e8c145bff035fb0138727df0641ec496256f98a4745978097763bc395754a4ac

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-02-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Size

408KB
MD5

edb97fb23228e6125056ba1ab97ece68
SHA1

5c2442d2a177a62832c456b305e0aa7e8b92f4b7
SHA256

e8c145bff035fb0138727df0641ec496256f98a4745978097763bc395754a4ac
SHA512

9ee4efe15b9289901f249ee65135a189a077d9834ddc4044e52de0f78e2b8f816b4337c8f76d235f9fb510c50d17da202033fd1a1b9824b3cb3767d9cb5e2820
SSDEEP

3072:CEGh0oEl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGCldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012281-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}\stubpath = "C:\\Windows\\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe"	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42079918-EE41-4fad-AB41-5ABAE6EAE224}	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{832CAF1A-4F0A-456a-A879-464C3A3454DC}\stubpath = "C:\\Windows\\{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe"	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{832CAF1A-4F0A-456a-A879-464C3A3454DC}	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}	{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}\stubpath = "C:\\Windows\\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}.exe"	{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8552483-FE69-441f-ABC4-647DD7FFE32C}	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}\stubpath = "C:\\Windows\\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe"	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42079918-EE41-4fad-AB41-5ABAE6EAE224}\stubpath = "C:\\Windows\\{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe"	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}\stubpath = "C:\\Windows\\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe"	{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}	{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}\stubpath = "C:\\Windows\\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe"	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B3673A7-04D8-421e-97C4-91C5425D936C}	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B3673A7-04D8-421e-97C4-91C5425D936C}\stubpath = "C:\\Windows\\{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe"	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}	{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8552483-FE69-441f-ABC4-647DD7FFE32C}\stubpath = "C:\\Windows\\{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe"	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}\stubpath = "C:\\Windows\\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe"	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}\stubpath = "C:\\Windows\\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe"	{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe

Deletes itself 1 IoCs

pid	Process
2324	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
572	{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe
2300	{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe
2060	{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe
1216	{3584EA5D-1F49-4b67-86E5-61ADBB34B214}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
File created	C:\Windows\{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
File created	C:\Windows\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe	{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe
File created	C:\Windows\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}.exe	{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe
File created	C:\Windows\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
File created	C:\Windows\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
File created	C:\Windows\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
File created	C:\Windows\{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
File created	C:\Windows\{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
File created	C:\Windows\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
File created	C:\Windows\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe	{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
Token: SeIncBasePriorityPrivilege	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
Token: SeIncBasePriorityPrivilege	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
Token: SeIncBasePriorityPrivilege	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
Token: SeIncBasePriorityPrivilege	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
Token: SeIncBasePriorityPrivilege	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
Token: SeIncBasePriorityPrivilege	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
Token: SeIncBasePriorityPrivilege	572	{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe
Token: SeIncBasePriorityPrivilege	2300	{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe
Token: SeIncBasePriorityPrivilege	2060	{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2660	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	28
PID 2200 wrote to memory of 2660	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	28
PID 2200 wrote to memory of 2660	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	28
PID 2200 wrote to memory of 2660	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	28
PID 2200 wrote to memory of 2324	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	29
PID 2200 wrote to memory of 2324	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	29
PID 2200 wrote to memory of 2324	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	29
PID 2200 wrote to memory of 2324	2200	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	29
PID 2660 wrote to memory of 2908	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	31
PID 2660 wrote to memory of 2908	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	31
PID 2660 wrote to memory of 2908	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	31
PID 2660 wrote to memory of 2908	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	31
PID 2660 wrote to memory of 2700	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	30
PID 2660 wrote to memory of 2700	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	30
PID 2660 wrote to memory of 2700	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	30
PID 2660 wrote to memory of 2700	2660	{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe	30
PID 2908 wrote to memory of 2888	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	33
PID 2908 wrote to memory of 2888	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	33
PID 2908 wrote to memory of 2888	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	33
PID 2908 wrote to memory of 2888	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	33
PID 2908 wrote to memory of 2732	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	32
PID 2908 wrote to memory of 2732	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	32
PID 2908 wrote to memory of 2732	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	32
PID 2908 wrote to memory of 2732	2908	{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe	32
PID 2888 wrote to memory of 1804	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	36
PID 2888 wrote to memory of 1804	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	36
PID 2888 wrote to memory of 1804	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	36
PID 2888 wrote to memory of 1804	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	36
PID 2888 wrote to memory of 2552	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	37
PID 2888 wrote to memory of 2552	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	37
PID 2888 wrote to memory of 2552	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	37
PID 2888 wrote to memory of 2552	2888	{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe	37
PID 1804 wrote to memory of 2964	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	38
PID 1804 wrote to memory of 2964	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	38
PID 1804 wrote to memory of 2964	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	38
PID 1804 wrote to memory of 2964	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	38
PID 1804 wrote to memory of 320	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	39
PID 1804 wrote to memory of 320	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	39
PID 1804 wrote to memory of 320	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	39
PID 1804 wrote to memory of 320	1804	{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe	39
PID 2964 wrote to memory of 1980	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	41
PID 2964 wrote to memory of 1980	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	41
PID 2964 wrote to memory of 1980	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	41
PID 2964 wrote to memory of 1980	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	41
PID 2964 wrote to memory of 808	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	40
PID 2964 wrote to memory of 808	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	40
PID 2964 wrote to memory of 808	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	40
PID 2964 wrote to memory of 808	2964	{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe	40
PID 1980 wrote to memory of 1680	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	43
PID 1980 wrote to memory of 1680	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	43
PID 1980 wrote to memory of 1680	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	43
PID 1980 wrote to memory of 1680	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	43
PID 1980 wrote to memory of 668	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	42
PID 1980 wrote to memory of 668	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	42
PID 1980 wrote to memory of 668	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	42
PID 1980 wrote to memory of 668	1980	{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe	42
PID 1680 wrote to memory of 572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	44
PID 1680 wrote to memory of 572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	44
PID 1680 wrote to memory of 572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	44
PID 1680 wrote to memory of 572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	44
PID 1680 wrote to memory of 1572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	45
PID 1680 wrote to memory of 1572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	45
PID 1680 wrote to memory of 1572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	45
PID 1680 wrote to memory of 1572	1680	{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
  C:\Windows\{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8552~1.EXE > nul
    3⤵
    PID:2700
- - C:\Windows\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
    C:\Windows\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36A22~1.EXE > nul
      4⤵
      PID:2732
  - - C:\Windows\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
      C:\Windows\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
        
        C:\Windows\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
        
        C:\Windows\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AF00~1.EXE > nul
        7⤵
        
        PID:808
        
        C:\Windows\{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
        
        C:\Windows\{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B367~1.EXE > nul
        8⤵
        
        PID:668
        
        C:\Windows\{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
        
        C:\Windows\{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe
        
        C:\Windows\{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe
        
        C:\Windows\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe
        
        C:\Windows\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}.exe
        
        C:\Windows\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}.exe
        12⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E36DF~1.EXE > nul
        12⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC9E~1.EXE > nul
        11⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{832CA~1.EXE > nul
        10⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42079~1.EXE > nul
        9⤵
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0164~1.EXE > nul
        6⤵
        
        PID:320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11C4F~1.EXE > nul
        5⤵
        
        PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11C4F1AE-59CE-4e90-B7A6-1F410F5E84D2}.exe

Filesize
408KB

MD5
373b3d6efc8dca169b23c9b66ce1f574

SHA1
77dc5d41bf441606472ba250542106bce19f1e2b

SHA256
281603b8764f2e019cba144318a85776bc013a506a9672abbd6e4af61c75e1bf

SHA512
ecfce656ea9a73ff19baf8046ba3af331c5b6b2f434c633af0675994b463b1448226be5f7c16a6842121515aeea2832820e73ae5fa84fa7f6005c9211276738c

Download Submit
C:\Windows\{3584EA5D-1F49-4b67-86E5-61ADBB34B214}.exe

Filesize
408KB

MD5
306140691696da77c9f17ad9e4a24c7f

SHA1
426222264071ec15502bfca6679d4abc05e5df9a

SHA256
e4aaa20d277dee7a057806d8a60bcf6ca4e469612560d923746f06d8f546d8ce

SHA512
c2cf9d0a318d7db7f3c9743209bbfb2157aea077437886fa7b2d519505ac249041109a75a47abb331e290fcc6cece701e404c09f82804ae5a0b9d88adab45990

Download Submit
C:\Windows\{36A22BE3-18CC-43ab-8B41-E114F7C4EB0D}.exe

Filesize
408KB

MD5
75c6f4a6f9835cd1121c67557faaf1c2

SHA1
cf74eb62c38e1749f43d2dba7ef0a58e4d109dd5

SHA256
8f8ce3f8fa99cc4ab162d705ad5dae9efd6a7669c2b71228f5527793f49e20c3

SHA512
26995f51b1b45e74405b9e2503bebdbd7646fe283dfa58108e33092607bab662146d55c304e5fdadcd366894347884ed1ac051ce799ceb60512657117624e576

Download Submit
C:\Windows\{42079918-EE41-4fad-AB41-5ABAE6EAE224}.exe

Filesize
408KB

MD5
bffd7f13d3e8146d4e7c317fa91a3d3c

SHA1
ecf416e66e2b68e55a6d37aadd784c48ed869583

SHA256
4caca3bd427bcaf3621368d845bdb7b4eff5cd9cde99da1550e5ca67dbe99522

SHA512
f036e61e57c6d50e52401cfe1b0cdc389c6ae311ceedc61c9938c127e9e22967da898cdac8015ee4a964cbba183b14c933745542c1336397220e6bbbf8d421a3

Download Submit
C:\Windows\{832CAF1A-4F0A-456a-A879-464C3A3454DC}.exe

Filesize
408KB

MD5
226e2220789cbe26299e2508ff531076

SHA1
86bfb7e45fdb6a9d2be5fc1dfb0785ef56e56225

SHA256
734841b548eba6fcc0ddafd495f294661ae21aa35560e687788ef075e988fc25

SHA512
087288359e700be070f4f9c1870e7a0b1c5dfb574dcdb17f25cde27ee1ed7e894a4c2e0df8df977ab81b97472a2bded2e308833e841c4a58a6a2fc75ab5c8b3f

Download Submit
C:\Windows\{8AF004D2-CED2-4dac-8F49-A8991FE5A885}.exe

Filesize
408KB

MD5
61a8eebd5c1d9e77148fece26ff76f20

SHA1
db631b093a7d3381b94a49743662642ad211ce81

SHA256
730c72e178b39e6fd4eb1199bbda50a59e33f3536cf3bfaa1b9252375434ad37

SHA512
cd362930c457919269fd28496a78a63621ed3d0421b02d7110a65a7e5a6f77c15f3e584a46b6f7aaa80b115fb5ca0451ccbb192759905bc15d92dc7fd41c67da

Download Submit
C:\Windows\{8B3673A7-04D8-421e-97C4-91C5425D936C}.exe

Filesize
408KB

MD5
fa467ca6648426f49630548a7586c2c7

SHA1
d01c9f5491993de5bb0c4ed3b2638754dfcee4cc

SHA256
6f7d46aea9fdd7d919dd938515b28ea57846768cdee89e3993d07bf1cd8ab1f7

SHA512
ff8d807d8721a24bf4f5ec2c70bade8614331544c2739b47d49525a3b3270b17c2377a16931d3f8b66d38a96999a703d3366c1bf8d4cdbd0fc724729043a6246

Download Submit
C:\Windows\{A01647C7-F0F5-4827-AC5B-9CA7D8712F75}.exe

Filesize
408KB

MD5
2bc21d05f5c75edc066510f86bd9e873

SHA1
fb6372172d98fc83910305633621040d3765fe8f

SHA256
94a325909218b470a9db1cd965f83626e39d68441b26b5459e6f260efb16a7b2

SHA512
3ebd10f70371e779f4c45fdd479b23d4e43a34ed07f07dceed8f505be269eced88917249305f746eb988727628e1182ab5ef40e5adbd112a08f3c3ab9cb3b942

Download Submit
C:\Windows\{A8552483-FE69-441f-ABC4-647DD7FFE32C}.exe

Filesize
408KB

MD5
af38c31c059d921224e7f36bdefcd315

SHA1
56b9344e50f981d17a677b4210560fd3e51b5e03

SHA256
b59c0f43f65e088ae0b70119a7290dbc4c296a37ba366cf11bb5f657e30878a8

SHA512
ea927d3eee5db3a0d435b693e25d94cda81c8c14b318a244337c2bb0fa0f07399f48efc660409bda8b2eebf2ae86e634c8757513fcf699659077f93342c9423a

Download Submit
C:\Windows\{E36DF2FA-453C-4a8e-937E-101DA2FD36CC}.exe

Filesize
408KB

MD5
d0cd16554cd5d5d2e1cdb53064cc31a0

SHA1
d8a4ef2017c67a2f4f7b5029ff702621e9836792

SHA256
e4953232d5d36ed2ef4d24212161c9e1671ba11a3e8acaf6c44f2deca7d531ea

SHA512
1f8f234a9a27002642412971bee3eb63467a235692963655683db44b5a1fdc11db19ed3d482aa0814624a59a8577fc73d355d137ffee9f4a75b2aaada6a1a54d

Download Submit
C:\Windows\{ECC9E280-7627-4329-9ACD-EDF6CB51C460}.exe

Filesize
408KB

MD5
9cf66a6b7469635c9f452fe12cd73fbf

SHA1
0d1378e7da15f56d93d13579f8976597b0bd4400

SHA256
73ea1d43d03ca1f746a0c9c4d09d38936205aa88d4eefcf344a37c38f74394dd

SHA512
a07fc5df4dc83d8fd740c387a0ef2a3a7e529460fc7d8155f03a32d0e8b6f190c65d168322ab950bc3534a6461de34e07956d62dabea61fda52d8d9f97b29944

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads