8870cbab260386651d2f7a8591489d26c245cf94a85e91b1cfa515b999fd9818

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 19:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe
Size

216KB
MD5

e6f0de99cdf81f4152f2b447f7aa358a
SHA1

7e6077d9a34986cabd67e88c1c09d45f5458948e
SHA256

8870cbab260386651d2f7a8591489d26c245cf94a85e91b1cfa515b999fd9818
SHA512

e4f435337e27de65020d0720d28cdaa94884d81743ac74914f461f11f4f7b5ebeb0e21bf8f6116faf4348200606898ff4d6a4c4fdcf05db18e2671c096fbb805
SSDEEP

3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGBlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001232d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014721-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE2E488B-9750-438b-916C-5D6454B4153B}\stubpath = "C:\\Windows\\{BE2E488B-9750-438b-916C-5D6454B4153B}.exe"	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}	{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7587A8DF-3FF3-458a-8749-25E53011D231}	{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790037BF-8765-4ac2-9A7D-F4727180017A}	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790037BF-8765-4ac2-9A7D-F4727180017A}\stubpath = "C:\\Windows\\{790037BF-8765-4ac2-9A7D-F4727180017A}.exe"	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112F77EC-809D-4410-BB68-F8E6491DAC56}\stubpath = "C:\\Windows\\{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe"	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE2E488B-9750-438b-916C-5D6454B4153B}	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7587A8DF-3FF3-458a-8749-25E53011D231}\stubpath = "C:\\Windows\\{7587A8DF-3FF3-458a-8749-25E53011D231}.exe"	{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}\stubpath = "C:\\Windows\\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe"	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}\stubpath = "C:\\Windows\\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe"	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}\stubpath = "C:\\Windows\\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe"	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{513BB453-F144-4148-84EA-9B75E10DF0CB}	{BE2E488B-9750-438b-916C-5D6454B4153B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{513BB453-F144-4148-84EA-9B75E10DF0CB}\stubpath = "C:\\Windows\\{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe"	{BE2E488B-9750-438b-916C-5D6454B4153B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}\stubpath = "C:\\Windows\\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe"	{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}\stubpath = "C:\\Windows\\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe"	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112F77EC-809D-4410-BB68-F8E6491DAC56}	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}\stubpath = "C:\\Windows\\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe"	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe

Deletes itself 1 IoCs

pid	Process
2060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe
1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
2904	{BE2E488B-9750-438b-916C-5D6454B4153B}.exe
1756	{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
2068	{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe
480	{7587A8DF-3FF3-458a-8749-25E53011D231}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
File created	C:\Windows\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe
File created	C:\Windows\{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
File created	C:\Windows\{BE2E488B-9750-438b-916C-5D6454B4153B}.exe	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
File created	C:\Windows\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe	{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
File created	C:\Windows\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe
File created	C:\Windows\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
File created	C:\Windows\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
File created	C:\Windows\{7587A8DF-3FF3-458a-8749-25E53011D231}.exe	{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe
File created	C:\Windows\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
File created	C:\Windows\{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe	{BE2E488B-9750-438b-916C-5D6454B4153B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
Token: SeIncBasePriorityPrivilege	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
Token: SeIncBasePriorityPrivilege	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
Token: SeIncBasePriorityPrivilege	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
Token: SeIncBasePriorityPrivilege	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe
Token: SeIncBasePriorityPrivilege	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
Token: SeIncBasePriorityPrivilege	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
Token: SeIncBasePriorityPrivilege	2904	{BE2E488B-9750-438b-916C-5D6454B4153B}.exe
Token: SeIncBasePriorityPrivilege	1756	{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
Token: SeIncBasePriorityPrivilege	2068	{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2848	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	28
PID 2232 wrote to memory of 2848	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	28
PID 2232 wrote to memory of 2848	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	28
PID 2232 wrote to memory of 2848	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	28
PID 2232 wrote to memory of 2060	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	29
PID 2232 wrote to memory of 2060	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	29
PID 2232 wrote to memory of 2060	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	29
PID 2232 wrote to memory of 2060	2232	2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe	29
PID 2848 wrote to memory of 2796	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	31
PID 2848 wrote to memory of 2796	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	31
PID 2848 wrote to memory of 2796	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	31
PID 2848 wrote to memory of 2796	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	31
PID 2848 wrote to memory of 2736	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	30
PID 2848 wrote to memory of 2736	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	30
PID 2848 wrote to memory of 2736	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	30
PID 2848 wrote to memory of 2736	2848	{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe	30
PID 2796 wrote to memory of 2628	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	32
PID 2796 wrote to memory of 2628	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	32
PID 2796 wrote to memory of 2628	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	32
PID 2796 wrote to memory of 2628	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	32
PID 2796 wrote to memory of 2740	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	33
PID 2796 wrote to memory of 2740	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	33
PID 2796 wrote to memory of 2740	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	33
PID 2796 wrote to memory of 2740	2796	{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe	33
PID 2628 wrote to memory of 2100	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	37
PID 2628 wrote to memory of 2100	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	37
PID 2628 wrote to memory of 2100	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	37
PID 2628 wrote to memory of 2100	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	37
PID 2628 wrote to memory of 1804	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	36
PID 2628 wrote to memory of 1804	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	36
PID 2628 wrote to memory of 1804	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	36
PID 2628 wrote to memory of 1804	2628	{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe	36
PID 2100 wrote to memory of 2924	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	38
PID 2100 wrote to memory of 2924	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	38
PID 2100 wrote to memory of 2924	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	38
PID 2100 wrote to memory of 2924	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	38
PID 2100 wrote to memory of 1968	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	39
PID 2100 wrote to memory of 1968	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	39
PID 2100 wrote to memory of 1968	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	39
PID 2100 wrote to memory of 1968	2100	{790037BF-8765-4ac2-9A7D-F4727180017A}.exe	39
PID 2924 wrote to memory of 1676	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	41
PID 2924 wrote to memory of 1676	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	41
PID 2924 wrote to memory of 1676	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	41
PID 2924 wrote to memory of 1676	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	41
PID 2924 wrote to memory of 1688	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	40
PID 2924 wrote to memory of 1688	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	40
PID 2924 wrote to memory of 1688	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	40
PID 2924 wrote to memory of 1688	2924	{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe	40
PID 1676 wrote to memory of 1520	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	42
PID 1676 wrote to memory of 1520	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	42
PID 1676 wrote to memory of 1520	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	42
PID 1676 wrote to memory of 1520	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	42
PID 1676 wrote to memory of 1700	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	43
PID 1676 wrote to memory of 1700	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	43
PID 1676 wrote to memory of 1700	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	43
PID 1676 wrote to memory of 1700	1676	{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe	43
PID 1520 wrote to memory of 2904	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	44
PID 1520 wrote to memory of 2904	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	44
PID 1520 wrote to memory of 2904	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	44
PID 1520 wrote to memory of 2904	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	44
PID 1520 wrote to memory of 1360	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	45
PID 1520 wrote to memory of 1360	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	45
PID 1520 wrote to memory of 1360	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	45
PID 1520 wrote to memory of 1360	1520	{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_e6f0de99cdf81f4152f2b447f7aa358a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
  C:\Windows\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6C6F~1.EXE > nul
    3⤵
    PID:2736
- - C:\Windows\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
    C:\Windows\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
      C:\Windows\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F7A~1.EXE > nul
        5⤵
        
        PID:1804
    - - C:\Windows\{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
        
        C:\Windows\{790037BF-8765-4ac2-9A7D-F4727180017A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe
        
        C:\Windows\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22618~1.EXE > nul
        7⤵
        
        PID:1688
        
        C:\Windows\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
        
        C:\Windows\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
        
        C:\Windows\{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{BE2E488B-9750-438b-916C-5D6454B4153B}.exe
        
        C:\Windows\{BE2E488B-9750-438b-916C-5D6454B4153B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE2E4~1.EXE > nul
        10⤵
        
        PID:2252
        
        C:\Windows\{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
        
        C:\Windows\{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{513BB~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe
        
        C:\Windows\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{378CA~1.EXE > nul
        12⤵
        
        PID:1492
        
        C:\Windows\{7587A8DF-3FF3-458a-8749-25E53011D231}.exe
        
        C:\Windows\{7587A8DF-3FF3-458a-8749-25E53011D231}.exe
        12⤵
        Executes dropped EXE
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{112F7~1.EXE > nul
        9⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51A42~1.EXE > nul
        8⤵
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79003~1.EXE > nul
        6⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CE2B~1.EXE > nul
      4⤵
      PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{112F77EC-809D-4410-BB68-F8E6491DAC56}.exe

Filesize
216KB

MD5
ecfdaccfde445d908926a1b5d38a00fb

SHA1
b42cf9e61617794961ac94d518b4b3c046909b43

SHA256
19fa97d42e5dd1ccf6b57c31946e0464749ff150600332f07690279b61282bcb

SHA512
d44c7671770b8cdf8b0655475997e414afc8264002d0c6dfd5810f711c5c7eec73939c666f2f93de5ddb2ca086e3a99c2c59ad5fe4d5b428163ac2848724a35b

Download Submit
C:\Windows\{22618E1E-D4A4-4d6c-A53F-9509BF09BC12}.exe

Filesize
216KB

MD5
ea69c485d9938598d40ae8bc048a179c

SHA1
80a7a9cb2d96bfb56d99a6c19d4ece50f52d6431

SHA256
5d523af24f2abf2ce82f51847b0f826151756779ad29ad8ecbb3a8f5798a2f6a

SHA512
d3e09f360c5ea63be66d1674a31474a9efe30280adf86aa1478e3f247669ef9fa034ea4a2f25c5035fddb29680f6b23d1fd8e578b7ad0df2b7e0919978af0dd7

Download Submit
C:\Windows\{378CA9F0-740C-4ba0-9AFF-750A0B9BA4B8}.exe

Filesize
216KB

MD5
dada4d35c680bf63bb865a10786cb4ed

SHA1
4387ad50fce46ca332900f090d63f8ab6f8c07d5

SHA256
18df28e9df8b6792c10237ee1d9951db384e6fcbaefc3734a18cd83554526926

SHA512
8ba12ca8f3e8a20236efbe99c9d6d571d07d020684bffe735673045bba1d7272c3e985d9788a2f756d792f80d17817c93b9b23fc4f810fe3b48b7e0672feebc1

Download Submit
C:\Windows\{3CE2B44D-C53E-46cb-980E-2C9BAA5E42F7}.exe

Filesize
216KB

MD5
48b3f31f94eba6fadbb121c294259e6c

SHA1
5b8fffc3aab4b1d937cd545f66d2812adc9933eb

SHA256
8e35aa64653b7ccb556edc2be610234ff9862993a03a8698980435e8a8dee904

SHA512
365854a2ac2d6a0ff6c9afc8c4662669c76446c539064db34f711a9dc70bb9ce3210d633f30fcb1c786cb34107ab6800077f8d51f017508c08727871b7a2c9e6

Download Submit
C:\Windows\{513BB453-F144-4148-84EA-9B75E10DF0CB}.exe

Filesize
216KB

MD5
c1ec76e2a12d04f819550a747167647a

SHA1
3a74298e85df444f0124299643d9b1e21bad9c0a

SHA256
146f2a3ccfcce4df3b3e055199f44fadd310a9760a605b1c330640cc3083305d

SHA512
891382702192c54f133fe1f015e80c38ef3411016f4fa37534fa439c0541e0c51c17794c5f8123737cc16579966f989dd74d79077686de4a9269c090987642c5

Download Submit
C:\Windows\{51A42073-95FE-4518-8217-3FC1A2FDD2A0}.exe

Filesize
216KB

MD5
3d88d2ad7f15472c9efb4d455c19b5e1

SHA1
b104ab51b7172ecc72e77fc3ca9c95205553d1f0

SHA256
918c921f6b7ee1ad377e5324f1bb9ba39508d031e4dd24537c78accb6fbacd52

SHA512
10cdb92860f64ab049e9a0a0c28a48a1d0ab18cd654a47cb5048d6efc079a808d6eb68efa23333ebf0b547ce0139ab21d947bb731b070c800277d5be3f6ea174

Download Submit
C:\Windows\{7587A8DF-3FF3-458a-8749-25E53011D231}.exe

Filesize
216KB

MD5
8e67e0a3b2fc889a37bc17272adcaa44

SHA1
db45bea625950f199c08d447a61cdeb163c46227

SHA256
66d488f09f91a6b730edcc292dda5d4e4cc4705d0af479b1bb1eabc017d889e3

SHA512
28ca371ab6f23111b2d9a0e3baad55a8134a229052cb61088c348f4c9d74ae00f097740e2280d60c22957e61b6f5cf315b06208a3973850ef0734fd1c40406be

Download Submit
C:\Windows\{790037BF-8765-4ac2-9A7D-F4727180017A}.exe

Filesize
216KB

MD5
bc7930039e631bc630e7da532924562b

SHA1
a44709cdb50ed71299fbf1099c2ef4491e42d07b

SHA256
c4a42f18f721188b63a74a8ee23fe721048736bf255fa43cefb37efea8a2d5db

SHA512
07c1acc9a0c5a199b33a7c85481d4c729a92066fb8fb7ebfe29ad323710ae1e70285b302d7e287cd2c6978f7aee55719ed73e3e67b459673fc13a92873377799

Download Submit
C:\Windows\{A4F7AEC8-3BA1-430b-96E3-9E11271C346B}.exe

Filesize
216KB

MD5
1af4acdd33a5aa506e0270a640576e04

SHA1
8f49c1132194c6795ca26a368059e4c8f2944952

SHA256
68cfd84a4145c5e8ae6899288b13488eaacb56bbdf1c7493cc42a2d3eb9320b9

SHA512
f2bea4044b3c4ca6433e4fda5ff2ceebf4848eba79bb55ffd3ab69ed71574b394b054744bcd6a647db5dd05ee08bc2907609e2e3b2349a0fb42d8cbfa190a936

Download Submit
C:\Windows\{BE2E488B-9750-438b-916C-5D6454B4153B}.exe

Filesize
216KB

MD5
20969d6c211a30e7795300bf1852fc79

SHA1
f4e03c9d1d8984ff7ebfff229bc87b9d6058c1c9

SHA256
2aaced96e6e8c3c986c73c8bb9545d5aa91a40ca9a20c28fdaf42c5dfd9f5d97

SHA512
909c678fad2012fa5058e12ba44d843f4851332e729c0656e01a3a23bc87e2a0cef6213c72d615255c053172f8621537f7a78e010e4696731241817c678634b1

Download Submit
C:\Windows\{D6C6F3B2-4295-4385-B02F-ADBEE304AC44}.exe

Filesize
216KB

MD5
aaf35c0a562a5f68ff6514b5ae9d1871

SHA1
2481278887b44fe05075dc510f220146ceca5e93

SHA256
46828b784b6b71be05eeb75c44f15733e182586a8f85f121bd559a380e7f61e9

SHA512
559ae34002a3a15ad7e36f7ce14e358711a31d9c63eb448c53cf67bab46239588812b7ea047c5a85f186db2d4ef44b187e54852dddcd79f4818a5e2111f06af5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads