f740bc992f87f6e6d6af3b6d88d61b92adb59e03eeb6f605f6a8b945bda63fc6

Analysis

max time kernel
138s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Size

408KB
MD5

19ac4565f46841411a12a6b4e51f5a14
SHA1

20b7d0f0368134b00e21c69c0e5db1352fff68b2
SHA256

f740bc992f87f6e6d6af3b6d88d61b92adb59e03eeb6f605f6a8b945bda63fc6
SHA512

ed3e710e2f80df509c46ce8f79cfd92c8b63b1b5f3cc1b0320dda513e814392c92b450027f44a5cf3813d16f7af57576eae9bf2ff6d7fa6995f2fc83dc008f29
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGSldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000126af-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012704-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000126af-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000133a9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000126af-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000126af-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126af-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126af-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00EA1CC3-B808-4994-970B-DBA4738B7337}	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}\stubpath = "C:\\Windows\\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe"	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04729361-3A80-49c1-A106-DC4EF24467E5}	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04729361-3A80-49c1-A106-DC4EF24467E5}\stubpath = "C:\\Windows\\{04729361-3A80-49c1-A106-DC4EF24467E5}.exe"	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84ED8D34-28E5-4361-8C7E-380617FF927F}	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84ED8D34-28E5-4361-8C7E-380617FF927F}\stubpath = "C:\\Windows\\{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe"	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}\stubpath = "C:\\Windows\\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe"	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}	{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5866B4AD-B1C7-4408-9252-59D462A63683}	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5866B4AD-B1C7-4408-9252-59D462A63683}\stubpath = "C:\\Windows\\{5866B4AD-B1C7-4408-9252-59D462A63683}.exe"	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F9C910-DA6E-42af-B0B4-A179F455F62F}\stubpath = "C:\\Windows\\{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe"	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}	{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}\stubpath = "C:\\Windows\\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe"	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}\stubpath = "C:\\Windows\\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe"	{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}\stubpath = "C:\\Windows\\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe"	{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00EA1CC3-B808-4994-970B-DBA4738B7337}\stubpath = "C:\\Windows\\{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe"	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F9C910-DA6E-42af-B0B4-A179F455F62F}	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}	{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}\stubpath = "C:\\Windows\\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}.exe"	{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
1680	{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
2120	{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
2096	{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe
1248	{EADAB099-9B66-400b-B99D-ABAF4F54F24F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
File created	C:\Windows\{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
File created	C:\Windows\{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
File created	C:\Windows\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe	{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
File created	C:\Windows\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe	{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
File created	C:\Windows\{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
File created	C:\Windows\{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
File created	C:\Windows\{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
File created	C:\Windows\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
File created	C:\Windows\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
File created	C:\Windows\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}.exe	{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
Token: SeIncBasePriorityPrivilege	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
Token: SeIncBasePriorityPrivilege	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
Token: SeIncBasePriorityPrivilege	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
Token: SeIncBasePriorityPrivilege	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
Token: SeIncBasePriorityPrivilege	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
Token: SeIncBasePriorityPrivilege	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
Token: SeIncBasePriorityPrivilege	1680	{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
Token: SeIncBasePriorityPrivilege	2120	{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
Token: SeIncBasePriorityPrivilege	2096	{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2620	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	28
PID 2940 wrote to memory of 2620	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	28
PID 2940 wrote to memory of 2620	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	28
PID 2940 wrote to memory of 2620	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	28
PID 2940 wrote to memory of 2524	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	29
PID 2940 wrote to memory of 2524	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	29
PID 2940 wrote to memory of 2524	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	29
PID 2940 wrote to memory of 2524	2940	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	29
PID 2620 wrote to memory of 2276	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	31
PID 2620 wrote to memory of 2276	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	31
PID 2620 wrote to memory of 2276	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	31
PID 2620 wrote to memory of 2276	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	31
PID 2620 wrote to memory of 2640	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	30
PID 2620 wrote to memory of 2640	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	30
PID 2620 wrote to memory of 2640	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	30
PID 2620 wrote to memory of 2640	2620	{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe	30
PID 2276 wrote to memory of 2884	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	33
PID 2276 wrote to memory of 2884	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	33
PID 2276 wrote to memory of 2884	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	33
PID 2276 wrote to memory of 2884	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	33
PID 2276 wrote to memory of 2556	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	32
PID 2276 wrote to memory of 2556	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	32
PID 2276 wrote to memory of 2556	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	32
PID 2276 wrote to memory of 2556	2276	{5866B4AD-B1C7-4408-9252-59D462A63683}.exe	32
PID 2884 wrote to memory of 2460	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	36
PID 2884 wrote to memory of 2460	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	36
PID 2884 wrote to memory of 2460	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	36
PID 2884 wrote to memory of 2460	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	36
PID 2884 wrote to memory of 2608	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	37
PID 2884 wrote to memory of 2608	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	37
PID 2884 wrote to memory of 2608	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	37
PID 2884 wrote to memory of 2608	2884	{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe	37
PID 2460 wrote to memory of 3024	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	38
PID 2460 wrote to memory of 3024	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	38
PID 2460 wrote to memory of 3024	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	38
PID 2460 wrote to memory of 3024	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	38
PID 2460 wrote to memory of 2624	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	39
PID 2460 wrote to memory of 2624	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	39
PID 2460 wrote to memory of 2624	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	39
PID 2460 wrote to memory of 2624	2460	{04729361-3A80-49c1-A106-DC4EF24467E5}.exe	39
PID 3024 wrote to memory of 1676	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	41
PID 3024 wrote to memory of 1676	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	41
PID 3024 wrote to memory of 1676	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	41
PID 3024 wrote to memory of 1676	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	41
PID 3024 wrote to memory of 1436	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	40
PID 3024 wrote to memory of 1436	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	40
PID 3024 wrote to memory of 1436	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	40
PID 3024 wrote to memory of 1436	3024	{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe	40
PID 1676 wrote to memory of 2852	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	43
PID 1676 wrote to memory of 2852	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	43
PID 1676 wrote to memory of 2852	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	43
PID 1676 wrote to memory of 2852	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	43
PID 1676 wrote to memory of 2820	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	42
PID 1676 wrote to memory of 2820	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	42
PID 1676 wrote to memory of 2820	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	42
PID 1676 wrote to memory of 2820	1676	{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe	42
PID 2852 wrote to memory of 1680	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	45
PID 2852 wrote to memory of 1680	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	45
PID 2852 wrote to memory of 1680	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	45
PID 2852 wrote to memory of 1680	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	45
PID 2852 wrote to memory of 1672	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	44
PID 2852 wrote to memory of 1672	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	44
PID 2852 wrote to memory of 1672	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	44
PID 2852 wrote to memory of 1672	2852	{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
  C:\Windows\{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00EA1~1.EXE > nul
    3⤵
    PID:2640
- - C:\Windows\{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
    C:\Windows\{5866B4AD-B1C7-4408-9252-59D462A63683}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5866B~1.EXE > nul
      4⤵
      PID:2556
  - - C:\Windows\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
      C:\Windows\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
        
        C:\Windows\{04729361-3A80-49c1-A106-DC4EF24467E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
        
        C:\Windows\{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84ED8~1.EXE > nul
        7⤵
        
        PID:1436
        
        C:\Windows\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
        
        C:\Windows\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90878~1.EXE > nul
        8⤵
        
        PID:2820
        
        C:\Windows\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
        
        C:\Windows\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62C07~1.EXE > nul
        9⤵
        
        PID:1672
        
        C:\Windows\{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
        
        C:\Windows\{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
        
        C:\Windows\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1198~1.EXE > nul
        11⤵
        
        PID:1508
        
        C:\Windows\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe
        
        C:\Windows\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}.exe
        
        C:\Windows\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2C70~1.EXE > nul
        12⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F9C~1.EXE > nul
        10⤵
        
        PID:2112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04729~1.EXE > nul
        6⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22A61~1.EXE > nul
        5⤵
        
        PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00EA1CC3-B808-4994-970B-DBA4738B7337}.exe

Filesize
408KB

MD5
e3d2427232a6aada8f0f4bcd2c29bcc7

SHA1
340f8ab22a797932b2a8df83c1c03d57472a30dd

SHA256
7c57319cf9bd36af2b8f583fcc81906579e046667918b22399381745c26b5185

SHA512
797a80ee618a807766930c9916df1ad9824f7d9f590cb166fdfed55c2b3b5557b1856a237dba188d32cd5eac924f581a9f617398ef788152a5c3aeead8fa2f99

Download Submit
C:\Windows\{04729361-3A80-49c1-A106-DC4EF24467E5}.exe

Filesize
408KB

MD5
4375d18c1226a7dc795cb13765c6855b

SHA1
b3e9d42b9c1d5f4ec7a9e99c76ec46eecf1326ad

SHA256
b2586215c8ebf9db98537a366fb9a6db6902ec76112cf425df16939137907c48

SHA512
a3fb1e22a6fe593e1d267be11eae7ca3bb498ea83524b10a03194bd43ef71c7e934c1c52ca8e9f2695fc211c316d1170007b5e6bb97b8d046c54fadf1a0ee20d

Download Submit
C:\Windows\{22A61773-10FF-44e4-9ECC-DB7DAC62DA2B}.exe

Filesize
408KB

MD5
a171d8649b97963d26d8140846cb7c98

SHA1
dfa2868c54bf3e7b6df48c77fa070c170aa3c054

SHA256
1e51aca2ecbaf37ca75e314506e42d68429f4b421323ba325acc00587c48e608

SHA512
23f2a6d6a088c97a9b00432112644b999717c45af97e8b8db00fb0faf174d5411d3b7be589d96a747903d7187b921fa7f175fd0100eaf17d6e6c4900febb323f

Download Submit
C:\Windows\{5866B4AD-B1C7-4408-9252-59D462A63683}.exe

Filesize
408KB

MD5
2274d6b0df2db710a3b3078a71a67599

SHA1
23c20d5d4bae0103a94508fa98328dedafeb49bc

SHA256
a82cc30187aac71f3d5e1acd988f34f226857a480ed8904e2333dceea250b0ef

SHA512
19ca0731d2549b171f6ed0fbc4bc0c37de5fff5526442357c8aeb33e660ba8864d2b59207969abdb28c4912eb3a1fc3eff4256327a3c792039101fa3efe36e5f

Download Submit
C:\Windows\{62C07A9D-33DB-421a-B80A-2D8CAFCD3153}.exe

Filesize
408KB

MD5
8291f5d03137768d290a5c2a80eb9e2a

SHA1
73e286d6a0947a5d544af6930405b093da8c5711

SHA256
d672d33f97434f9b6f5c53a80eeb48a9ced249a60780ec397087463a86d94493

SHA512
aa260c6bc7656e61decc6f1473beeb5d35b0092c37d56f54be749941c690ecce6ee2ded4fbbf8757a72815e672115e1972b08fe47fb88bc9c2ffc5d0b1a0416d

Download Submit
C:\Windows\{78F9C910-DA6E-42af-B0B4-A179F455F62F}.exe

Filesize
408KB

MD5
ccd9716a8b94119698e45006d86e4377

SHA1
d8a1fc715102877d86077c424da48911b07bf0fc

SHA256
7c7ceda1e55035be93c2ef27fa42ef0729342ebd16d193e292ec2841bea54647

SHA512
65882ca994c095e1710965dfc07f16028e7a044f13d7a40083bd94e0cc4ab12dbb4817eafb65ec2322866af5deb75fda6c140badbeca1a36c592a1fb7f831f87

Download Submit
C:\Windows\{84ED8D34-28E5-4361-8C7E-380617FF927F}.exe

Filesize
408KB

MD5
aa81c3c8355c3e1d1e0230cc1a4033b4

SHA1
b7d4ead5d9831a6f316ee09765466097310cc818

SHA256
2eb71057e3313f1a1657a36a35de9d1a15a621b8e48471182a8b29c211ec5f9a

SHA512
0891c879cbe8a7c2a31f75b337fa4ff4c0be9cccf27450c64dc8972a491076cba56b15f58750bafbc58bee62515489bb8b129c61f1f53c3628e1ce0e14ca50c6

Download Submit
C:\Windows\{908782E1-5B61-4c0a-9AAF-A9BFCC4961EF}.exe

Filesize
408KB

MD5
2fa714f336a896ec8f08dbcbdb862b60

SHA1
3435f259d4e4179814747bd19638027787da5471

SHA256
a777cdeeaedf17d2bacd962988a363f3d351435ce416c108e821938bce8eb2c9

SHA512
1e8fcf13d0d721f2a2de27af016b71e3e4217ca9d2836a1d13fd7bba809970aa2e814a9ee79e243289ab0d42042b987016071bc44dd68db1b506c0203d5e5f54

Download Submit
C:\Windows\{EADAB099-9B66-400b-B99D-ABAF4F54F24F}.exe

Filesize
58KB

MD5
2b5c72fcbcb503547a33e059b83c94b1

SHA1
86511315b6c788ced33a2bd448d7166d7ef94899

SHA256
4bcc58fc6c7860ebd2484268e398ab02d36845c6765c7154f81fdb2bd6aec511

SHA512
f2a1d58676d290245f5a53319924a12b8a39d618cdd38dca48be28c8df89d5541bf8c1903ec9ca46495a3567c00e4508a55753baf7b6b6fcceb5d83e54e97cc9

Download Submit
C:\Windows\{F1198895-DFF2-45fa-B5BC-B8041DEB640D}.exe

Filesize
408KB

MD5
722858c739b023af7065cf41592f0bc4

SHA1
0f49299d7f0a5cb87c6fe5bc69af120c00507307

SHA256
575a3fa5a7735bbc587bb33b06c6c9c12c4fc26eadd160ab1782d4ad2109b327

SHA512
e9b1a82cadb33381b5dcda8f9d71252af4d5547be2de34985e3a15cf88d5e344756d19a7648bb11cd5ea6dc290e8471d98e29e07756aa15e75f06380b995ff9d

Download Submit
C:\Windows\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe

Filesize
408KB

MD5
806d6896d6565acb42e95a3a1963a0b9

SHA1
07d66cc76db85992d4adb331a410701f176d03a3

SHA256
8b65730ed56a76ebbb2c90f0ecb1f088fd1e9dd617a13e7c922f1bcfb832cd66

SHA512
09c2a461aeeed6afec49f7429c676768e233e37b5bad62690a1ef15f75f38e63e2e7b27102f33ae391de11f2a081fc4fae96dbdc93ef6832bd0012b57f7901d3

Download Submit
C:\Windows\{F2C70470-3CE8-4f9e-B54E-F8F15F613B7F}.exe

Filesize
178KB

MD5
2d6c7916d9eff33984f906a19f94f1aa

SHA1
42104e210c40d337dee2b65a88546bf5a32cdefc

SHA256
d31000b9a615d6159107a3d5087f87689466c325010e2641bc68ac9c86c056bc

SHA512
83a98cd9671c398391a13d859986f7a360fc499948dc2cb0d203ebc5fbb1736714e50f868efc8ce88fb9c621d16533f2d8c2d104bedb5aacec512be8767b91f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads