5bb096797906802cc6d002a53987507872df8d38802dfb9ba0eb41167514d8e0

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Size

408KB
MD5

39a5887e6b7ca409173d96fa52f388b5
SHA1

a17da4aa62842e4e9f11430faf5752633bae59ef
SHA256

5bb096797906802cc6d002a53987507872df8d38802dfb9ba0eb41167514d8e0
SHA512

f947a2a08c0886e735d76b967305c75be25e7548a46b2fa449725d84fd7bbd7670067cf52c83aa83ce14d53dee65c3b8fcd84a8ddd46d1b189b718080d8ffdc2
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001232c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000013a6e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}\stubpath = "C:\\Windows\\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe"	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}	{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D654A15-CE8A-445f-9E69-27457D14DC95}	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C744D1-B561-474b-ADE9-D3D5579DC76E}	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C744D1-B561-474b-ADE9-D3D5579DC76E}\stubpath = "C:\\Windows\\{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe"	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}\stubpath = "C:\\Windows\\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe"	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1226ECD4-11E7-48ae-9528-856373E6187C}\stubpath = "C:\\Windows\\{1226ECD4-11E7-48ae-9528-856373E6187C}.exe"	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B114E6-BC5C-424c-8215-A4415024F74E}	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD51E97-910E-42ae-875D-2E3EEC26989B}\stubpath = "C:\\Windows\\{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe"	{BA14EE1C-5D78-4206-BC68-420741877997}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}\stubpath = "C:\\Windows\\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe"	{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D654A15-CE8A-445f-9E69-27457D14DC95}\stubpath = "C:\\Windows\\{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe"	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1226ECD4-11E7-48ae-9528-856373E6187C}	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B114E6-BC5C-424c-8215-A4415024F74E}\stubpath = "C:\\Windows\\{64B114E6-BC5C-424c-8215-A4415024F74E}.exe"	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA521258-1DD9-460b-910A-537CF79C011D}	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA521258-1DD9-460b-910A-537CF79C011D}\stubpath = "C:\\Windows\\{EA521258-1DD9-460b-910A-537CF79C011D}.exe"	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD51E97-910E-42ae-875D-2E3EEC26989B}	{BA14EE1C-5D78-4206-BC68-420741877997}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60C21CA-A566-4b20-A015-412F3B2EE77C}	{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA14EE1C-5D78-4206-BC68-420741877997}	{EA521258-1DD9-460b-910A-537CF79C011D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA14EE1C-5D78-4206-BC68-420741877997}\stubpath = "C:\\Windows\\{BA14EE1C-5D78-4206-BC68-420741877997}.exe"	{EA521258-1DD9-460b-910A-537CF79C011D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60C21CA-A566-4b20-A015-412F3B2EE77C}\stubpath = "C:\\Windows\\{B60C21CA-A566-4b20-A015-412F3B2EE77C}.exe"	{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe
1048	{BA14EE1C-5D78-4206-BC68-420741877997}.exe
2112	{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe
672	{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe
540	{B60C21CA-A566-4b20-A015-412F3B2EE77C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
File created	C:\Windows\{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
File created	C:\Windows\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
File created	C:\Windows\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
File created	C:\Windows\{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe	{BA14EE1C-5D78-4206-BC68-420741877997}.exe
File created	C:\Windows\{B60C21CA-A566-4b20-A015-412F3B2EE77C}.exe	{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe
File created	C:\Windows\{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
File created	C:\Windows\{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
File created	C:\Windows\{EA521258-1DD9-460b-910A-537CF79C011D}.exe	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
File created	C:\Windows\{BA14EE1C-5D78-4206-BC68-420741877997}.exe	{EA521258-1DD9-460b-910A-537CF79C011D}.exe
File created	C:\Windows\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe	{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
Token: SeIncBasePriorityPrivilege	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
Token: SeIncBasePriorityPrivilege	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
Token: SeIncBasePriorityPrivilege	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
Token: SeIncBasePriorityPrivilege	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
Token: SeIncBasePriorityPrivilege	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
Token: SeIncBasePriorityPrivilege	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe
Token: SeIncBasePriorityPrivilege	1048	{BA14EE1C-5D78-4206-BC68-420741877997}.exe
Token: SeIncBasePriorityPrivilege	2112	{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe
Token: SeIncBasePriorityPrivilege	672	{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2500	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	28
PID 1964 wrote to memory of 2500	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	28
PID 1964 wrote to memory of 2500	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	28
PID 1964 wrote to memory of 2500	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	28
PID 1964 wrote to memory of 2908	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	29
PID 1964 wrote to memory of 2908	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	29
PID 1964 wrote to memory of 2908	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	29
PID 1964 wrote to memory of 2908	1964	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	29
PID 2500 wrote to memory of 2648	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	30
PID 2500 wrote to memory of 2648	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	30
PID 2500 wrote to memory of 2648	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	30
PID 2500 wrote to memory of 2648	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	30
PID 2500 wrote to memory of 2096	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	31
PID 2500 wrote to memory of 2096	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	31
PID 2500 wrote to memory of 2096	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	31
PID 2500 wrote to memory of 2096	2500	{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe	31
PID 2648 wrote to memory of 2868	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	33
PID 2648 wrote to memory of 2868	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	33
PID 2648 wrote to memory of 2868	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	33
PID 2648 wrote to memory of 2868	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	33
PID 2648 wrote to memory of 2456	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	32
PID 2648 wrote to memory of 2456	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	32
PID 2648 wrote to memory of 2456	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	32
PID 2648 wrote to memory of 2456	2648	{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe	32
PID 2868 wrote to memory of 1608	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	37
PID 2868 wrote to memory of 1608	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	37
PID 2868 wrote to memory of 1608	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	37
PID 2868 wrote to memory of 1608	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	37
PID 2868 wrote to memory of 1428	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	36
PID 2868 wrote to memory of 1428	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	36
PID 2868 wrote to memory of 1428	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	36
PID 2868 wrote to memory of 1428	2868	{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe	36
PID 1608 wrote to memory of 2396	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	39
PID 1608 wrote to memory of 2396	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	39
PID 1608 wrote to memory of 2396	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	39
PID 1608 wrote to memory of 2396	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	39
PID 1608 wrote to memory of 112	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	38
PID 1608 wrote to memory of 112	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	38
PID 1608 wrote to memory of 112	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	38
PID 1608 wrote to memory of 112	1608	{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe	38
PID 2396 wrote to memory of 2300	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	41
PID 2396 wrote to memory of 2300	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	41
PID 2396 wrote to memory of 2300	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	41
PID 2396 wrote to memory of 2300	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	41
PID 2396 wrote to memory of 1496	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	40
PID 2396 wrote to memory of 1496	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	40
PID 2396 wrote to memory of 1496	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	40
PID 2396 wrote to memory of 1496	2396	{1226ECD4-11E7-48ae-9528-856373E6187C}.exe	40
PID 2300 wrote to memory of 1600	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	42
PID 2300 wrote to memory of 1600	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	42
PID 2300 wrote to memory of 1600	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	42
PID 2300 wrote to memory of 1600	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	42
PID 2300 wrote to memory of 1780	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	43
PID 2300 wrote to memory of 1780	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	43
PID 2300 wrote to memory of 1780	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	43
PID 2300 wrote to memory of 1780	2300	{64B114E6-BC5C-424c-8215-A4415024F74E}.exe	43
PID 1600 wrote to memory of 1048	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	44
PID 1600 wrote to memory of 1048	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	44
PID 1600 wrote to memory of 1048	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	44
PID 1600 wrote to memory of 1048	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	44
PID 1600 wrote to memory of 2020	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	45
PID 1600 wrote to memory of 2020	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	45
PID 1600 wrote to memory of 2020	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	45
PID 1600 wrote to memory of 2020	1600	{EA521258-1DD9-460b-910A-537CF79C011D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
  C:\Windows\{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
    C:\Windows\{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{99C74~1.EXE > nul
      4⤵
      PID:2456
  - - C:\Windows\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
      C:\Windows\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89AD5~1.EXE > nul
        5⤵
        
        PID:1428
    - - C:\Windows\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
        
        C:\Windows\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A92~1.EXE > nul
        6⤵
        
        PID:112
      - C:\Windows\{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
        
        C:\Windows\{1226ECD4-11E7-48ae-9528-856373E6187C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1226E~1.EXE > nul
        7⤵
        
        PID:1496
        
        C:\Windows\{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
        
        C:\Windows\{64B114E6-BC5C-424c-8215-A4415024F74E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{EA521258-1DD9-460b-910A-537CF79C011D}.exe
        
        C:\Windows\{EA521258-1DD9-460b-910A-537CF79C011D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{BA14EE1C-5D78-4206-BC68-420741877997}.exe
        
        C:\Windows\{BA14EE1C-5D78-4206-BC68-420741877997}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe
        
        C:\Windows\{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD51~1.EXE > nul
        11⤵
        
        PID:984
        
        C:\Windows\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe
        
        C:\Windows\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DCC8~1.EXE > nul
        12⤵
        
        PID:840
        
        C:\Windows\{B60C21CA-A566-4b20-A015-412F3B2EE77C}.exe
        
        C:\Windows\{B60C21CA-A566-4b20-A015-412F3B2EE77C}.exe
        12⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA14E~1.EXE > nul
        10⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA521~1.EXE > nul
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64B11~1.EXE > nul
        8⤵
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D654~1.EXE > nul
    3⤵
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1226ECD4-11E7-48ae-9528-856373E6187C}.exe

Filesize
408KB

MD5
acd6be85ed5cd4515d05819945a91a6a

SHA1
1471d7ec0a35d1cf685e7a21cfecca45a9d60188

SHA256
599aeee3cbe0e6dd966818677fc9c03f7a02fd42e2c4324da2e0a247937e900c

SHA512
c842d47f205e343a62070d3c8f4fbaaf6dd2d6136591d0a60a1c0b166c73a04ffd56be66377f8b6709df50b8b6a5ca0e8015f5345e0fbf81c3601164c642f94b

Download Submit
C:\Windows\{2D654A15-CE8A-445f-9E69-27457D14DC95}.exe

Filesize
408KB

MD5
ca6be349e0df786d4a14cdae27ef05e8

SHA1
eec036c78fbbd90fb60f3381a8255869111ef0b5

SHA256
97be68b5ced19761a77eb668486d9f77935023c8bea03470eed16ac0f9722f56

SHA512
d7c9013414df659d111d243937478bc6a9e8db03cbda5cc935f95b4a50869b56cb34432e85a46b2a88fe0c85557c06035abb2e0f6dc9db2c10c4cd0a7cea781d

Download Submit
C:\Windows\{4AD51E97-910E-42ae-875D-2E3EEC26989B}.exe

Filesize
408KB

MD5
b31a912356c2d940deb50e0d8c6d26df

SHA1
0402012eeb51915e25b353632e7c326ae25fa87a

SHA256
0f541c674aafb8002f25d6b837e1445a8d524f2dfe2a5dc38d1f3e4ec4413d3c

SHA512
d7a3140d8efc43baf0389c7852c2cfce51ce36f16760d391e53917c4a5973f19719b2f5ddb50ed2b726bace201a5bbdc0d3704009f86655774fb3c15738482cf

Download Submit
C:\Windows\{5DCC899D-8A51-4f72-874A-8B2F8D037C17}.exe

Filesize
408KB

MD5
836329a01334d3109e1a5d2c1885caf9

SHA1
3e00fa4b574004bc034ed6d3b4a236d6477002a6

SHA256
c76c3330a9722e061d460aec7e7cdd5345daa3a768f09bc563008a09d1a68a2c

SHA512
c483abec3d4ef841e8b2e84116e14332998668bc52ba3237cc1ac7de2cfd6325e9fac1e0532af221d07f5b96f27e4feb624a926c653c7ba679a55593fd563358

Download Submit
C:\Windows\{64B114E6-BC5C-424c-8215-A4415024F74E}.exe

Filesize
408KB

MD5
41e39536d89c70a8a5fa2c2a56bb818c

SHA1
89c254afe4ea8f517227d5dc305015ad87939faa

SHA256
11f88c8ef599107003a3caf01755913d4d9878ef376cb16cb97c75812ef962b1

SHA512
9942fc4443637ec9f96e321a7751c8a19e00193b077683f9198f3f213a4c892c601cabfc9214d72267100b23a58410f44c6ed176f45c8985392676b4b4b815f9

Download Submit
C:\Windows\{71A9252C-6D1C-4c31-805B-F2E5F9DC2985}.exe

Filesize
408KB

MD5
a6d8e504f9c5ced919ab3c6798afcf26

SHA1
f436b61c6b11e532c54aa170747cfbf6fef71ed9

SHA256
bc1dc37003e66083c7137fd6da79449c933121ba25860da3904647f6f3012688

SHA512
0eeb22f6024f58bce1012cff9694f6ba03d0233af22e538f576809f0d88ddb0f9347349a65b4751bdc7792d267f4824c237e32b8a8f18c123c01f61b71a2093d

Download Submit
C:\Windows\{89AD5A22-DB8C-4b53-AC18-C52CBEC211F7}.exe

Filesize
408KB

MD5
20c56dfc0932aa36f71175bc485c8c22

SHA1
c2cb8eb1c8af432e3303bd66c278e1a3b4df7b9b

SHA256
94aa56ba1bb7fd9de993c88fabdc8ae304c87e676f33d9e4a94208c9513f0b39

SHA512
d2d69d0f65fa704055f14e79977fe6884599b6c2584c15f76908027565fb6f2fca4ff012b6505002843a739bf0554a630980e0c84f5526228549fa148bf8001d

Download Submit
C:\Windows\{99C744D1-B561-474b-ADE9-D3D5579DC76E}.exe

Filesize
408KB

MD5
f0855a989aaff572cf4b0ab806486262

SHA1
d67e8d16a322bba21fa9c13fed8a744029e4a667

SHA256
f48798acf7a5afc27c5b5274dd5d1eb3d05671f8dd3d89604f043ef3313c9f3a

SHA512
db4ca1855953fe5aa2829d13b37793cce6903e64374404ead602e9b01dc3ac3a1c706419f1813afe8ba51759b1c5cd92c9d88c03f0b93519206fb388217ed439

Download Submit
C:\Windows\{B60C21CA-A566-4b20-A015-412F3B2EE77C}.exe

Filesize
408KB

MD5
280b154842d941042fb617db5e3589a8

SHA1
03799b2bbb8ba431a2864a11d67344b0023c794e

SHA256
f5438bada901c362625da5efd324c1b3b846937b1217a36e14e5ac18d143dcd7

SHA512
f7448bb2c2bae2faba40981565614e9391277b77b8ce2739cf839678fbbefa8fdda1c6635458ab04587aca065ce32e34763967cb0bfaff0c268317640de4c676

Download Submit
C:\Windows\{BA14EE1C-5D78-4206-BC68-420741877997}.exe

Filesize
408KB

MD5
54b825141d3e6e3bd7029edc0d72392b

SHA1
98ef407b8ab579f3a9250c6b69a17577bdc07cf3

SHA256
481e2ec7ae28871c11c6a67d4bd6258b9a89f36a17c942cf9cd9fc11f0c02ad9

SHA512
faf1bae0815fcb9a1414e07644067c1f0614525c587d255bc141c8d13e70ea828317a74fad2449d79c7592fce21a7310e0eaa6fc070c46942a163bb2ede26809

Download Submit
C:\Windows\{BA14EE1C-5D78-4206-BC68-420741877997}.exe

Filesize
79KB

MD5
e13a334c3c5cca1e6e015cfbaa8122b5

SHA1
a0b7f9ce193beea02491b65b88f041bfa31b1ea1

SHA256
709d4687603e9f4b980ffaeb810fe1d4c4456184f1072e02bf0dfe8e910a5619

SHA512
3ba0ba776fcb2b766b23260ec24ea94f708b0b1de24fb10a9ea736abe84c8ba39df95e5d96c2188127a877939c7bd98ab8da65e8db7c2f125e15e80e09aa60ee

Download Submit
C:\Windows\{EA521258-1DD9-460b-910A-537CF79C011D}.exe

Filesize
408KB

MD5
8218281df11c51982a30f582e3cd08d1

SHA1
d2f87c6160f7cc428ce180d22e72f4444f8c8439

SHA256
8eeb8cd3392f473c2b5ec5d55363196858c49d510336b247a33ee7a348e23cb4

SHA512
79c01207733f54d986d5ef3aa5632ef54771742da0c341c96069529ef7e129e5032e24ceb5f27e04cab45221bafa476f494b3efc254dd0d217cf92da545637ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads