a6bc704a2097160cca4ec3d5e71e22afccca9ed47e57d5e789248dc5ac2dcf3f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Size

344KB
MD5

227d7b377cff96068fbb75ee0c57b572
SHA1

a5d1142c3b040452a796057988829216613f7b7a
SHA256

a6bc704a2097160cca4ec3d5e71e22afccca9ed47e57d5e789248dc5ac2dcf3f
SHA512

5402b1e324f3c7d4ee99720c6fdea35d4a9ef0507e2a1d7c556eac8f519cc8dec85b88d84b0db9acc7b19903cf0539d30139b835bf1facffa3129bfcf4df2b0a
SSDEEP

3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000016176-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016287-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016176-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001650c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016176-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016176-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001650c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016176-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001650c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}\stubpath = "C:\\Windows\\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe"	{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}\stubpath = "C:\\Windows\\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe"	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}	{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D61DD46F-6D96-498f-AB66-560A6070469A}	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}\stubpath = "C:\\Windows\\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe"	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0485BC84-DAF9-4deb-8010-E68132652DA5}\stubpath = "C:\\Windows\\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe"	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}	{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}	{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}\stubpath = "C:\\Windows\\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe"	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0485BC84-DAF9-4deb-8010-E68132652DA5}	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}\stubpath = "C:\\Windows\\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe"	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DCF3296-796A-497a-8647-565073A58DA5}	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}	{7DCF3296-796A-497a-8647-565073A58DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D61DD46F-6D96-498f-AB66-560A6070469A}\stubpath = "C:\\Windows\\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe"	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}\stubpath = "C:\\Windows\\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe"	{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}\stubpath = "C:\\Windows\\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe"	{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DCF3296-796A-497a-8647-565073A58DA5}\stubpath = "C:\\Windows\\{7DCF3296-796A-497a-8647-565073A58DA5}.exe"	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}\stubpath = "C:\\Windows\\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe"	{7DCF3296-796A-497a-8647-565073A58DA5}.exe

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe
2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
1904	{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
2852	{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
2332	{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
640	{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
File created	C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	{7DCF3296-796A-497a-8647-565073A58DA5}.exe
File created	C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
File created	C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
File created	C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
File created	C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
File created	C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
File created	C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
File created	C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe	{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
File created	C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe	{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
File created	C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe	{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe
Token: SeIncBasePriorityPrivilege	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
Token: SeIncBasePriorityPrivilege	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
Token: SeIncBasePriorityPrivilege	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
Token: SeIncBasePriorityPrivilege	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
Token: SeIncBasePriorityPrivilege	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
Token: SeIncBasePriorityPrivilege	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
Token: SeIncBasePriorityPrivilege	1904	{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
Token: SeIncBasePriorityPrivilege	2852	{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
Token: SeIncBasePriorityPrivilege	2332	{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1940	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	28
PID 2044 wrote to memory of 1940	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	28
PID 2044 wrote to memory of 1940	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	28
PID 2044 wrote to memory of 1940	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	28
PID 2044 wrote to memory of 2396	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	29
PID 2044 wrote to memory of 2396	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	29
PID 2044 wrote to memory of 2396	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	29
PID 2044 wrote to memory of 2396	2044	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	29
PID 1940 wrote to memory of 2584	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	30
PID 1940 wrote to memory of 2584	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	30
PID 1940 wrote to memory of 2584	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	30
PID 1940 wrote to memory of 2584	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	30
PID 1940 wrote to memory of 2688	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	31
PID 1940 wrote to memory of 2688	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	31
PID 1940 wrote to memory of 2688	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	31
PID 1940 wrote to memory of 2688	1940	{7DCF3296-796A-497a-8647-565073A58DA5}.exe	31
PID 2584 wrote to memory of 2744	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	32
PID 2584 wrote to memory of 2744	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	32
PID 2584 wrote to memory of 2744	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	32
PID 2584 wrote to memory of 2744	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	32
PID 2584 wrote to memory of 2868	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	33
PID 2584 wrote to memory of 2868	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	33
PID 2584 wrote to memory of 2868	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	33
PID 2584 wrote to memory of 2868	2584	{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe	33
PID 2744 wrote to memory of 2556	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	36
PID 2744 wrote to memory of 2556	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	36
PID 2744 wrote to memory of 2556	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	36
PID 2744 wrote to memory of 2556	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	36
PID 2744 wrote to memory of 2796	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	37
PID 2744 wrote to memory of 2796	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	37
PID 2744 wrote to memory of 2796	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	37
PID 2744 wrote to memory of 2796	2744	{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe	37
PID 2556 wrote to memory of 1988	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	38
PID 2556 wrote to memory of 1988	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	38
PID 2556 wrote to memory of 1988	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	38
PID 2556 wrote to memory of 1988	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	38
PID 2556 wrote to memory of 940	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	39
PID 2556 wrote to memory of 940	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	39
PID 2556 wrote to memory of 940	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	39
PID 2556 wrote to memory of 940	2556	{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe	39
PID 1988 wrote to memory of 2360	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	40
PID 1988 wrote to memory of 2360	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	40
PID 1988 wrote to memory of 2360	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	40
PID 1988 wrote to memory of 2360	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	40
PID 1988 wrote to memory of 952	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	41
PID 1988 wrote to memory of 952	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	41
PID 1988 wrote to memory of 952	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	41
PID 1988 wrote to memory of 952	1988	{D61DD46F-6D96-498f-AB66-560A6070469A}.exe	41
PID 2360 wrote to memory of 1708	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	42
PID 2360 wrote to memory of 1708	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	42
PID 2360 wrote to memory of 1708	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	42
PID 2360 wrote to memory of 1708	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	42
PID 2360 wrote to memory of 1736	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	43
PID 2360 wrote to memory of 1736	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	43
PID 2360 wrote to memory of 1736	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	43
PID 2360 wrote to memory of 1736	2360	{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe	43
PID 1708 wrote to memory of 1904	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	44
PID 1708 wrote to memory of 1904	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	44
PID 1708 wrote to memory of 1904	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	44
PID 1708 wrote to memory of 1904	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	44
PID 1708 wrote to memory of 1664	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	45
PID 1708 wrote to memory of 1664	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	45
PID 1708 wrote to memory of 1664	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	45
PID 1708 wrote to memory of 1664	1708	{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe
  C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
    C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
      C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
        
        C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
        
        C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
        
        C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
        
        C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
        
        C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
        
        C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
        
        C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe
        
        C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe
        12⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59B90~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39390~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82DE1~1.EXE > nul
        10⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0485B~1.EXE > nul
        9⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E16B~1.EXE > nul
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D61DD~1.EXE > nul
        7⤵
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB84C~1.EXE > nul
        6⤵
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{719CA~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A13D~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DCF3~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe

Filesize
344KB

MD5
15dd62c11ca89f32577609166d649f86

SHA1
b6239ce81f480ff5dc6fa426fdafb5c336854352

SHA256
33a246b289779912ecb4fd6f41b31603acfe1e51e94e52dc88c2e1bcee8d4af3

SHA512
0bc111f3d04f19f158a367ea2cb10a80ee0a2dd17513c31d4eab40cd198b4ae277553ee5fe2ad8c97bcd228145b7b1abb354e0fba6761883fa48a06bace9f923

Download Submit
C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe

Filesize
344KB

MD5
ca825449638ef9e611a6f764c67c7f25

SHA1
17e2875f6788a52a788b11f05cff953fdfa4d3c5

SHA256
254cab64ee0139c7587506ac8dbbf383d5cde619a4e57d358e7945e143c85a10

SHA512
4179e467423201fc663dcf6b3cf8679e0a2065dc61fe0626bff7754e91588ae54e5eb44444a4eb75350609c13f58b81a8002ffd4cf05d3d37008ad6f3efe1b55

Download Submit
C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe

Filesize
344KB

MD5
f8d5291da606b8e94339d1558c7af8c6

SHA1
3fad2fea10ac97addf4d56e4e4c69ea213c9d07b

SHA256
4143c36c2ede93a9903897590099be34ffd32a36f8bc1f5545eb3e66123f4cb4

SHA512
38167ca4c6e44fb526b2147e5415550c780d7fa2febfa371498aa6ff7554b80ca6665934a77205c279680d78b6d6f710c6440d2819c55ee86792c1b5c9e0285f

Download Submit
C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe

Filesize
344KB

MD5
5a3436717f6f2e2350c9b8e630c032e4

SHA1
d2e6faeb62c14aaf61a7ea42a2bf94051fa14615

SHA256
15f6c8bf5594794e1db7f07ce418d1445b691b17fe6ce6048b515ca3684aa0fe

SHA512
a480940ef3d18f31b9524386a8e71f815ae0f20f595eb6808fdf827847dc03abbc7389f6bf8d969131d2a3c03df4ec10525936c15326aff3270eea6791877b61

Download Submit
C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe

Filesize
344KB

MD5
edc4e679f4574a3053f1f4e532a8502c

SHA1
6501ed6a4f6b9cb92dbbe679595963085cbd672a

SHA256
0596e4faedd1d934ef586db86436201ad50cbe71ad93497da1632dae62614060

SHA512
22b22ce9a3c8943660fc59e0435ed752dd1e1cd78f8789c343289f7f21cb753ea8f7e3754cc03491f0b74af9b910c9828a6440730b45fe82cd2a7f519e51bfef

Download Submit
C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe

Filesize
344KB

MD5
a5a171c6f282d8614b59562fc709601a

SHA1
8380e64727df1f976bba3a23f320732942ada310

SHA256
f6858296662a0ba53b5cb3f868aea769b203573f3a64a08f7af42c98188c5468

SHA512
86634f1dce46ed47ba2be31b1d819faeafc9371f5c5da3e997163e714d531a3900bb3c35776b59b324e8650cf8c308abdf24252814f8f41adcdaba66a48a7cb8

Download Submit
C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe

Filesize
344KB

MD5
a089ad975b0e21aef67511ac51ad6567

SHA1
31ce128b5ab24b0b6406626fce4102f14959e19c

SHA256
45ef968a2549c6570d7f8c6648e036f180c15f11d1d8b3d95dd3d4950d078fb5

SHA512
143de9f9dd7c5764d646b515501d3e8628b86785df934dca3bf78ad4fa68ec52c51e6aaa2815b86afdd409f6671dc04bd229c4cccbb6bbf7d6e4c03c3baed12e

Download Submit
C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe

Filesize
344KB

MD5
e525e93e51eaff6545b0066931cbc29f

SHA1
bfc300cee5c098abd0b8eb1ed5ffa2033a45c76c

SHA256
2602b325bac4b9834f02f0d69c1191093cdcd3b84f96cdaf529e28b63bf5929d

SHA512
de9c163d89abfaf1488dc4466369e92fd588aa20af22cb5c1fba2ad67efaf27a705400327b97cd5e53adbc3c819c9103e1f01ebced911ac3fd420e6b973421fb

Download Submit
C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe

Filesize
344KB

MD5
ac3ca3d9a77fa161536de523f3d86aeb

SHA1
746349b34b9f0041aba546bdffb79629b5c1f60f

SHA256
a161296ebb0915b7b3947923099ed46d79d8b04c2d8a6dbf7cdc4c3dfe24f81e

SHA512
71b6a4ca5010b9f23e9e7ce1c662c327a0f8beb4a792ba0cee8f3d6c54b1232bca351776de7ed2d76f71c78ebc962352d0ab1ff408639a1ea9383cfd43d0786f

Download Submit
C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe

Filesize
344KB

MD5
2cb8e6a1b26f48445fd9334e6ad05de9

SHA1
c4a41a4a78546de0209cb2dfdbbc805476e3f85d

SHA256
72a11baf3fc8a684ca0aed0394eaf8377f0b93ae537f87f2cb9d9299f85458ad

SHA512
41063f9fe5f82c1bd38dfd8e36d79178dcac4410cfdd7188ba855241def9b031795165ef0c4504c10736e63123b605135102b091cec691a3b21976b7486a136d

Download Submit
C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe

Filesize
344KB

MD5
07c9fdbe5dba5a3738ad054ea7d5f908

SHA1
82bd8ebb5c90cbc8e1bb5fd36bdd0757c26aeac3

SHA256
6576e94eec72820d9d71f31198b27c8d5dc3a381c57ab1859295a0a4610fb298

SHA512
c8c7797bacf075e7c7171541bb3ca6149e7b47ce6f0b3eff3b4e70cf628b408631e002ad4ceccf8462be9f4a3a16917cfd7113c61db0d5f68f019124635113d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads