48af3cbbba95ee3c43f5724b62f69e15dc8692970dbc6a94fd8c2fe75a1c7441

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe
Size

372KB
MD5

ee15e820199935d50a3f8fb1b686591f
SHA1

88806c11204e8a5d2ce490054b59b3b6cc116669
SHA256

48af3cbbba95ee3c43f5724b62f69e15dc8692970dbc6a94fd8c2fe75a1c7441
SHA512

42bc61aae9db0a1d138ee8aef5d40326fe6492a92b58654c53d80402dbe2e0ed78c2eba1152844410a8be64e0a23377397460e3d2d5bb805db8d50acf5a7abf5
SSDEEP

3072:CEGh0oalMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGolkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012242-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012695-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012242-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015c9e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012242-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012242-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012242-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}\stubpath = "C:\\Windows\\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe"	{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC76241-E0DB-4663-A36A-53A3384C9F55}\stubpath = "C:\\Windows\\{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe"	{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}\stubpath = "C:\\Windows\\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}.exe"	{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34A5A563-2254-49db-B6C4-4D47A219FD7D}\stubpath = "C:\\Windows\\{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe"	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}\stubpath = "C:\\Windows\\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe"	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F92A251D-FEE8-4610-A036-7F5492403150}\stubpath = "C:\\Windows\\{F92A251D-FEE8-4610-A036-7F5492403150}.exe"	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}\stubpath = "C:\\Windows\\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe"	{F92A251D-FEE8-4610-A036-7F5492403150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D1EE343-CA6F-4815-8117-A7B90720FB02}	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D1EE343-CA6F-4815-8117-A7B90720FB02}\stubpath = "C:\\Windows\\{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe"	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}	{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{887282D2-CA0C-42dc-A964-1EA0946E0D73}	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{887282D2-CA0C-42dc-A964-1EA0946E0D73}\stubpath = "C:\\Windows\\{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe"	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAFAAED1-02F7-4d85-8921-D275BC15C643}	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34A5A563-2254-49db-B6C4-4D47A219FD7D}	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}	{F92A251D-FEE8-4610-A036-7F5492403150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC76241-E0DB-4663-A36A-53A3384C9F55}	{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAFAAED1-02F7-4d85-8921-D275BC15C643}\stubpath = "C:\\Windows\\{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe"	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}\stubpath = "C:\\Windows\\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe"	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F92A251D-FEE8-4610-A036-7F5492403150}	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}	{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe
1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
2276	{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe
2940	{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
796	{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe
2452	{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F92A251D-FEE8-4610-A036-7F5492403150}.exe	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
File created	C:\Windows\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	{F92A251D-FEE8-4610-A036-7F5492403150}.exe
File created	C:\Windows\{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
File created	C:\Windows\{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe
File created	C:\Windows\{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
File created	C:\Windows\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
File created	C:\Windows\{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe	{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
File created	C:\Windows\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}.exe	{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe
File created	C:\Windows\{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
File created	C:\Windows\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
File created	C:\Windows\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe	{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
Token: SeIncBasePriorityPrivilege	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
Token: SeIncBasePriorityPrivilege	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
Token: SeIncBasePriorityPrivilege	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
Token: SeIncBasePriorityPrivilege	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
Token: SeIncBasePriorityPrivilege	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe
Token: SeIncBasePriorityPrivilege	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
Token: SeIncBasePriorityPrivilege	2276	{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe
Token: SeIncBasePriorityPrivilege	2940	{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
Token: SeIncBasePriorityPrivilege	796	{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2724	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	28
PID 3016 wrote to memory of 2724	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	28
PID 3016 wrote to memory of 2724	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	28
PID 3016 wrote to memory of 2724	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	28
PID 3016 wrote to memory of 2804	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	29
PID 3016 wrote to memory of 2804	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	29
PID 3016 wrote to memory of 2804	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	29
PID 3016 wrote to memory of 2804	3016	2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe	29
PID 2724 wrote to memory of 2736	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	31
PID 2724 wrote to memory of 2736	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	31
PID 2724 wrote to memory of 2736	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	31
PID 2724 wrote to memory of 2736	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	31
PID 2724 wrote to memory of 2836	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	30
PID 2724 wrote to memory of 2836	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	30
PID 2724 wrote to memory of 2836	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	30
PID 2724 wrote to memory of 2836	2724	{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe	30
PID 2736 wrote to memory of 2748	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	32
PID 2736 wrote to memory of 2748	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	32
PID 2736 wrote to memory of 2748	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	32
PID 2736 wrote to memory of 2748	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	32
PID 2736 wrote to memory of 2596	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	33
PID 2736 wrote to memory of 2596	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	33
PID 2736 wrote to memory of 2596	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	33
PID 2736 wrote to memory of 2596	2736	{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe	33
PID 2748 wrote to memory of 2872	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	36
PID 2748 wrote to memory of 2872	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	36
PID 2748 wrote to memory of 2872	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	36
PID 2748 wrote to memory of 2872	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	36
PID 2748 wrote to memory of 2984	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	37
PID 2748 wrote to memory of 2984	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	37
PID 2748 wrote to memory of 2984	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	37
PID 2748 wrote to memory of 2984	2748	{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe	37
PID 2872 wrote to memory of 2304	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	38
PID 2872 wrote to memory of 2304	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	38
PID 2872 wrote to memory of 2304	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	38
PID 2872 wrote to memory of 2304	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	38
PID 2872 wrote to memory of 2216	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	39
PID 2872 wrote to memory of 2216	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	39
PID 2872 wrote to memory of 2216	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	39
PID 2872 wrote to memory of 2216	2872	{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe	39
PID 2304 wrote to memory of 1472	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	41
PID 2304 wrote to memory of 1472	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	41
PID 2304 wrote to memory of 1472	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	41
PID 2304 wrote to memory of 1472	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	41
PID 2304 wrote to memory of 1680	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	40
PID 2304 wrote to memory of 1680	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	40
PID 2304 wrote to memory of 1680	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	40
PID 2304 wrote to memory of 1680	2304	{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe	40
PID 1472 wrote to memory of 1464	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	42
PID 1472 wrote to memory of 1464	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	42
PID 1472 wrote to memory of 1464	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	42
PID 1472 wrote to memory of 1464	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	42
PID 1472 wrote to memory of 1528	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	43
PID 1472 wrote to memory of 1528	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	43
PID 1472 wrote to memory of 1528	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	43
PID 1472 wrote to memory of 1528	1472	{F92A251D-FEE8-4610-A036-7F5492403150}.exe	43
PID 1464 wrote to memory of 2276	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	45
PID 1464 wrote to memory of 2276	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	45
PID 1464 wrote to memory of 2276	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	45
PID 1464 wrote to memory of 2276	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	45
PID 1464 wrote to memory of 2256	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	44
PID 1464 wrote to memory of 2256	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	44
PID 1464 wrote to memory of 2256	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	44
PID 1464 wrote to memory of 2256	1464	{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ee15e820199935d50a3f8fb1b686591f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
  C:\Windows\{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{88728~1.EXE > nul
    3⤵
    PID:2836
- - C:\Windows\{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
    C:\Windows\{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
      C:\Windows\{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
        
        C:\Windows\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
        
        C:\Windows\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73737~1.EXE > nul
        7⤵
        
        PID:1680
        
        C:\Windows\{F92A251D-FEE8-4610-A036-7F5492403150}.exe
        
        C:\Windows\{F92A251D-FEE8-4610-A036-7F5492403150}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
        
        C:\Windows\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA62D~1.EXE > nul
        9⤵
        
        PID:2256
        
        C:\Windows\{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe
        
        C:\Windows\{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D1EE~1.EXE > nul
        10⤵
        
        PID:2092
        
        C:\Windows\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
        
        C:\Windows\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2BA7~1.EXE > nul
        11⤵
        
        PID:580
        
        C:\Windows\{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe
        
        C:\Windows\{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}.exe
        
        C:\Windows\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC76~1.EXE > nul
        12⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F92A2~1.EXE > nul
        8⤵
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0BD~1.EXE > nul
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34A5A~1.EXE > nul
        5⤵
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAFAA~1.EXE > nul
      4⤵
      PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34A5A563-2254-49db-B6C4-4D47A219FD7D}.exe

Filesize
372KB

MD5
1745af49f4f134b57318e2b6cbd4fa7e

SHA1
d330f9b5699edfc6c3625776b57f82271cebc861

SHA256
a638bde46b4253c7fb1d9ce600c8f90e031819be60c2a56cdb1d4840ccaa1e20

SHA512
f3bcb2cbafa84f8ea76f868c16171059f251a552d35a51ddb47bf73651a9d2d5f1215cc6a2c698212e1dd3719625b91f893f42b387b6c2249c9d02f00014c4d5

Download Submit
C:\Windows\{5B0BD6DE-4D0E-4430-AE80-B978B2865DCE}.exe

Filesize
372KB

MD5
8c4fa88106d04780f8188693c15eba7a

SHA1
18a0153177f4d53f0c5dd98b313391cdf778ad84

SHA256
25d75d1fcd634291b26a3a90cc4aa15b1e127f739ce55af0f6fe2ca8cb045200

SHA512
a90dbc04dae595e0ff8cc0cd9d2b10dc2e3ca640e0b1166fa6c809829bb91b01272efda68bb9005b0926ab2bd93ff67a040286311944b0b8195b2aecb394f482

Download Submit
C:\Windows\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe

Filesize
372KB

MD5
ff03e6a1e93092e443617edad459b1f9

SHA1
ecd9f43c41eb0e8f93143f9836cab95b13d5f750

SHA256
90d19a678e3bc8fdfd898ada200d5b7b039652582b001bea3ea3e9a1d4edba3b

SHA512
c4961a594e022ad2eff6aa4dad9eab35343f6523afdc4da2b7aa40371c1239885e81beb8e343a72c5bdb0a7b2edf9ea0812f5084a4bb24ee942401d570f69c08

Download Submit
C:\Windows\{737371CD-1934-4ee9-B89A-39D6DFEC0E4C}.exe

Filesize
66KB

MD5
77b1e8b9235484868e5923382234796f

SHA1
1399c1cafe2fbe46ffbc1312db529c63d9b64d31

SHA256
b8285eb351a08af88cd84de3441a2aa25159e6ba9a86e0699b13a52fbf4f77b5

SHA512
b637bd06ea4230896ec74781e43f2a9ed916fec03fa5fdce977447ee1dd9a63a8e21bf59fe2a4d8d542eac0e84ab81a5d86f0e3c927e09b0778d6988b71766a4

Download Submit
C:\Windows\{887282D2-CA0C-42dc-A964-1EA0946E0D73}.exe

Filesize
372KB

MD5
f9aec5505b7ff7f9bef73b89c58cccf0

SHA1
4b4624a5797f86dd62dd44561310ca93f2667678

SHA256
34d2f72dc39b1d8d6dba7e7753537bff9938f9dcee0fd31c6b8543dc71894a14

SHA512
d35b5e497b54f72631740b94fc4081e18d164348538de194db56b3b5861de0833097ecbcc0a778e7a3fd92f3aaa724372abe2355fb93358c010ab15f481c113b

Download Submit
C:\Windows\{9D1EE343-CA6F-4815-8117-A7B90720FB02}.exe

Filesize
372KB

MD5
ce3a465c8a73e2f1f183e365cf6f61d3

SHA1
eeacb6a2139cef014ff6929c4ade1d5416016fd8

SHA256
ecb8fd8a7f2ee4bc552a0114f303d94e2f7c857b87f0287a6f2c2ed9ced39a4a

SHA512
f74de5673f69ec8e2673211f2460958c45352d26fa0ac6fcd9ed944218fea542aee7ea5e679bc0a4d915471dbfd75b39181ce891e6a3f526407a06bbecf06f38

Download Submit
C:\Windows\{BAFAAED1-02F7-4d85-8921-D275BC15C643}.exe

Filesize
372KB

MD5
25620894d6a8fa276890718d350c9f57

SHA1
97c8b221ddcd7edb9a32cfcd9202af1c8235db3b

SHA256
f2299f5f877d8c10b911a83f6f9218bbca05f17df8de571086d3bc51c2c34d8d

SHA512
4bbca6e57eacc14cc37e78d2ca65e40cc37fd12c10cfc8c44f089c568f4fc0eda46ad25618457dd550855253eb0ad46a8f36a1fff7480c0799ea3b4972bf1f6e

Download Submit
C:\Windows\{CA62D9D8-EA2E-4d9d-9996-6F01D83BD458}.exe

Filesize
372KB

MD5
57f8405a8b328b1490b1bcb1b26fa12f

SHA1
1e67f40375f1918f1d1831b460ac61d568a36327

SHA256
1f409ece95509aa15e769f4bc14a61df5392f715a35eb57756fa78d7d6c3a2b7

SHA512
ac1763e912b8fd1ac1154a1d795fab8cf297076a4d9a4875b81383b28b62881281de8bef01cd0624c578b4f36706532c8afdf11110ea61156992b5a352215ab5

Download Submit
C:\Windows\{F2BA7C37-8C2D-46ed-9E50-5747742FB5A6}.exe

Filesize
372KB

MD5
474f2ef4612bd34f3863a6322ad46465

SHA1
204dad6d285265640409f574e57d2aaf35bb84d0

SHA256
f57501ea1c760cdf2975f8708e6ba6feba9f5b6cb48a38566597964c549090fb

SHA512
d7b7350a2cc4bbf36e2cac3a0257624f0105649a110f5a32acb6d33cfa9ca5d3634cd752479b8a3e4867f692634f5379abc08600ff634c902ab97fdf6f3ec2f9

Download Submit
C:\Windows\{F5434C35-B8BD-470c-A157-1FEFC3BB88A1}.exe

Filesize
372KB

MD5
67658ecf9b8c778e513422b9ad52322b

SHA1
82c5c359e3f8947ac5954874bea5e45a576d556b

SHA256
6d36a0237ae069d79a3143ccd9311100c2502399c0dfb51440f6b3e930c6865f

SHA512
d1819efbb069ec70e639a8df268250047d4a336c01374f8352e15d31d99b8d909eaa0c37ce82e66c99fc7fd426ef02dfe7ed8f9c6f10ea6346e03441301ce43d

Download Submit
C:\Windows\{F92A251D-FEE8-4610-A036-7F5492403150}.exe

Filesize
372KB

MD5
323c8ad3b6ed90e8f66e4b5a367f067c

SHA1
afc99e63dbc0bab721e9b4cee1d2d9bc8887fec8

SHA256
e99b5bfc4bff074518c5c4e34f89d389d75f25bccb83d35670bd83f97f2fe8b4

SHA512
dbc0e3867ec4c08d14276e6584bdae81f230e0186da5de82e24b0192767c1f77506f1d7046f494a306d662904b21838e3846a69b89bb21ad810bd728d8ab26f5

Download Submit
C:\Windows\{FAC76241-E0DB-4663-A36A-53A3384C9F55}.exe

Filesize
372KB

MD5
7043e0d3f2d053acb41dbdcda5119809

SHA1
6b0d82f8273f15e047eae9d6e0db23e743ad1a8c

SHA256
baa812074cb4626a9a938c6eb2736a382cca148bcd8d09b1ca6cf6ba077f10cb

SHA512
709c36276e853a04f000e4dcea9c6815cee8ca106832dbfb13b865cf66aa4dbe72625b6d0f6f5b3419db150d7f17837f66db501f36cc5cf303a10b78ff5553d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads