bd2cba23cec112cae45f61c1f762a668a776f60ad1935cfedf425df2e034ba7f

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Size

408KB
MD5

60a6673391cc62d419422fed3451d48d
SHA1

7333a968cf44eeccb4d6487313f8c8977f158e68
SHA256

bd2cba23cec112cae45f61c1f762a668a776f60ad1935cfedf425df2e034ba7f
SHA512

f6fe7e4a1686a5222a103026e799dcde552763d25080ff20ba365679f3833d2920b766fb3a697685dec75bebd04e18c43443b678d3c45c9a831f749042df44a7
SSDEEP

3072:CEGh0oGl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012262-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001230d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012262-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}\stubpath = "C:\\Windows\\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe"	{BA1F5510-652A-44a0-879E-8641833FC814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}\stubpath = "C:\\Windows\\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe"	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEEE0639-BE43-4763-9B88-F8D007B026BD}	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}\stubpath = "C:\\Windows\\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe"	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}	{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}\stubpath = "C:\\Windows\\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe"	{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA1F5510-652A-44a0-879E-8641833FC814}\stubpath = "C:\\Windows\\{BA1F5510-652A-44a0-879E-8641833FC814}.exe"	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B005D12-F38F-4858-B62D-47EFE1B7F407}\stubpath = "C:\\Windows\\{6B005D12-F38F-4858-B62D-47EFE1B7F407}.exe"	{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}	{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B005D12-F38F-4858-B62D-47EFE1B7F407}	{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA1F5510-652A-44a0-879E-8641833FC814}	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}\stubpath = "C:\\Windows\\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe"	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521ED06A-8FF1-49db-B316-E559CAD347E0}	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEEE0639-BE43-4763-9B88-F8D007B026BD}\stubpath = "C:\\Windows\\{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe"	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}	{BA1F5510-652A-44a0-879E-8641833FC814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521ED06A-8FF1-49db-B316-E559CAD347E0}\stubpath = "C:\\Windows\\{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe"	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}\stubpath = "C:\\Windows\\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe"	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}\stubpath = "C:\\Windows\\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe"	{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe

Executes dropped EXE 11 IoCs

pid	Process
2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe
1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe
2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
752	{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
1680	{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
880	{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe
2356	{6B005D12-F38F-4858-B62D-47EFE1B7F407}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
File created	C:\Windows\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
File created	C:\Windows\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
File created	C:\Windows\{BA1F5510-652A-44a0-879E-8641833FC814}.exe	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
File created	C:\Windows\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	{BA1F5510-652A-44a0-879E-8641833FC814}.exe
File created	C:\Windows\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
File created	C:\Windows\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe
File created	C:\Windows\{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
File created	C:\Windows\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe	{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
File created	C:\Windows\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe	{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
File created	C:\Windows\{6B005D12-F38F-4858-B62D-47EFE1B7F407}.exe	{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe
Token: SeIncBasePriorityPrivilege	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
Token: SeIncBasePriorityPrivilege	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe
Token: SeIncBasePriorityPrivilege	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
Token: SeIncBasePriorityPrivilege	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
Token: SeIncBasePriorityPrivilege	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
Token: SeIncBasePriorityPrivilege	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
Token: SeIncBasePriorityPrivilege	752	{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
Token: SeIncBasePriorityPrivilege	1680	{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
Token: SeIncBasePriorityPrivilege	880	{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2664	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	28
PID 2076 wrote to memory of 2664	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	28
PID 2076 wrote to memory of 2664	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	28
PID 2076 wrote to memory of 2664	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	28
PID 2076 wrote to memory of 1528	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	29
PID 2076 wrote to memory of 1528	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	29
PID 2076 wrote to memory of 1528	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	29
PID 2076 wrote to memory of 1528	2076	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	29
PID 2664 wrote to memory of 1736	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	31
PID 2664 wrote to memory of 1736	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	31
PID 2664 wrote to memory of 1736	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	31
PID 2664 wrote to memory of 1736	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	31
PID 2664 wrote to memory of 1172	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	30
PID 2664 wrote to memory of 1172	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	30
PID 2664 wrote to memory of 1172	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	30
PID 2664 wrote to memory of 1172	2664	{BA1F5510-652A-44a0-879E-8641833FC814}.exe	30
PID 1736 wrote to memory of 2888	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	33
PID 1736 wrote to memory of 2888	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	33
PID 1736 wrote to memory of 2888	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	33
PID 1736 wrote to memory of 2888	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	33
PID 1736 wrote to memory of 2940	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	32
PID 1736 wrote to memory of 2940	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	32
PID 1736 wrote to memory of 2940	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	32
PID 1736 wrote to memory of 2940	1736	{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe	32
PID 2888 wrote to memory of 2848	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	36
PID 2888 wrote to memory of 2848	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	36
PID 2888 wrote to memory of 2848	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	36
PID 2888 wrote to memory of 2848	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	36
PID 2888 wrote to memory of 2596	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	37
PID 2888 wrote to memory of 2596	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	37
PID 2888 wrote to memory of 2596	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	37
PID 2888 wrote to memory of 2596	2888	{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe	37
PID 2848 wrote to memory of 3032	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	39
PID 2848 wrote to memory of 3032	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	39
PID 2848 wrote to memory of 3032	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	39
PID 2848 wrote to memory of 3032	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	39
PID 2848 wrote to memory of 3036	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	38
PID 2848 wrote to memory of 3036	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	38
PID 2848 wrote to memory of 3036	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	38
PID 2848 wrote to memory of 3036	2848	{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe	38
PID 3032 wrote to memory of 1088	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	41
PID 3032 wrote to memory of 1088	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	41
PID 3032 wrote to memory of 1088	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	41
PID 3032 wrote to memory of 1088	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	41
PID 3032 wrote to memory of 2164	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	40
PID 3032 wrote to memory of 2164	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	40
PID 3032 wrote to memory of 2164	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	40
PID 3032 wrote to memory of 2164	3032	{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe	40
PID 1088 wrote to memory of 1064	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	42
PID 1088 wrote to memory of 1064	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	42
PID 1088 wrote to memory of 1064	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	42
PID 1088 wrote to memory of 1064	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	42
PID 1088 wrote to memory of 1960	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	43
PID 1088 wrote to memory of 1960	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	43
PID 1088 wrote to memory of 1960	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	43
PID 1088 wrote to memory of 1960	1088	{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe	43
PID 1064 wrote to memory of 752	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	44
PID 1064 wrote to memory of 752	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	44
PID 1064 wrote to memory of 752	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	44
PID 1064 wrote to memory of 752	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	44
PID 1064 wrote to memory of 1056	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	45
PID 1064 wrote to memory of 1056	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	45
PID 1064 wrote to memory of 1056	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	45
PID 1064 wrote to memory of 1056	1064	{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\{BA1F5510-652A-44a0-879E-8641833FC814}.exe
  C:\Windows\{BA1F5510-652A-44a0-879E-8641833FC814}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA1F5~1.EXE > nul
    3⤵
    PID:1172
- - C:\Windows\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
    C:\Windows\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B37DB~1.EXE > nul
      4⤵
      PID:2940
  - - C:\Windows\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe
      C:\Windows\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
        
        C:\Windows\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD14E~1.EXE > nul
        6⤵
        
        PID:3036
      - C:\Windows\{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
        
        C:\Windows\{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{521ED~1.EXE > nul
        7⤵
        
        PID:2164
        
        C:\Windows\{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
        
        C:\Windows\{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
        
        C:\Windows\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
        
        C:\Windows\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
        
        C:\Windows\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe
        
        C:\Windows\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\{6B005D12-F38F-4858-B62D-47EFE1B7F407}.exe
        
        C:\Windows\{6B005D12-F38F-4858-B62D-47EFE1B7F407}.exe
        12⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C85~1.EXE > nul
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9612~1.EXE > nul
        11⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A24C~1.EXE > nul
        10⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4379~1.EXE > nul
        9⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEEE0~1.EXE > nul
        8⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CCDC~1.EXE > nul
        5⤵
        
        PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15C8592C-6102-40f9-8C29-1AE5F6CEF67E}.exe

Filesize
408KB

MD5
4039faf22c503082159e3849177da4b1

SHA1
07c7c345fe44f733d337ad16d997dafcf5aa16a2

SHA256
eaf180e8b8d61d6ec82448e5555dad56ac1f2c8621938bfd1d3d4f45c5b830e2

SHA512
991d3ce33a926ef8d927fe1defe842413ce46516302e51083b1cca57a369493fc8ddee06e69921d41ca96ff25037bac1955b30fcecd3305e1cb3007e3bd45122

Download Submit
C:\Windows\{1A24CCB7-FEA4-4c6c-B27C-154DE8C1231D}.exe

Filesize
408KB

MD5
be5670206a5249380b14e77264710b69

SHA1
29cabde4098e941d57896068865714e4d05d8b5a

SHA256
98cebb6480a03757b00eac0e7d185c6c944b58f0f38fde05c8c8f342d5f8b371

SHA512
c408ec1640cdd98f8e486626b41f7c33f3477db911f57e9b133bfee5a8db15347ba0ede86d7e128cee19aabe1d21077f6de179006bf25ef172feca76e76440c7

Download Submit
C:\Windows\{521ED06A-8FF1-49db-B316-E559CAD347E0}.exe

Filesize
408KB

MD5
039440fc42c8f324ecd35cabeed2bf23

SHA1
8d8ee107e44d27a75cd05d66db90cda351992560

SHA256
01a8262faf217c76a0da14b9fde7f09715199cbb24dd3d5fc348785cb28261db

SHA512
170c805e0687178ed206fe4c1e7eb7b0cba18aa64de6ef1b3111363f8234e1546fccf5850a23774f2db89f221e6278d928570aafd9265f358d17a21db87f3f0c

Download Submit
C:\Windows\{6B005D12-F38F-4858-B62D-47EFE1B7F407}.exe

Filesize
408KB

MD5
12debe03c084ebfdd7ef6bd6373dfec6

SHA1
7fb2a9e506cfc3be70e2e7ec82e4477484a096be

SHA256
75d579c19c145ceef1ac10019d1df1e1a0d0056aeae96b4dcf29d4195c228e0c

SHA512
162294df5836c319ad7f178b5ec0f52e4444ef65e18a260ed3bc0dc38ce85a3c82f50c3fe573f251039dc82f8aae1d9e8b0afe2971cf421a67396bf6076acc3c

Download Submit
C:\Windows\{6CCDCA19-B330-42c3-B2B4-AA5ACAFE04CF}.exe

Filesize
408KB

MD5
e975c80a57472667661e6c320b22cf4e

SHA1
f1890fd4e657a0f7375b2ca38c42e5e9e99042d3

SHA256
272c2a819fa6ca7b974d91db1f5cd6976dd2d91aee8ed476f31d1548cf694262

SHA512
3a7c54126cf06847ad95e8d512b9e569c283f8a3cfa9621e2bd8c878f5d40b9bc1ac40970f77fa1ed848fba59835685c137b41c496238de11b9784005d0419e2

Download Submit
C:\Windows\{A4379B2C-B3DB-4b07-AAAD-B0B86A84407F}.exe

Filesize
408KB

MD5
4f5d8cbca2b93dedd64724ed8dd33adc

SHA1
fa04fc82850f47477797821bcacb467bde1a33b1

SHA256
1ff50b3952622848c69de5eddfd2825b702fa5499128ee9be3a460914ad6c017

SHA512
977573aa896e5000edcfa58acb91d61ba645edeab2b0bbf2017f4b27ea8f49c06912fad0da5b0ac624be660fe56a4c2275971f4337aba55eec1806a9f0034404

Download Submit
C:\Windows\{AD14EB7B-BB1C-4710-9545-32DEAF13AF02}.exe

Filesize
408KB

MD5
c494f999df3a6cc2f163545a10930e09

SHA1
0c4e8995fe81d9c57f3181ae4f8042321c6eedb2

SHA256
35fa86811281d9b8fbad535c69858cd5ee0d380843688ba21d67a22d7ea1427f

SHA512
accb6e570b4ab1912a5e1cccc74a0d3a02d420c91ed4d66f892bf765af844bf269f1d61b040d2dd19919b8ae5c5ee75238b2e43b5a579059683b77f8b3f78629

Download Submit
C:\Windows\{B37DB78E-70EB-4e22-BB5F-A72CAB311223}.exe

Filesize
408KB

MD5
18fd67df1014f63b49822c97c85c9e86

SHA1
bf1c79e58bbc3ab7b0cc4ffca64e9f7bfc4cc3c5

SHA256
ed78991cb6b861a00fe48c3851aed327abdcb15f9f4d886ed86a028215e18b5c

SHA512
658079051681463a423f38d00a416f25d17f7e39d34b37aa4e1d73b81842f11d3668dd25f9dea893d39f72e909a7453503d3741bc6aabe504bfe514ef122066a

Download Submit
C:\Windows\{BA1F5510-652A-44a0-879E-8641833FC814}.exe

Filesize
408KB

MD5
16753d75c759f147f0e3022efff59272

SHA1
c77aa15be16c3bef858a63c253b8b5337828c51b

SHA256
6b149d6885c6e1ae5931683d06d3101d8bbdc844ddadf8c34c1b7e5d2c4c832f

SHA512
d96d8a4e6a55a0c7543c32217771e6c1e79b53360c9710a5eaf76dd7defac778201a9be33c63994f3f1b140c3d0e8c7e0a4cd2a81f540683019f04236d2faff7

Download Submit
C:\Windows\{CEEE0639-BE43-4763-9B88-F8D007B026BD}.exe

Filesize
408KB

MD5
cb419bc78a956e41642d90f26c7cfc35

SHA1
37c822532503bf4cb82512de64df342351f731dd

SHA256
bd7150649e7dfe8f167f50404cfa33783b957d35d9b229fdde742fb0f1aae003

SHA512
768eee8c99e2a833d910be6614834dcfd4cd8595578abfb1e163ee1ec09a6f6fea702b4693f51996b95e16f6d39beb016f609320b7ab57a77ebf3471adc252d9

Download Submit
C:\Windows\{E9612A81-B9D8-4c7f-A5A8-B0B205EC26C5}.exe

Filesize
408KB

MD5
06a39ad4dc8c9237b98ead8bb1f3ffc0

SHA1
fd03dc74c615397800c73b4c7fa72c99f00aa9e9

SHA256
1e59c3575c2b4fdc9a76d7239e6d1a3a1ff846dbcfbc4bd6d3fe76c989b0a766

SHA512
384779644ca972344d75db5f502822abe4d4e408f002c0adad54e08d6696465a0f1258cd877747ca0f75f65a7ca1ec25808990486432b51005d601996b79d566

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads