8598d672aa51aef99b6d01afaf3d21a7f2327898d8928d678aa844f0d7a030f5

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe
Size

204KB
MD5

4a3b522526cdc234bfb76c6987137247
SHA1

2eaa67efa2e16eefdb093a597ef44844b0f56109
SHA256

8598d672aa51aef99b6d01afaf3d21a7f2327898d8928d678aa844f0d7a030f5
SHA512

2fa4f9804e244fce535253c45987eb0f02dd427017673e62de3206741774e74a85106ab4dfbaa9396ff8177028720b5c36c6e085b3937e1c2cc18de1d23c54f2
SSDEEP

1536:1EGh0o5l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o5l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000f00000001226b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c71-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001226b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001226b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001226b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000001226b-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000001226b-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{152202BC-9D22-4a49-9480-4D192FBA0B97}\stubpath = "C:\\Windows\\{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe"	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}\stubpath = "C:\\Windows\\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe"	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}\stubpath = "C:\\Windows\\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe"	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}\stubpath = "C:\\Windows\\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe"	{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64026B5B-BECD-49fc-942A-3265DDF31EB9}\stubpath = "C:\\Windows\\{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe"	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}\stubpath = "C:\\Windows\\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe"	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64026B5B-BECD-49fc-942A-3265DDF31EB9}	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{152202BC-9D22-4a49-9480-4D192FBA0B97}	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}\stubpath = "C:\\Windows\\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe"	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}\stubpath = "C:\\Windows\\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe"	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7043DC6C-7E8F-4458-BF61-24E2913841A7}\stubpath = "C:\\Windows\\{7043DC6C-7E8F-4458-BF61-24E2913841A7}.exe"	{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}\stubpath = "C:\\Windows\\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe"	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}	{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}	{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}\stubpath = "C:\\Windows\\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe"	{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7043DC6C-7E8F-4458-BF61-24E2913841A7}	{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe
2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe
1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
440	{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
2724	{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
2336	{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe
1788	{7043DC6C-7E8F-4458-BF61-24E2913841A7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
File created	C:\Windows\{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
File created	C:\Windows\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
File created	C:\Windows\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe	{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
File created	C:\Windows\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe	{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
File created	C:\Windows\{7043DC6C-7E8F-4458-BF61-24E2913841A7}.exe	{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe
File created	C:\Windows\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe
File created	C:\Windows\{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
File created	C:\Windows\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
File created	C:\Windows\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe
File created	C:\Windows\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe
Token: SeIncBasePriorityPrivilege	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
Token: SeIncBasePriorityPrivilege	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
Token: SeIncBasePriorityPrivilege	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
Token: SeIncBasePriorityPrivilege	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe
Token: SeIncBasePriorityPrivilege	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
Token: SeIncBasePriorityPrivilege	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
Token: SeIncBasePriorityPrivilege	440	{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
Token: SeIncBasePriorityPrivilege	2724	{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
Token: SeIncBasePriorityPrivilege	2336	{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2200	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	28
PID 1960 wrote to memory of 2200	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	28
PID 1960 wrote to memory of 2200	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	28
PID 1960 wrote to memory of 2200	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	28
PID 1960 wrote to memory of 2604	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	29
PID 1960 wrote to memory of 2604	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	29
PID 1960 wrote to memory of 2604	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	29
PID 1960 wrote to memory of 2604	1960	2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe	29
PID 2200 wrote to memory of 2872	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	30
PID 2200 wrote to memory of 2872	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	30
PID 2200 wrote to memory of 2872	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	30
PID 2200 wrote to memory of 2872	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	30
PID 2200 wrote to memory of 2392	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	31
PID 2200 wrote to memory of 2392	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	31
PID 2200 wrote to memory of 2392	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	31
PID 2200 wrote to memory of 2392	2200	{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe	31
PID 2872 wrote to memory of 2828	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	32
PID 2872 wrote to memory of 2828	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	32
PID 2872 wrote to memory of 2828	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	32
PID 2872 wrote to memory of 2828	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	32
PID 2872 wrote to memory of 2636	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	33
PID 2872 wrote to memory of 2636	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	33
PID 2872 wrote to memory of 2636	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	33
PID 2872 wrote to memory of 2636	2872	{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe	33
PID 2828 wrote to memory of 2244	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	36
PID 2828 wrote to memory of 2244	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	36
PID 2828 wrote to memory of 2244	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	36
PID 2828 wrote to memory of 2244	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	36
PID 2828 wrote to memory of 1664	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	37
PID 2828 wrote to memory of 1664	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	37
PID 2828 wrote to memory of 1664	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	37
PID 2828 wrote to memory of 1664	2828	{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe	37
PID 2244 wrote to memory of 1436	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	38
PID 2244 wrote to memory of 1436	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	38
PID 2244 wrote to memory of 1436	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	38
PID 2244 wrote to memory of 1436	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	38
PID 2244 wrote to memory of 620	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	39
PID 2244 wrote to memory of 620	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	39
PID 2244 wrote to memory of 620	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	39
PID 2244 wrote to memory of 620	2244	{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe	39
PID 1436 wrote to memory of 1496	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	40
PID 1436 wrote to memory of 1496	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	40
PID 1436 wrote to memory of 1496	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	40
PID 1436 wrote to memory of 1496	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	40
PID 1436 wrote to memory of 1660	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	41
PID 1436 wrote to memory of 1660	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	41
PID 1436 wrote to memory of 1660	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	41
PID 1436 wrote to memory of 1660	1436	{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe	41
PID 1496 wrote to memory of 1780	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	42
PID 1496 wrote to memory of 1780	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	42
PID 1496 wrote to memory of 1780	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	42
PID 1496 wrote to memory of 1780	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	42
PID 1496 wrote to memory of 2736	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	43
PID 1496 wrote to memory of 2736	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	43
PID 1496 wrote to memory of 2736	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	43
PID 1496 wrote to memory of 2736	1496	{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe	43
PID 1780 wrote to memory of 440	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	44
PID 1780 wrote to memory of 440	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	44
PID 1780 wrote to memory of 440	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	44
PID 1780 wrote to memory of 440	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	44
PID 1780 wrote to memory of 2240	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	45
PID 1780 wrote to memory of 2240	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	45
PID 1780 wrote to memory of 2240	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	45
PID 1780 wrote to memory of 2240	1780	{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_4a3b522526cdc234bfb76c6987137247_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe
  C:\Windows\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
    C:\Windows\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
      C:\Windows\{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
        
        C:\Windows\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe
        
        C:\Windows\{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
        
        C:\Windows\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
        
        C:\Windows\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
        
        C:\Windows\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
        
        C:\Windows\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe
        
        C:\Windows\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{7043DC6C-7E8F-4458-BF61-24E2913841A7}.exe
        
        C:\Windows\{7043DC6C-7E8F-4458-BF61-24E2913841A7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{334D2~1.EXE > nul
        12⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A3A9~1.EXE > nul
        11⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FCC6~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A33D7~1.EXE > nul
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85B2C~1.EXE > nul
        8⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15220~1.EXE > nul
        7⤵
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F42FA~1.EXE > nul
        6⤵
        
        PID:620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64026~1.EXE > nul
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{69D2E~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0FBCE~1.EXE > nul
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FBCE8AE-2BAA-4e04-A381-18E773E886CC}.exe

Filesize
204KB

MD5
b4202a87ec0de5b0ff425f2bd9857ae1

SHA1
a11f640f6adbbf3bcaa39436649eb6115f0ad307

SHA256
65055b059568e1f45e4704c109e6e5024d370788b10831fef15aa7ff0c602467

SHA512
424f59272d158f954162f94c70c72f02987ca819c83b2458095e242b6f796347e5c2342377ffb3af56108b39bd7412487cb7aff839903d0e678bd03222c0c72c

Download Submit
C:\Windows\{152202BC-9D22-4a49-9480-4D192FBA0B97}.exe

Filesize
204KB

MD5
e74c3d3d4458d99da8bd7bf231324242

SHA1
b2c984aac02eaa058f51622b928ec010243e4a83

SHA256
7d1730110ff93ba8fb437bb00e6e024ca9a89a1bcce2281f96166f47e133d11d

SHA512
65e6e2b558188fe32716f962fbc5feba0eb0cd27fc8d43912e78227315c750288f86b6f2d7ca50b8de9df204add2d76dacf8883c529e76495405e56f1976fb04

Download Submit
C:\Windows\{334D2193-1B49-45bc-ABE7-25EB1B081D4C}.exe

Filesize
204KB

MD5
5349141a67d09f01ed6f47c5148dbc06

SHA1
199b9ae5776396f7c053d5521d63796822bd70f8

SHA256
7294067c0fe5d89838f49141865396fdabbbc42a9dbecd61ffc544ec853793aa

SHA512
40d83c289f465b16879a90a2e7f0f848289a008938575ede204cbbe695e6c1385f81e8bf93949ddb2f5501d03a82418773be370150793ab0637b58c6a87e1890

Download Submit
C:\Windows\{4FCC6A63-4155-4d13-83E4-DBF27F4ED843}.exe

Filesize
204KB

MD5
b5a53d0d09f9896926f9b7c7ed037a6e

SHA1
fbe55ad0d3e5fa39c22b43a49be5f38364327ed4

SHA256
ae2e075bfb5505424e556ad7a62503fde2820b1ba6c4da23f61fa405569a1d6b

SHA512
1c1acc0ccee6182c4db51e180d29ab24d9c6aef3363e35f8650cc4ceb1072ba4fb08821a4d233d3e731d47e2fcbb85951b03345020202d950272218084bfc379

Download Submit
C:\Windows\{64026B5B-BECD-49fc-942A-3265DDF31EB9}.exe

Filesize
204KB

MD5
466eb2ee6cc6a00ae540c56b5350d3d1

SHA1
03f9dcb0ff29562d03c59849c6b036011f97d6a6

SHA256
a5f08a0af0f3a48d9686e18ad5ddff92c3a65b6186ade644c3b081d220d4639f

SHA512
583ccee42ada82d33cc9b28f18c6d6b50d1e5cc45031f43e2a6d0bc9676dc53e9ff63a0513e0105e573f5bb7a89aa926d369b3184a6deb796a685850cb64018a

Download Submit
C:\Windows\{69D2E03C-7980-42f9-84FF-C0A249B7A2D9}.exe

Filesize
204KB

MD5
28c285f1aecfea876c42603875acbb0e

SHA1
2618058d316c0cd1a12814492851ae7f598a84c7

SHA256
ff3db1e506e479d0c67e98082cc9f4334b06e95d0916ef7f08910ccc35246108

SHA512
bc6adead99c5db4d941203338f70500564cb42c7d51e4241f64d9ab9ba7a4fe5875c07e9e334a0f9f5f241d218ce05b6efd9c5b731c715f5a37e4ee058c97d9f

Download Submit
C:\Windows\{7043DC6C-7E8F-4458-BF61-24E2913841A7}.exe

Filesize
204KB

MD5
5c10531bc71f4c975f75e7679e632c0b

SHA1
62d019667171c58f530173ba8b9324d521294806

SHA256
70575b8f8cd1abf5507bbafc95e4fda4c364f7bdf23ccaa43c22604501209054

SHA512
097baefbb08601d319b2201364c7ea9595c18b344aa185125aef7bb47215db4b4db9e516a4acdb1471268decdea2cf1f98a91f48ac06c73628977db976af1bba

Download Submit
C:\Windows\{7A3A9F0A-C38A-42b2-AA04-AFC9B7804FC8}.exe

Filesize
204KB

MD5
6fd1ea6d1276d634044a782cc6a14c57

SHA1
69c445823feafabe72509098eca5f7f63f95a11c

SHA256
26e82ba472ade1607ab00125597057779594bbf22fab28f93eac99e50d8cf987

SHA512
552663501a22ec4727880e2435991b6ff7b9ba32e9683f5bcec0fe4019e17c2c8a2e608d258ae7b79080ea4b594dfd25de2c6868ae760adfbe966f66ab758f70

Download Submit
C:\Windows\{85B2C1BA-FAB8-42b6-8545-82BCC9910749}.exe

Filesize
204KB

MD5
c84bdda06af1df263d43d14a67a8c088

SHA1
36ddf5042a40143227e535a4785cd10eb6b2884f

SHA256
1c003fdb84be923d9c127916f82ad4e0f26c36aa1e57b8484f5b53f74d9e7ba7

SHA512
768083f71377cad99192a4761d137d5a8be504944a7df51fae44df1b307f04fddb87c2a1bd2156e96e64ac7412de1dc98edce066004125eefbd48874b4ecb5e2

Download Submit
C:\Windows\{A33D7DDA-FB03-4c67-B6A0-1B8666D6E086}.exe

Filesize
204KB

MD5
570878d9e78059d1c666a9eb874638a1

SHA1
af8e3187d9940b86e575210f2bda7582f93e4655

SHA256
fd1892a3461cdb2eb2fda336b55b315191f8ca1c930011bb653130627746f7e7

SHA512
8e071ae80281dafcce75db55dcf2c957a860cefe79a8887f60b99f9d507a62d65fc9e42695e583cc7cb8e03511021533c75e7bb029794634f1c28d77c639017a

Download Submit
C:\Windows\{F42FA0CE-6F15-4b87-B7F7-FB1AEA7687C0}.exe

Filesize
204KB

MD5
9c4b273542731685ccb74608dc156dfc

SHA1
c33025ecd4e189b6e71498dd9ebcfe18539118c6

SHA256
c61740d010ae9fb26e17670c0b5afcf0f2493ad54fe6c14661a5e76ee05a7b32

SHA512
143409ab875584329c4e74b12d77806ae37336361a25da5e1050dc08351d00a21e631c6ef931ad025c61b764a5882919ae16425565c16557dfe3d5b3f0adbf9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads