8402cf2d0ecde83317cb695ac39b7de10f8d8659e074df91aaf4f5a9acb2c465

Analysis

max time kernel
132s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Size

197KB
MD5

112b95a40e0f54f5a0a8e66f53b60516
SHA1

b7658fa8f9aa15fd582c53a41482d51d211295d5
SHA256

8402cf2d0ecde83317cb695ac39b7de10f8d8659e074df91aaf4f5a9acb2c465
SHA512

ac84bd59d28ba2916616f67667781436cc1f3586c968a4462f334bb8b10cf43ed16ed55a9802fcff7971a17257bab5bdbdaf3acd9bebc97a1b923279271a36d4
SSDEEP

3072:jEGh0ohl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGzlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 20 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122c9-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015658-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015658-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cb3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122c9-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cb3-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122c9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122c9-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122c9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122c9-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c9-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}\stubpath = "C:\\Windows\\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe"	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}	{D3964291-872F-48b3-99DD-395A317E1407}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3964291-872F-48b3-99DD-395A317E1407}	{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5A56884-E339-481c-92F0-462A31A89DD2}	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}\stubpath = "C:\\Windows\\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe"	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}\stubpath = "C:\\Windows\\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe"	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2498A60E-C19E-4b27-A3F0-086E778F748E}	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2498A60E-C19E-4b27-A3F0-086E778F748E}\stubpath = "C:\\Windows\\{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe"	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB45E042-640B-4fac-9391-54AD67DF3063}\stubpath = "C:\\Windows\\{FB45E042-640B-4fac-9391-54AD67DF3063}.exe"	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}\stubpath = "C:\\Windows\\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe"	{D3964291-872F-48b3-99DD-395A317E1407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}\stubpath = "C:\\Windows\\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe"	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5A56884-E339-481c-92F0-462A31A89DD2}\stubpath = "C:\\Windows\\{E5A56884-E339-481c-92F0-462A31A89DD2}.exe"	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB45E042-640B-4fac-9391-54AD67DF3063}	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3964291-872F-48b3-99DD-395A317E1407}\stubpath = "C:\\Windows\\{D3964291-872F-48b3-99DD-395A317E1407}.exe"	{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}\stubpath = "C:\\Windows\\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe"	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe
2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
1132	{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
1984	{D3964291-872F-48b3-99DD-395A317E1407}.exe
268	{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
File created	C:\Windows\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
File created	C:\Windows\{FB45E042-640B-4fac-9391-54AD67DF3063}.exe	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
File created	C:\Windows\{D3964291-872F-48b3-99DD-395A317E1407}.exe	{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
File created	C:\Windows\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
File created	C:\Windows\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
File created	C:\Windows\{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
File created	C:\Windows\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe
File created	C:\Windows\{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
File created	C:\Windows\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe	{D3964291-872F-48b3-99DD-395A317E1407}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
Token: SeIncBasePriorityPrivilege	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
Token: SeIncBasePriorityPrivilege	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
Token: SeIncBasePriorityPrivilege	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe
Token: SeIncBasePriorityPrivilege	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
Token: SeIncBasePriorityPrivilege	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
Token: SeIncBasePriorityPrivilege	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
Token: SeIncBasePriorityPrivilege	1132	{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
Token: SeIncBasePriorityPrivilege	1984	{D3964291-872F-48b3-99DD-395A317E1407}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2664	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	28
PID 2080 wrote to memory of 2664	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	28
PID 2080 wrote to memory of 2664	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	28
PID 2080 wrote to memory of 2664	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	28
PID 2080 wrote to memory of 2628	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	29
PID 2080 wrote to memory of 2628	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	29
PID 2080 wrote to memory of 2628	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	29
PID 2080 wrote to memory of 2628	2080	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	29
PID 2664 wrote to memory of 2828	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	31
PID 2664 wrote to memory of 2828	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	31
PID 2664 wrote to memory of 2828	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	31
PID 2664 wrote to memory of 2828	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	31
PID 2664 wrote to memory of 2740	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	30
PID 2664 wrote to memory of 2740	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	30
PID 2664 wrote to memory of 2740	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	30
PID 2664 wrote to memory of 2740	2664	{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe	30
PID 2828 wrote to memory of 2480	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	33
PID 2828 wrote to memory of 2480	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	33
PID 2828 wrote to memory of 2480	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	33
PID 2828 wrote to memory of 2480	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	33
PID 2828 wrote to memory of 2568	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	32
PID 2828 wrote to memory of 2568	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	32
PID 2828 wrote to memory of 2568	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	32
PID 2828 wrote to memory of 2568	2828	{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe	32
PID 2480 wrote to memory of 1260	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	37
PID 2480 wrote to memory of 1260	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	37
PID 2480 wrote to memory of 1260	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	37
PID 2480 wrote to memory of 1260	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	37
PID 2480 wrote to memory of 2896	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	36
PID 2480 wrote to memory of 2896	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	36
PID 2480 wrote to memory of 2896	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	36
PID 2480 wrote to memory of 2896	2480	{E5A56884-E339-481c-92F0-462A31A89DD2}.exe	36
PID 1260 wrote to memory of 2612	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	38
PID 1260 wrote to memory of 2612	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	38
PID 1260 wrote to memory of 2612	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	38
PID 1260 wrote to memory of 2612	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	38
PID 1260 wrote to memory of 848	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	39
PID 1260 wrote to memory of 848	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	39
PID 1260 wrote to memory of 848	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	39
PID 1260 wrote to memory of 848	1260	{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe	39
PID 2612 wrote to memory of 352	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	41
PID 2612 wrote to memory of 352	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	41
PID 2612 wrote to memory of 352	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	41
PID 2612 wrote to memory of 352	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	41
PID 2612 wrote to memory of 2404	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	40
PID 2612 wrote to memory of 2404	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	40
PID 2612 wrote to memory of 2404	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	40
PID 2612 wrote to memory of 2404	2612	{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe	40
PID 352 wrote to memory of 1460	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	43
PID 352 wrote to memory of 1460	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	43
PID 352 wrote to memory of 1460	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	43
PID 352 wrote to memory of 1460	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	43
PID 352 wrote to memory of 2704	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	42
PID 352 wrote to memory of 2704	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	42
PID 352 wrote to memory of 2704	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	42
PID 352 wrote to memory of 2704	352	{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe	42
PID 1460 wrote to memory of 1132	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	45
PID 1460 wrote to memory of 1132	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	45
PID 1460 wrote to memory of 1132	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	45
PID 1460 wrote to memory of 1132	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	45
PID 1460 wrote to memory of 2060	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	44
PID 1460 wrote to memory of 2060	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	44
PID 1460 wrote to memory of 2060	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	44
PID 1460 wrote to memory of 2060	1460	{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
  C:\Windows\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F951A~1.EXE > nul
    3⤵
    PID:2740
- - C:\Windows\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
    C:\Windows\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{87123~1.EXE > nul
      4⤵
      PID:2568
  - - C:\Windows\{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
      C:\Windows\{E5A56884-E339-481c-92F0-462A31A89DD2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5A56~1.EXE > nul
        5⤵
        
        PID:2896
    - - C:\Windows\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe
        
        C:\Windows\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
        
        C:\Windows\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81FCF~1.EXE > nul
        7⤵
        
        PID:2404
        
        C:\Windows\{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
        
        C:\Windows\{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2498A~1.EXE > nul
        8⤵
        
        PID:2704
        
        C:\Windows\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
        
        C:\Windows\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA5AB~1.EXE > nul
        9⤵
        
        PID:2060
        
        C:\Windows\{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
        
        C:\Windows\{FB45E042-640B-4fac-9391-54AD67DF3063}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB45E~1.EXE > nul
        10⤵
        
        PID:1224
        
        C:\Windows\{D3964291-872F-48b3-99DD-395A317E1407}.exe
        
        C:\Windows\{D3964291-872F-48b3-99DD-395A317E1407}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3964~1.EXE > nul
        11⤵
        
        PID:808
        
        C:\Windows\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe
        
        C:\Windows\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe
        11⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{800D1~1.EXE > nul
        12⤵
        
        PID:328
        
        C:\Windows\{B5EB532D-4AD7-41cc-BC5D-8434FD25B358}.exe
        
        C:\Windows\{B5EB532D-4AD7-41cc-BC5D-8434FD25B358}.exe
        12⤵
        
        PID:812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED2AE~1.EXE > nul
        6⤵
        
        PID:848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe

Filesize
197KB

MD5
4e5bf20fd84fe27b9bfe84161195622f

SHA1
698109a6bab5fb098e5c557d4db5862eca6ba914

SHA256
c331e52335d884db97ad2e5b3f1d73850af24989db24a4d8a6b99fc5e32a87ad

SHA512
9e37b07bbf535c9a0588286ab7b9e794e0674f8e3e9b8ccc17333febbeb27f89d2a265fec1e29b79d3add55775787e141a30cbd043324487af69172c42ffbcef

Download Submit
C:\Windows\{2498A60E-C19E-4b27-A3F0-086E778F748E}.exe

Filesize
193KB

MD5
cdb83fe47fef97e336d159a39421b410

SHA1
c59d318c7a768f2ebb46682c874f057a0abd6a48

SHA256
d30784bbb2062d16b7b55f5196c5b83b22837143f9d8f682fa0a978cb06ac433

SHA512
be0fa8e8a116fe8cae4c86ec07dee23eb87e8a4e27eb105e0aa64c0bf667969e3fa2b446b58a54b11cf1bd16496a98290e6865ed69c62f3cfec529f3e534d9fc

Download Submit
C:\Windows\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe

Filesize
50KB

MD5
30b3c23e5ae971c7e5a780841f210a13

SHA1
9bce2def9a5fa700cbd166660ae9118803059058

SHA256
af06632a2b9ffccc2104ffde83f2ee4f3238d6746726a635c5056e119e6999d7

SHA512
c3c5edcc07479602c89086cc52903f4fa1d066fb7c7884a8822c59de5337a450dc714823f61ac1c8e871d513efda45d62d32a20814179248a53ae0eeebb2ed2d

Download Submit
C:\Windows\{800D1518-7115-4ca3-BE97-1AAFCA237F3B}.exe

Filesize
113KB

MD5
97326f6ecf18f6a6f94dbf932fc76abd

SHA1
beedbddbb8cc4790cbb496e8de1efca518774257

SHA256
07c6a579975ba6986c2b5f6cd442251f6fc5ecbf8fc8cfb018353b2a2a9cb11f

SHA512
0499a1dd4deeaa4eaea7d2a718e88d6a5247913f86c8ba6b03c9fec5d0204cd5864c42b5b3ad55ee1d6bd76eb810f8b8fbb3b97873b6ac291aec569db237c3a8

Download Submit
C:\Windows\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe

Filesize
5KB

MD5
bb603df69e70338ddfcf26a1ded6f4de

SHA1
6fe540a9910dbf85f3776bb42368bdaf2b7421d6

SHA256
5c76e8126fff9b2400add174a5ce62961463cf06ef408ce0ef097ba577370ba5

SHA512
3bbeef5d25a3054609440d926baa35c6087d8f6d01abe355a8406ccbf1ed66df7599d69a34884a582bd2c8df6cff05b90774a7bd44a839d91c52ad7784814830

Download Submit
C:\Windows\{81FCFF4A-98FF-4662-B469-A3FFBBBD8FE7}.exe

Filesize
197KB

MD5
43fb3a89aad16b44d0e423da53a4a028

SHA1
e00ae895c7f9163dc1f871e867ccd3a0396f49ab

SHA256
0ba9819d3a9e8c11caa938f3cb58c912ba261584a66744f3f1f46c39a8eb0138

SHA512
c9c9d2fc0d4f8ed26c072dd3287fd827fe4e4460705ae180cc22049e0f2ed1a81ae60cbf141306405a3e2bf0ce5ae153fc140551078af5bd63d102e30d9ea348

Download Submit
C:\Windows\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe

Filesize
197KB

MD5
9f5864cdaebf6d08fcb0407eab7932b8

SHA1
c17cb0529b9fcf803c66098671b236fdb5274b15

SHA256
560c000f6c2f4b60db02298e7746c13e8d0d58b00aa425f3fa7ecbd01a284982

SHA512
80adad79bca33e9f410196584647b6f12bed982fe55c2c4497fad2c3eaf456833bb308e71c1faff2ba0ae740c41ee7cb65dcfb22bba91518a4479a90d004d5c1

Download Submit
C:\Windows\{8712367E-F483-4ece-9AE9-7A7EBC2AF367}.exe

Filesize
181KB

MD5
1ea915f720208ec00c765bc9641dbda8

SHA1
c45fbf83d50fc87a50ac39da23139f394b246185

SHA256
89c1ee3bce32e68e115afd6b63c17c4dbf659b572a21b7913864be6f56d1bc74

SHA512
fa33638bcd84146cc5cec76def20f4d7d106f25d6c071209d8cae948637dbdda50451ae1ae6b5dc417a81eeef8b965d7cac86c608aceef381073e189145bbe26

Download Submit
C:\Windows\{B5EB532D-4AD7-41cc-BC5D-8434FD25B358}.exe

Filesize
77KB

MD5
d87ee6282eea76af55e94d1d6706c52f

SHA1
3432eb85c007bf4b546f40184bd1cd394835dcf2

SHA256
bfe759401d61c96427ae802d6a13c4a8d9afa8b40535dc6f4f2add30d8b68e17

SHA512
fef58d4a7c7c940dc518f109c42ed09cf9511d9fa40f4e56102cfb589005cf6b851e8bbd54b8b08c0a9a56b545bb0625c4d58be09d3c81e4418718cd588fc908

Download Submit
C:\Windows\{D3964291-872F-48b3-99DD-395A317E1407}.exe

Filesize
61KB

MD5
bd293f353c8e331adc85a9941044f554

SHA1
d5b988b6876d5278a1a67ce605c35b67b4350494

SHA256
7519ca7792c5959e6bab2b9fb31dabb0c3dbd1ff6f805146b74863a5c74b0e16

SHA512
3f79cfdcf6ef44bb970357fb2bdeb2f1e33538935f2dd261cbeb324ceca674be2e6585f38a0886946a3efb63b6ce1008611d0b0f25a163a1a22abc5bdd0d2411

Download Submit
C:\Windows\{D3964291-872F-48b3-99DD-395A317E1407}.exe

Filesize
21KB

MD5
315e29f2a49df4bd220f563274609606

SHA1
6f0635365bd632e71798915a43c14c72c8cb4c3e

SHA256
d8918dedd9c925ee3f56f7be98248ab1ec86184135df27009a99b35855b4ec61

SHA512
90404f23c338c108c1b883e943b3300e9e0386c10311864744d43b171d8ebf4e2d0b8524375ff66f7fcc57412618fa4bb79683e3c3920ec1387aa579c04fac1c

Download Submit
C:\Windows\{E5A56884-E339-481c-92F0-462A31A89DD2}.exe

Filesize
176KB

MD5
ebe2350d78dac5573b0c389c01607891

SHA1
53676d57a3dd8476e2d156ec923ca4d4d592baa3

SHA256
99f6d67b31c0e64ab995db0ed47fd1f563cda75dd9300ead16706ff1194a0281

SHA512
3dca527814852544105432f48f4fdc4f020d1208415da90c0bda703ebfe41e0536155596efdcf383c8704559b8227af0aefb0b1eea4f675d1d978f81fe5e9107

Download Submit
C:\Windows\{E5A56884-E339-481c-92F0-462A31A89DD2}.exe

Filesize
35KB

MD5
9d2c2db70b1ee429e7f156765d31a880

SHA1
6c467432581b41de87b6d4fb7f3a6f7acd468516

SHA256
d0ebd3ca7a59e4512980b13e24b2fa2b9fe7e6aaba5da4e2cb39407723320367

SHA512
e65503c797ece9f11be9a04054b6a313610c0cee4453d6af23bfd258f5dbc7933199bb84d6f31631d2c77dbfe72fc36e13b666c342b082eb14a88dd89d7c54ed

Download Submit
C:\Windows\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe

Filesize
197KB

MD5
916c4085a5fcd3d03aee2afee6c9711e

SHA1
7b2822341dbac05bb699dfab1022e6e77c822421

SHA256
282ffdfd02e871278f8e661fe189cb76d5910248cc5b58051ddf222b89099192

SHA512
70544fea93f1ea805f0ceef3f458304d647e107455207424052bbf714dc64ca36e0ecf1fee75998a33899f98e18600efbdbf04ae530fcdae756a9edd5b5ac6c9

Download Submit
C:\Windows\{EA5AB78A-631A-4d5e-97B4-0E81F2D0180E}.exe

Filesize
117KB

MD5
4feea1721c3690f03349e11719b860ef

SHA1
e0575653594d40ffd7304353c0428d4c5aa8796b

SHA256
c981228b84168b8b43f09b410844daabfdd7389ecdee33f6ad2535982eaee3a6

SHA512
38185fee09d6e43b1e9c28440214b61e56b51b9d89125a6b636dcbd627e03cd08e5ee9294b0253db0ffd3a39970efba99ae6bfad07ffa4958024520eeb6bdd11

Download Submit
C:\Windows\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe

Filesize
95KB

MD5
d1bad2346f9bc09371b6d6e68e5e4fd9

SHA1
730079060f512f4d69878488c991cc5b76364e28

SHA256
31fe15c9b9459fae9abfd868cb1fc832c49c0d612b189d620626fc90eb4ae48a

SHA512
4939610012e6ab04baacec17fb3c2d47e43c567beabd9fc4147b409bcdf8c62187d608b0818edfc1acc86ce8a85147f411e465955b5ee68f0ec12f7ae3cc88fa

Download Submit
C:\Windows\{ED2AEC14-FA46-4d3b-80DC-E5CBCF1F18D5}.exe

Filesize
197KB

MD5
c89960c7386200dcde9033387d46934d

SHA1
a2e374d16913b3f8f6535e61f19b13e3ac8789db

SHA256
8e0028a23f8d0f465e39f4d7f3b9f68f880cade3351c492171d60f69352fb652

SHA512
57c2171ce78538fd98e7b543bdabf03f18ebe746a649766dd7ced6a21b49b357dede3d2ee585cd2359cba2fc126461d527057afb4a069c5180f9ca3b857426ae

Download Submit
C:\Windows\{F951AA0D-42C8-4d03-BC82-344DAD11EACC}.exe

Filesize
197KB

MD5
47112a4d9297e322edeb0bb14741444e

SHA1
9ab1eba40d7b5e7b33707c02c3c1c45e0b7dadee

SHA256
965fdc94f466684569ca3c8972be700e6252d7abfed91dcd3c9d8b2c9f40c1db

SHA512
7a1922e8d4459d6eaffde4b0e04d6124b51e04a9f4511a11a3f0eb97405f6182b68a534d161bb5ab9c3466a678186d20344869d75f7427c18e2ca49e52acc619

Download Submit
C:\Windows\{FB45E042-640B-4fac-9391-54AD67DF3063}.exe

Filesize
92KB

MD5
bc7cd04f1481637b936d3c0496fd5c97

SHA1
ed049292cf2bf7cb90984df8400c5d406be5ed2b

SHA256
369b503ca4dea152f8b9297150e1043ebbe75c8812ce6d8b46e53273b6c5f469

SHA512
a3b9d890170aa4cb7f8aef2dc2c7c4b45866477ead9e78f9fbe535bacf3812e6335355ee92395703f2cc70f54e75a9e198af0941707d1db217905ed4f9fce438

Download Submit
C:\Windows\{FB45E042-640B-4fac-9391-54AD67DF3063}.exe

Filesize
80KB

MD5
b6950e69eee683608e1bd25c86972e90

SHA1
a2d0e7f7a82393ab41d2523a8245e3c70131a031

SHA256
7c0dbb21c4e34d24d2fdb9b29233ddd3dac8839d6c345972b9147197f17d9f63

SHA512
9702faac6039d1a8d0f167f7645b551120bc9bf81e98b828cc54be211ec64403bdf9904ff93da2f139e08ccf6b2bdd589428f7ff6da1adfeb2d1693cdf87f605

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads