179cf98d0d63e295a0cb64646bbce64019cab2c965550fbf53cd4a733f954ca3

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 16:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Size

197KB
MD5

dd54c12867ad188735f3eed6eb2809c9
SHA1

835fd7fab20bdef6350d77ba3af8188632bcea7a
SHA256

179cf98d0d63e295a0cb64646bbce64019cab2c965550fbf53cd4a733f954ca3
SHA512

143d336ec9a0103aced41f9fcc037eb3b21f6cc5625ca39acc7b0b1dff6c1c3c2ad4c188444bb60349c4f2790e9aa103fa429f5c0eb7e114013a7e63ec805885
SSDEEP

3072:jEGh0oyl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGQlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012243-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122b9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012243-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}\stubpath = "C:\\Windows\\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe"	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC62A3A-F131-45cd-8717-63E94AD01825}\stubpath = "C:\\Windows\\{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe"	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}	{27C717F6-818D-4763-916A-0612025C8B54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E1D0437-6116-42ff-811B-C062605B50DA}	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02FCB231-DA39-445e-B5EC-B4BDC625898D}	{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD464C2-9995-4850-8B85-158FF779D394}	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52276C47-F408-4e6c-9CF3-6B6096C40B34}	{DCD464C2-9995-4850-8B85-158FF779D394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C717F6-818D-4763-916A-0612025C8B54}\stubpath = "C:\\Windows\\{27C717F6-818D-4763-916A-0612025C8B54}.exe"	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}	{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E1D0437-6116-42ff-811B-C062605B50DA}\stubpath = "C:\\Windows\\{2E1D0437-6116-42ff-811B-C062605B50DA}.exe"	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02FCB231-DA39-445e-B5EC-B4BDC625898D}\stubpath = "C:\\Windows\\{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe"	{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C717F6-818D-4763-916A-0612025C8B54}	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}\stubpath = "C:\\Windows\\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe"	{27C717F6-818D-4763-916A-0612025C8B54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}\stubpath = "C:\\Windows\\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe"	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}\stubpath = "C:\\Windows\\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe"	{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C998162-6A2C-447f-B59D-18183D10FC96}	{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C998162-6A2C-447f-B59D-18183D10FC96}\stubpath = "C:\\Windows\\{4C998162-6A2C-447f-B59D-18183D10FC96}.exe"	{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD464C2-9995-4850-8B85-158FF779D394}\stubpath = "C:\\Windows\\{DCD464C2-9995-4850-8B85-158FF779D394}.exe"	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52276C47-F408-4e6c-9CF3-6B6096C40B34}\stubpath = "C:\\Windows\\{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe"	{DCD464C2-9995-4850-8B85-158FF779D394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC62A3A-F131-45cd-8717-63E94AD01825}	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe
2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe
2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe
1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
2808	{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
1104	{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe
1936	{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe
2064	{4C998162-6A2C-447f-B59D-18183D10FC96}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4C998162-6A2C-447f-B59D-18183D10FC96}.exe	{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe
File created	C:\Windows\{DCD464C2-9995-4850-8B85-158FF779D394}.exe	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
File created	C:\Windows\{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	{DCD464C2-9995-4850-8B85-158FF779D394}.exe
File created	C:\Windows\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	{27C717F6-818D-4763-916A-0612025C8B54}.exe
File created	C:\Windows\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
File created	C:\Windows\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe	{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
File created	C:\Windows\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
File created	C:\Windows\{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe
File created	C:\Windows\{27C717F6-818D-4763-916A-0612025C8B54}.exe	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
File created	C:\Windows\{2E1D0437-6116-42ff-811B-C062605B50DA}.exe	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
File created	C:\Windows\{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe	{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe
Token: SeIncBasePriorityPrivilege	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
Token: SeIncBasePriorityPrivilege	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe
Token: SeIncBasePriorityPrivilege	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
Token: SeIncBasePriorityPrivilege	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe
Token: SeIncBasePriorityPrivilege	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
Token: SeIncBasePriorityPrivilege	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
Token: SeIncBasePriorityPrivilege	2808	{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
Token: SeIncBasePriorityPrivilege	1104	{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe
Token: SeIncBasePriorityPrivilege	1936	{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2764	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	28
PID 2188 wrote to memory of 2764	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	28
PID 2188 wrote to memory of 2764	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	28
PID 2188 wrote to memory of 2764	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	28
PID 2188 wrote to memory of 2140	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	29
PID 2188 wrote to memory of 2140	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	29
PID 2188 wrote to memory of 2140	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	29
PID 2188 wrote to memory of 2140	2188	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	29
PID 2764 wrote to memory of 2776	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	30
PID 2764 wrote to memory of 2776	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	30
PID 2764 wrote to memory of 2776	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	30
PID 2764 wrote to memory of 2776	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	30
PID 2764 wrote to memory of 2704	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	31
PID 2764 wrote to memory of 2704	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	31
PID 2764 wrote to memory of 2704	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	31
PID 2764 wrote to memory of 2704	2764	{DCD464C2-9995-4850-8B85-158FF779D394}.exe	31
PID 2776 wrote to memory of 2916	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	33
PID 2776 wrote to memory of 2916	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	33
PID 2776 wrote to memory of 2916	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	33
PID 2776 wrote to memory of 2916	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	33
PID 2776 wrote to memory of 2672	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	32
PID 2776 wrote to memory of 2672	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	32
PID 2776 wrote to memory of 2672	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	32
PID 2776 wrote to memory of 2672	2776	{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe	32
PID 2916 wrote to memory of 2284	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	37
PID 2916 wrote to memory of 2284	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	37
PID 2916 wrote to memory of 2284	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	37
PID 2916 wrote to memory of 2284	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	37
PID 2916 wrote to memory of 1952	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	36
PID 2916 wrote to memory of 1952	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	36
PID 2916 wrote to memory of 1952	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	36
PID 2916 wrote to memory of 1952	2916	{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe	36
PID 2284 wrote to memory of 2920	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	38
PID 2284 wrote to memory of 2920	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	38
PID 2284 wrote to memory of 2920	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	38
PID 2284 wrote to memory of 2920	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	38
PID 2284 wrote to memory of 2948	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	39
PID 2284 wrote to memory of 2948	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	39
PID 2284 wrote to memory of 2948	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	39
PID 2284 wrote to memory of 2948	2284	{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe	39
PID 2920 wrote to memory of 1972	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	40
PID 2920 wrote to memory of 1972	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	40
PID 2920 wrote to memory of 1972	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	40
PID 2920 wrote to memory of 1972	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	40
PID 2920 wrote to memory of 2460	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	41
PID 2920 wrote to memory of 2460	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	41
PID 2920 wrote to memory of 2460	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	41
PID 2920 wrote to memory of 2460	2920	{27C717F6-818D-4763-916A-0612025C8B54}.exe	41
PID 1972 wrote to memory of 1488	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	42
PID 1972 wrote to memory of 1488	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	42
PID 1972 wrote to memory of 1488	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	42
PID 1972 wrote to memory of 1488	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	42
PID 1972 wrote to memory of 1720	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	43
PID 1972 wrote to memory of 1720	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	43
PID 1972 wrote to memory of 1720	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	43
PID 1972 wrote to memory of 1720	1972	{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe	43
PID 1488 wrote to memory of 2808	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	45
PID 1488 wrote to memory of 2808	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	45
PID 1488 wrote to memory of 2808	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	45
PID 1488 wrote to memory of 2808	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	45
PID 1488 wrote to memory of 1100	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	44
PID 1488 wrote to memory of 1100	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	44
PID 1488 wrote to memory of 1100	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	44
PID 1488 wrote to memory of 1100	1488	{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{DCD464C2-9995-4850-8B85-158FF779D394}.exe
  C:\Windows\{DCD464C2-9995-4850-8B85-158FF779D394}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
    C:\Windows\{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{52276~1.EXE > nul
      4⤵
      PID:2672
  - - C:\Windows\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe
      C:\Windows\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF9D2~1.EXE > nul
        5⤵
        
        PID:1952
    - - C:\Windows\{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
        
        C:\Windows\{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\{27C717F6-818D-4763-916A-0612025C8B54}.exe
        
        C:\Windows\{27C717F6-818D-4763-916A-0612025C8B54}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
        
        C:\Windows\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
        
        C:\Windows\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB36A~1.EXE > nul
        9⤵
        
        PID:1100
        
        C:\Windows\{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
        
        C:\Windows\{2E1D0437-6116-42ff-811B-C062605B50DA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe
        
        C:\Windows\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe
        
        C:\Windows\{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{4C998162-6A2C-447f-B59D-18183D10FC96}.exe
        
        C:\Windows\{4C998162-6A2C-447f-B59D-18183D10FC96}.exe
        12⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02FCB~1.EXE > nul
        12⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{007E9~1.EXE > nul
        11⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E1D0~1.EXE > nul
        10⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95E5B~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27C71~1.EXE > nul
        7⤵
        
        PID:2460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBC62~1.EXE > nul
        6⤵
        
        PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD46~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{007E912D-AED9-43cc-81BB-1D9AAE6134D6}.exe

Filesize
197KB

MD5
08af996b148cf41f50cfd8f555a774a3

SHA1
2ddf14b85d07dfa3d5dd154d3cb43b9515e519c7

SHA256
0b3ecec74d2aa7661544db04561f0037aee6c0f4c57eeb0b5ac84a784150a19c

SHA512
10a9b2bb1aaab5e613f0623f82178b39d0dd6a4da09965613102554f14aa763f9356e464462e0ba2ebf0d41ab3546cc7cf99518b59854de2e026857e95adabdc

Download Submit
C:\Windows\{02FCB231-DA39-445e-B5EC-B4BDC625898D}.exe

Filesize
197KB

MD5
1af7b69088e8756ecae6a2c70999bc3e

SHA1
651dc1ebc4d8fb51ac6b901f04dbdaf8dca0637d

SHA256
bb0a289bbb70e532df3d62af157999bae681c5cb38eaaaef5122440671e9fa77

SHA512
87925365694f6cfaa848ea11a885ca4804f424a74287cdbd1311864d9e4a49149943e4c85d94a3d8aab8915b7b8def15bf93623c37c7383de1e9534bd3ba0e4e

Download Submit
C:\Windows\{27C717F6-818D-4763-916A-0612025C8B54}.exe

Filesize
197KB

MD5
3f966bb4077361270b2587086aec23df

SHA1
47f3caa96bdb799d7949ab3679ab36834e5ea60b

SHA256
2199a35db98ab8bbbc4761b93406e2b875568095c3f9d44215f023f034108dc4

SHA512
e7ff2d54e8e267e728f1541bc32f6388fb4478157c7fa97c7962a5690a9ad60c891c66f34a550c5874fc44c169e60676e475fa35a6a15169e33eee1c3fde2e66

Download Submit
C:\Windows\{2E1D0437-6116-42ff-811B-C062605B50DA}.exe

Filesize
197KB

MD5
8abc51c532b6cf163ba3e0478eef4c88

SHA1
b815d4968552b1fa915c783f0904b2cd6195c0af

SHA256
1a9839f2b789c12eeddd30272cb2ed41a35337c7cca629f04798393803f07f6e

SHA512
9750e964b03052bb22172cbfdbcdc569976aaa3c2f905b3b78eee87317f5beef933a952072d914379fec5ab2923d05bc26d8a98b4e8014c1791cde8cee606944

Download Submit
C:\Windows\{4C998162-6A2C-447f-B59D-18183D10FC96}.exe

Filesize
197KB

MD5
a428219b3b42f1e2ea980868a6f98a7f

SHA1
25f0dc456390b21906bb6d2b0ba57de4c69d24be

SHA256
184c86043e56ca9b47d8799622421e5fea79386b34ac94647a34b7311ccac92e

SHA512
2731f04372713d3e4d2fca1c3fe6d256fbd8cdf1adfc89508c332c20aedb8a5159643fd151dddb204ac8a08b726fcd6fea7ef8c6b5863e1cc8360cdda1bcec13

Download Submit
C:\Windows\{52276C47-F408-4e6c-9CF3-6B6096C40B34}.exe

Filesize
197KB

MD5
8886c51a4023353160655c659e1a5e65

SHA1
62f1b4078d3d177da2f4d0ceaf71e9c9c0f02007

SHA256
a9f64d65085cc1c63006b1c445bbbbe848507c71f7f93658785669298d318171

SHA512
2e171c72c5e085a0ef38f837d0b40929965bae586576f25b50347d02a92608e3b43948ebb6a1a336f340f8ccc98fdaedbd7c6f1830fbd01921b31939a701893e

Download Submit
C:\Windows\{95E5B1DE-A239-471d-9259-0FFD1CADDD58}.exe

Filesize
197KB

MD5
66b36d835ce91790c24e1274b3784f8c

SHA1
dc7f07f758a50e744081bab5aad9e80eebb2f875

SHA256
afd65ddec970af73480d2d6d057423f48b60215739079684c51583709b5a0f64

SHA512
0d17dab9caa745bf19603d6fef0ae6244187855475dab6dcd91c80711a959384ef8f42cc7a947f29d493a7554e36010d71a8b18b86525491d1f2c27bc010af97

Download Submit
C:\Windows\{AB36A51A-E1C3-413b-A7C6-EEEA15ED6C3A}.exe

Filesize
197KB

MD5
7b2fe87e39f4bacdf4966e720348da97

SHA1
c69104a3062b3bb19350430a70ef80e5a41bf6aa

SHA256
1c89d1ffac90c01818113d328ec05d5c8e7d45ab776bcfbd56a159124e050af4

SHA512
7e60f52c6da02caa1d6a96808ac03af1869fd2e83351e7e2a80cc8ab42222350e543f92d52ffdfaaa717b1a409819e81ec485da2f4994dfb3a1105d2dd930eee

Download Submit
C:\Windows\{DBC62A3A-F131-45cd-8717-63E94AD01825}.exe

Filesize
197KB

MD5
227f29ea809f8e2e32022d807ae2f7a2

SHA1
73d246b0b9b080a04a6a08d04d7f761b0531476b

SHA256
51de51a74d0b2ccc47aac5fcf5bfb8dcf6b79eab9a9140de5de651a28d283a50

SHA512
1d91a614c128ef224a1c973a0c5e89e8b57a702154b14fa51b381344d13f7b4bc9d133a24fd064eabcb7e97080c966487bfb40222b90791a3b51c4548aa704e0

Download Submit
C:\Windows\{DCD464C2-9995-4850-8B85-158FF779D394}.exe

Filesize
197KB

MD5
07ad0fe8a29c001d2c3d9aad7493200c

SHA1
01125158d5017b91728b614a82ad556a37aba07b

SHA256
328f476ad95125de2288eddec4b58fde6f861f636ae680165ce57fa85bd499ef

SHA512
98d1380463d7005c26c648886e2dcbe9953b83a7ebd3a9cc1b0b3b5a659608787ea4393b726d40eb34d81849fdcb970ca2369f285cd3fa97d334df93c8d428be

Download Submit
C:\Windows\{FF9D2A08-84FD-4564-995C-EE7BB9B36E7C}.exe

Filesize
197KB

MD5
b645cb95e461d93be790e8dcbe4f4c5c

SHA1
6677c543a8901bc4f9cc8d60999eaaaf495df01d

SHA256
86e7ca6bc9cdb27ce23a5421c5e656806bb4871cc80c04384227960f156d7efa

SHA512
46c8b8be3b6dc0d241f5674f47303e87d5c80f8990ed350977076ea1b5d9d699fc1d886054d0412547f077786ddf674b9780648a2dfc60a65e66811efca6306e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads