a75d13c3b2e1f580997d853b131a8ecf2c7cc7c12b6ad8506ac9eedbc5ce13d9

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Size

180KB
MD5

10063c266b213ecb19b229a23bb87e70
SHA1

ca3af5d663716eef13283439a19757c34d55a21a
SHA256

a75d13c3b2e1f580997d853b131a8ecf2c7cc7c12b6ad8506ac9eedbc5ce13d9
SHA512

5ea2f0ee5dc1dc653f09ef196f6e7076e26b12e9cf8299bfae475d4dd9e916a1c219e254dad1f0ce2c341b83431c9acfad3c6bf0fc35c76d3d3c0299c39a2da1
SSDEEP

3072:jEGh0oglfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012257-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012257-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}\stubpath = "C:\\Windows\\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe"	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}\stubpath = "C:\\Windows\\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe"	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DE5B841-9556-44e3-B002-C43DCCF65738}	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}	{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CF32931-856C-4744-9091-8E034787392A}	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F442FA38-CF14-44eb-8B1B-54B178B98F27}	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895321E5-03BF-42cc-954A-0B4B73DCE981}	{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CF32931-856C-4744-9091-8E034787392A}\stubpath = "C:\\Windows\\{2CF32931-856C-4744-9091-8E034787392A}.exe"	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}	{2CF32931-856C-4744-9091-8E034787392A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}\stubpath = "C:\\Windows\\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe"	{2CF32931-856C-4744-9091-8E034787392A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DE5B841-9556-44e3-B002-C43DCCF65738}\stubpath = "C:\\Windows\\{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe"	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}\stubpath = "C:\\Windows\\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe"	{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}	{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895321E5-03BF-42cc-954A-0B4B73DCE981}\stubpath = "C:\\Windows\\{895321E5-03BF-42cc-954A-0B4B73DCE981}.exe"	{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F442FA38-CF14-44eb-8B1B-54B178B98F27}\stubpath = "C:\\Windows\\{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe"	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A236804A-A30E-4666-AA14-2EFCA698D85F}	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A236804A-A30E-4666-AA14-2EFCA698D85F}\stubpath = "C:\\Windows\\{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe"	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}\stubpath = "C:\\Windows\\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe"	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}\stubpath = "C:\\Windows\\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe"	{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
2700	{2CF32931-856C-4744-9091-8E034787392A}.exe
2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
1648	{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
1488	{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe
2972	{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe
2980	{895321E5-03BF-42cc-954A-0B4B73DCE981}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2CF32931-856C-4744-9091-8E034787392A}.exe	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
File created	C:\Windows\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
File created	C:\Windows\{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
File created	C:\Windows\{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
File created	C:\Windows\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
File created	C:\Windows\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe	{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe
File created	C:\Windows\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
File created	C:\Windows\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	{2CF32931-856C-4744-9091-8E034787392A}.exe
File created	C:\Windows\{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
File created	C:\Windows\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe	{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
File created	C:\Windows\{895321E5-03BF-42cc-954A-0B4B73DCE981}.exe	{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
Token: SeIncBasePriorityPrivilege	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe
Token: SeIncBasePriorityPrivilege	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
Token: SeIncBasePriorityPrivilege	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
Token: SeIncBasePriorityPrivilege	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
Token: SeIncBasePriorityPrivilege	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
Token: SeIncBasePriorityPrivilege	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
Token: SeIncBasePriorityPrivilege	1648	{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
Token: SeIncBasePriorityPrivilege	1488	{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe
Token: SeIncBasePriorityPrivilege	2972	{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2436	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	28
PID 1740 wrote to memory of 2436	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	28
PID 1740 wrote to memory of 2436	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	28
PID 1740 wrote to memory of 2436	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	28
PID 1740 wrote to memory of 2716	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	29
PID 1740 wrote to memory of 2716	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	29
PID 1740 wrote to memory of 2716	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	29
PID 1740 wrote to memory of 2716	1740	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	29
PID 2436 wrote to memory of 2700	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	31
PID 2436 wrote to memory of 2700	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	31
PID 2436 wrote to memory of 2700	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	31
PID 2436 wrote to memory of 2700	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	31
PID 2436 wrote to memory of 2948	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	30
PID 2436 wrote to memory of 2948	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	30
PID 2436 wrote to memory of 2948	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	30
PID 2436 wrote to memory of 2948	2436	{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe	30
PID 2700 wrote to memory of 2756	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	32
PID 2700 wrote to memory of 2756	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	32
PID 2700 wrote to memory of 2756	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	32
PID 2700 wrote to memory of 2756	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	32
PID 2700 wrote to memory of 2616	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	33
PID 2700 wrote to memory of 2616	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	33
PID 2700 wrote to memory of 2616	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	33
PID 2700 wrote to memory of 2616	2700	{2CF32931-856C-4744-9091-8E034787392A}.exe	33
PID 2756 wrote to memory of 1932	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	36
PID 2756 wrote to memory of 1932	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	36
PID 2756 wrote to memory of 1932	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	36
PID 2756 wrote to memory of 1932	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	36
PID 2756 wrote to memory of 2644	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	37
PID 2756 wrote to memory of 2644	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	37
PID 2756 wrote to memory of 2644	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	37
PID 2756 wrote to memory of 2644	2756	{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe	37
PID 1932 wrote to memory of 2920	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	38
PID 1932 wrote to memory of 2920	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	38
PID 1932 wrote to memory of 2920	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	38
PID 1932 wrote to memory of 2920	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	38
PID 1932 wrote to memory of 3056	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	39
PID 1932 wrote to memory of 3056	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	39
PID 1932 wrote to memory of 3056	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	39
PID 1932 wrote to memory of 3056	1932	{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe	39
PID 2920 wrote to memory of 1988	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	41
PID 2920 wrote to memory of 1988	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	41
PID 2920 wrote to memory of 1988	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	41
PID 2920 wrote to memory of 1988	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	41
PID 2920 wrote to memory of 2220	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	40
PID 2920 wrote to memory of 2220	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	40
PID 2920 wrote to memory of 2220	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	40
PID 2920 wrote to memory of 2220	2920	{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe	40
PID 1988 wrote to memory of 2928	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	42
PID 1988 wrote to memory of 2928	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	42
PID 1988 wrote to memory of 2928	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	42
PID 1988 wrote to memory of 2928	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	42
PID 1988 wrote to memory of 324	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	43
PID 1988 wrote to memory of 324	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	43
PID 1988 wrote to memory of 324	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	43
PID 1988 wrote to memory of 324	1988	{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe	43
PID 2928 wrote to memory of 1648	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	44
PID 2928 wrote to memory of 1648	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	44
PID 2928 wrote to memory of 1648	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	44
PID 2928 wrote to memory of 1648	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	44
PID 2928 wrote to memory of 1856	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	45
PID 2928 wrote to memory of 1856	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	45
PID 2928 wrote to memory of 1856	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	45
PID 2928 wrote to memory of 1856	2928	{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
  C:\Windows\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72F94~1.EXE > nul
    3⤵
    PID:2948
- - C:\Windows\{2CF32931-856C-4744-9091-8E034787392A}.exe
    C:\Windows\{2CF32931-856C-4744-9091-8E034787392A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
      C:\Windows\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
        
        C:\Windows\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
        
        C:\Windows\{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F442F~1.EXE > nul
        7⤵
        
        PID:2220
        
        C:\Windows\{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
        
        C:\Windows\{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
        
        C:\Windows\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
        
        C:\Windows\{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe
        
        C:\Windows\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe
        
        C:\Windows\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{895321E5-03BF-42cc-954A-0B4B73DCE981}.exe
        
        C:\Windows\{895321E5-03BF-42cc-954A-0B4B73DCE981}.exe
        12⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30B6A~1.EXE > nul
        12⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0CAE~1.EXE > nul
        11⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE5B~1.EXE > nul
        10⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B5E~1.EXE > nul
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2368~1.EXE > nul
        8⤵
        
        PID:324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D0B~1.EXE > nul
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBA1~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2CF32~1.EXE > nul
      4⤵
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DE5B841-9556-44e3-B002-C43DCCF65738}.exe

Filesize
180KB

MD5
9bd1d2c097f17f703672e8893d171566

SHA1
ae755df408cdaa6cc3365ccd2d27b2feabcae0fa

SHA256
371fa7a0abde286b39621b92c5525e2a29db1f1655318b971d72a48642efd2c2

SHA512
12d80d6f82b3ca033f9e7f0ea95d118b91082b2d9199a61c48f41690926a811b7d6bcdd124d22c80bfdc0802dc9968ebf31c70730064c4be8f0a2d7ebc2b2288

Download Submit
C:\Windows\{2CF32931-856C-4744-9091-8E034787392A}.exe

Filesize
180KB

MD5
0b80e196989c89c4dd10e918149f73b0

SHA1
4581ae76b7d1a5ab40a4c1630c684724c273b85e

SHA256
58da9a1789132ddb98f49b850faea057878cb9c9ca661a141ebfa7b5bceeab7d

SHA512
18b94e6d8eb2be1519c32c8f1ff17065873dd27cc7832da82d87064f6f671145b316e58d0428c8b1424623a6707691265c4c02a15c3add4b8e874ae52c164bca

Download Submit
C:\Windows\{30B6A758-3487-4e7c-BCB0-6AC6D72FA2C6}.exe

Filesize
180KB

MD5
e24d183fd87db0792ffb41c32d8310bc

SHA1
b97917a5ee473556e2acc934089596536c85dcf7

SHA256
51c3910e1c0c6fb932b67572fcd267d50afe1e927f853db4787bef7e42d2338d

SHA512
37bf970d7c80f04c80e0f7c800870239347f3bd7263b3a4d552c1963ce21bb49c7c81ae361be3bea85d5e0e0c652169a21db7272fa8cca1b1e6c3757ccb6cf68

Download Submit
C:\Windows\{72F94DDA-A74C-4b4e-A6D2-F3D7A541F5CE}.exe

Filesize
180KB

MD5
cfc6162c5202f4746d6cf2e5fc03e97f

SHA1
450d3d65ca6f9d23ccc93954e71f3168b50a0101

SHA256
77bf7460e98f185760ea5bd8f2d2490f7651db1948c684f36085abcbbd1ff065

SHA512
36a85405ca1f5d2c05584c6c44679f461acb4e17893eebb1226f35214442af6c0b7871798611fc0dca5ce9fbe11507b2b68cdf5e280736dfc88e83a931b58ea7

Download Submit
C:\Windows\{895321E5-03BF-42cc-954A-0B4B73DCE981}.exe

Filesize
180KB

MD5
e28b643bc5049f66259ecc0583d44403

SHA1
18c0f41244ca204b1c44a6aa7d2aef4d877f1784

SHA256
12e6104c52d3e1648890005621803b70159a5bd43c5f8a64197753a5053922f0

SHA512
e7b9b1e2eb43ba62bccdba6c09ff34da38d90c69e5cb571a203389ae528203faa3762973b2b5b824a326ff1e5978d9f3443f2cb318a92e76859679c032fbe6b0

Download Submit
C:\Windows\{A236804A-A30E-4666-AA14-2EFCA698D85F}.exe

Filesize
180KB

MD5
c88f4f73391ca12a19da96b4cb44d3f1

SHA1
b7a8f654768b6acc9438084cebbe9c20c75c2837

SHA256
5dc720d2baeb7e605eff4b82d51edfcbfab4650ee4ab5f6ad30694d45db7a7dc

SHA512
11ccae8b7358a946ffdab715bdd855cf3e15832a29c4f8794ddb8a83089b9afec62eb414964a1c7caa958bc4bb7bc6c4753c839c7d5c521e6908ccf7402e3fd6

Download Submit
C:\Windows\{C9B5E569-5D21-49b6-80A6-FAF0E34AF02C}.exe

Filesize
180KB

MD5
e6b26e4af8b9111bbed55b1e8c374eae

SHA1
7a7981915930c1fdd0c296faadac247ca744a19c

SHA256
66d263c5ab93812f55a634ab715a88bbfae18dbd916a1d1b75b9790121b69e62

SHA512
eac2ca506fd7602b152cc531fe64107aa71cdbdaf7f79ee8e31b5b11e07323c825468982baa6af698765b61be41306766fe5e9f629885d69f47be873e99570d7

Download Submit
C:\Windows\{EBBA1EF7-52D6-4044-BAC2-86CD76E1AD63}.exe

Filesize
180KB

MD5
0d747360c21489ebdfcf2b1664e879ef

SHA1
cd63e99cdb11235798d18bb7248b3adef5343c1c

SHA256
9e371f56dce05c7b721b7840c886ec5b4102af4d77c593aede6e797a5ea1c371

SHA512
0d311e3beb4454603d0ebf785b9baae23facee8cb15514616817270215bdbdaf81ffad731fda27e048ee6782faf0d90645682271c2a27379f0b33e0ab00c1893

Download Submit
C:\Windows\{F0CAE446-9698-4f0a-AE45-AE67EB7C4F1A}.exe

Filesize
180KB

MD5
057155c1e418e835ba7db2ee8b67e20e

SHA1
35359898f083ec3b2c950362be9048de0dfc94d0

SHA256
aff598536046b3885525bb5d3c207d068a9448748377c03937ae247dfacd086c

SHA512
01e2d330e0d98ed0595a17aedf6e8b50f435283e6e687c65696883de86f03fb0229dc6e792c7684e245a9dc0f6e6f71b1b227161a63385a6b397e4ee3a2865e2

Download Submit
C:\Windows\{F442FA38-CF14-44eb-8B1B-54B178B98F27}.exe

Filesize
180KB

MD5
b93722e818edbd9d1f138ed95405358b

SHA1
81263a3a21eaba034009fa0f5f2459a303d4ce84

SHA256
51fe1fe658a3edee6acba9fb617f8f51c79f23905aca81f37fbf1b1ff5d46720

SHA512
5638a8c8c0d58960fd281fb12147b09876a22224e64d43287402460154cd899c4ffbb875ccb0a04cd07266c5f612bcddfd0452c96ce1878605b1499d93d24d0e

Download Submit
C:\Windows\{F6D0BB54-FC38-4170-BC71-8E67E39E2655}.exe

Filesize
180KB

MD5
8170d0ba35edfff8bbc8259ed2dab2c5

SHA1
4260e7069a762c656eae4994c406f6861cbcc2bc

SHA256
ab8c168775a9f25991c14d64d4b09fb1bc46962b96a08e19b827d8823d62f629

SHA512
32f98206efe4c6ab17e921584b0c7cf89b2bf34effd701bbcb15311161b3222be5753a0977f35cdeecd020f16fd2a25ddece2e471366db0d1353a81810315cc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads