memory of 2664	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	30
PID 3016 wrote to memory of 2664	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	30
PID 3016 wrote to memory of 2664	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	30
PID 3016 wrote to memory of 2664	3016	{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe	30
PID 2564 wrote to memory of 2748	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	32
PID 2564 wrote to memory of 2748	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	32
PID 2564 wrote to memory of 2748	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	32
PID 2564 wrote to memory of 2748	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	32
PID 2564 wrote to memory of 2744	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	33
PID 2564 wrote to memory of 2744	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	33
PID 2564 wrote to memory of 2744	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	33
PID 2564 wrote to memory of 2744	2564	{6B6F2269-81B4-488d-86DF-10196250F09D}.exe	33
PID 2748 wrote to memory of 2624	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	36
PID 2748 wrote to memory of 2624	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	36
PID 2748 wrote to memory of 2624	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	36
PID 2748 wrote to memory of 2624	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	36
PID 2748 wrote to memory of 2904	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	37
PID 2748 wrote to memory of 2904	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	37
PID 2748 wrote to memory of 2904	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	37
PID 2748 wrote to memory of 2904	2748	{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe	37
PID 2624 wrote to memory of 2556	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	39
PID 2624 wrote to memory of 2556	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	39
PID 2624 wrote to memory of 2556	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	39
PID 2624 wrote to memory of 2556	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	39
PID 2624 wrote to memory of 2876	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	38
PID 2624 wrote to memory of 2876	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	38
PID 2624 wrote to memory of 2876	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	38
PID 2624 wrote to memory of 2876	2624	{BF777715-D6C7-4184-A49E-29687BED9009}.exe	38
PID 2556 wrote to memory of 2764	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	40
PID 2556 wrote to memory of 2764	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	40
PID 2556 wrote to memory of 2764	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	40
PID 2556 wrote to memory of 2764	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	40
PID 2556 wrote to memory of 2840	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	41
PID 2556 wrote to memory of 2840	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	41
PID 2556 wrote to memory of 2840	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	41
PID 2556 wrote to memory of 2840	2556	{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe	41
PID 2764 wrote to memory of 2768	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	42
PID 2764 wrote to memory of 2768	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	42
PID 2764 wrote to memory of 2768	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	42
PID 2764 wrote to memory of 2768	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	42
PID 2764 wrote to memory of 2852	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	43
PID 2764 wrote to memory of 2852	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	43
PID 2764 wrote to memory of 2852	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	43
PID 2764 wrote to memory of 2852	2764	{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe	43
PID 2768 wrote to memory of 1628	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	45
PID 2768 wrote to memory of 1628	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	45
PID 2768 wrote to memory of 1628	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	45
PID 2768 wrote to memory of 1628	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	45
PID 2768 wrote to memory of 1272	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	44
PID 2768 wrote to memory of 1272	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	44
PID 2768 wrote to memory of 1272	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	44
PID 2768 wrote to memory of 1272	2768	{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_9335d0d963c62a8822b4cc59ccd15dbc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
  C:\Windows\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A11D8~1.EXE > nul
    3⤵
    PID:2664
- - C:\Windows\{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
    C:\Windows\{6B6F2269-81B4-488d-86DF-10196250F09D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
      C:\Windows\{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{BF777715-D6C7-4184-A49E-29687BED9009}.exe
        
        C:\Windows\{BF777715-D6C7-4184-A49E-29687BED9009}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF777~1.EXE > nul
        6⤵
        
        PID:2876
      - C:\Windows\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
        
        C:\Windows\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
        
        C:\Windows\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
        
        C:\Windows\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B34D~1.EXE > nul
        9⤵
        
        PID:1272
        
        C:\Windows\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
        
        C:\Windows\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A5F~1.EXE > nul
        10⤵
        
        PID:2316
        
        C:\Windows\{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
        
        C:\Windows\{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA02E~1.EXE > nul
        11⤵
        
        PID:688
        
        C:\Windows\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe
        
        C:\Windows\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D387~1.EXE > nul
        12⤵
        
        PID:1120
        
        C:\Windows\{C881F271-5758-411f-B125-2AA3D78304CB}.exe
        
        C:\Windows\{C881F271-5758-411f-B125-2AA3D78304CB}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{492EC~1.EXE > nul
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3575C~1.EXE > nul
        7⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{538EA~1.EXE > nul
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B6F2~1.EXE > nul
      4⤵
      PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe

Filesize
380KB

MD5
86390c037a267fce06f4ab548d81a00e

SHA1
975d472a05dbca0effb47b8a6f807981b67b2f4f

SHA256
29c4f2f6a9d93622a229d56908c713adcc291047bb9c7de05d0e22d1ff265c60

SHA512
ddd566d31d695aee91ee299f09b46eb0defcc730214e6d969c2ec7663d1d69fee85f15e36612f147ab1e577c63bf56dc2affc8a26eff325f6009317180c61eeb

Download Submit
C:\Windows\{3575CD8C-D986-4d36-87EF-6345BDC4FB70}.exe

Filesize
294KB

MD5
d044c84ef6ee585fd8102f4d67ead908

SHA1
3d9089d8725d88878a2799d43f87787835bb4aeb

SHA256
c563c67944ea1fe29d4bbf4bf9b009bc00952eed0c41801c37dbe63de2fca608

SHA512
0bb3db0fbf40a707f6a82a5b3b817468f35dbe50365b7120e876cedb5405201d1a644b93caceafbcd97b36f6e82273013321405862dfc5e67a4856b3c99d5b71

Download Submit
C:\Windows\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe

Filesize
325KB

MD5
bb5a0685b413cb18533a17e60277972c

SHA1
7598ade1ce884e3176f9eb94ccc85e044ea938b9

SHA256
047f95e4bd8399f5d13ad52b655fbf450297effa2807d3bc82b456c2db7096a1

SHA512
37922eb8973b0d8ef966cc3c857fab4b1334e2fec653682cf1be0768abc94cb4dec3247e720ca173965a921cb8f4df65dc19f6faed5de77371b23a4db370cd5b

Download Submit
C:\Windows\{492ECDDA-F55A-4a6e-AA7F-6905BBD016DD}.exe

Filesize
380KB

MD5
47fbf48c4679b30c714364b1a3685e36

SHA1
eca2965bc9be63a9921915166b2b10544b946500

SHA256
3aa785215a3302123cbf2d1d28dccb17df10e9e906c507f87c1d13022397db51

SHA512
1f7c1cc26259e8e4061b89638a252332253170ed5640b8ad3c26409eca2a638ff970b58632406c730a02bf2278c3681c8dc723319ca03a65e3d98524f00b5c11

Download Submit
C:\Windows\{538EA658-34C4-4c69-A3CB-81D0DD800006}.exe

Filesize
380KB

MD5
ee068b733a29970839382785883f47d6

SHA1
fb6ff728624ce05196abeceb6751aa0b4e3c4518

SHA256
6c4721635b175a792ccb3bc9d1250e1511eb5f318a7ddceabcea7251d3bdda81

SHA512
bdcc5fc7630c9c08675e5f91ad898bc0090228c07defbc6aeef76bfa6fd6c0563bc1f1e1a3d7ded9789414d82d52fb41ec6f8fa43869035586dc0685c5790d64

Download Submit
C:\Windows\{5D3875C4-0E6F-4a2b-B671-B66163ADA39E}.exe

Filesize
380KB

MD5
2e73f2783459265098821372ffc84618

SHA1
f1ad19c3ffb946b46dd7924cf160fb026cfb0e5b

SHA256
592dedeeafa663b7a9634b993adf380c4ccbad98acc440c38e1ba27be428a4bf

SHA512
b6215d0752eacaf4d5d7109f11bb7a710a8d4e98eddc030d369e600973e174260ccefd93fce346972d33795bc71ad5cc4433ad1fe1b3cfe47f32b7720812df08

Download Submit
C:\Windows\{6B34D60D-1BFB-459a-AA5C-F365AB93A724}.exe

Filesize
380KB

MD5
97bab827bda39ac80ec2cc4f513862a9

SHA1
cd0f089339891218cbbed059e06d7f0ffcf1c7f9

SHA256
2f2488349ef94130fed6212245492e864d670e2a889d101c2b75148660d367be

SHA512
3df847e0317874cdae7f6a389dc165fd6d625185d1362f179e310e865426041e98f8240c32d4daff59994d3987d44a6e70568da364a5ee24a39bac1a9173ff56

Download Submit
C:\Windows\{6B6F2269-81B4-488d-86DF-10196250F09D}.exe

Filesize
380KB

MD5
8d6bdd44fb037675d34d5e027d70328e

SHA1
c8722efcdcc086dde485c8a64449cdff976cfcd2

SHA256
ebbd4f1a83d780763628b89ccde882ec29f0d7c6572feadf28d28d8724a5c37c

SHA512
547a5dbb55b50f5a1066f74b277646b7732492931cf64440a8218a87f34f2f9017400db120cecf8426df8f06264ccf6ed40cfc73d4b860541eb2faa3d8efb1f4

Download Submit
C:\Windows\{A11D86FB-892E-4bf2-8DE2-805734CA9D09}.exe

Filesize
380KB

MD5
2a4c46e372c16ead0573b3fd165e08af

SHA1
8c005b5a7f8c2e22292a9c52ed5be1e3d1a077b7

SHA256
5c3e2f5f86f799ad94f4fbb8880af1dc9f46792c2d2ff716d6cd27141e035a4e

SHA512
fa9baad5c2a6010931d6d7ad60686cb8755e347fe2bad7d4c815582ed18b3e622b3ed5c234dbb1ae1e8bda9367848d0bb6f462820bb25ba540d410017e7ee4ae

Download Submit
C:\Windows\{BF777715-D6C7-4184-A49E-29687BED9009}.exe

Filesize
380KB

MD5
50cf167bbc8869a040d7dc989349c794

SHA1
190143fa911a0e8a4bd2d095e8c68e7ef1e3bfb3

SHA256
0d72d157c1030459ca20ce1c0c325f32f1e7d442439724ffcdce7044516ddbe4

SHA512
10048fee5722ea08a9025bf3d4b90126e8c30a55ed8164bbad7c91f8395c23f5bcd94be6f1d33350769a175f2581039a5f635cc351ae5f30fecc1d5631f8c043

Download Submit
C:\Windows\{C881F271-5758-411f-B125-2AA3D78304CB}.exe

Filesize
380KB

MD5
1f695fab4cda1fd33fe96ab64423a0ed

SHA1
9f2093a9b6b9c1cfdf8804ff25b009891f5f6c94

SHA256
821bdabd728f697f8488a8bf9bd2cfe7041f57a04885d241cab4e4bf21512393

SHA512
f5490cde950b1e3899337cb8c441580437844fb79f9a14d64f31254cb502596459b3dbf6b7987a0df1670079e3edef8ba8b5316a3120a38beacb7247151635b7

Download Submit
C:\Windows\{C9A5F601-32E0-4954-8EEF-D4F042C3D11A}.exe

Filesize
380KB

MD5
310c64a69a7c879a1a60f8c1b138bb84

SHA1
3c9a4a1c28e722fde628ed2210965b78a7ea4f30

SHA256
ec825d8e7beab16236bad98aa6c0d29caefec4ae0e0bfa57dfd3c3b432e0c391

SHA512
530e6f092ba960475db35b14c954603b93328e8307cfa095985116dc188422d4323f5393370f6d21c661e9ecb34acdf8d2adc58e4da72ee9346c45b16452294b

Download Submit
C:\Windows\{FA02E709-0D29-49d2-9D8A-15072E78A033}.exe

Filesize
380KB

MD5
81ba228bdb4b093e11ca1839fab8c095

SHA1
cc38fdf54f3798d9a9a481b8e928b1dd89b144ff

SHA256
2af6f772cad81dcf8f878b54df2c8e8423424bd8ba664497510aeaf0bfb68f6f

SHA512
079e448348715579619e280b5dbaadea3b739925781974c87d70ce5a2eb085a07197f4930fdd2d9dcdb0893b154f5298c49ae15d4127fae00609d427010e743f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads