0b061a2b3d949d375249321c229d1358ac675dd6079e17b81739a5c1911bf5f6

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe
Size

180KB
MD5

d0fe570fd6785b45d94d1307919c2057
SHA1

28c505b1f7be26e3888436862e4d8816cab8d74a
SHA256

0b061a2b3d949d375249321c229d1358ac675dd6079e17b81739a5c1911bf5f6
SHA512

8b9dd67ddba8d59360c576b17d5188caf7df989f50c5305d9e91422d1192edc1ae16b11fa5785dbe5c03a8076ce08a67f88f9a1ed743ac290649ff12e3f4bde9
SSDEEP

3072:jEGh0oflfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001211e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a0000000132f2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001211e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000013362-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001211e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001211e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001211e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}\stubpath = "C:\\Windows\\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe"	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B58932-6A25-4156-AF67-1E09920E1B53}\stubpath = "C:\\Windows\\{92B58932-6A25-4156-AF67-1E09920E1B53}.exe"	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}	{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CD4D596-48FA-40c9-90B9-339D24E67221}	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CD4D596-48FA-40c9-90B9-339D24E67221}\stubpath = "C:\\Windows\\{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe"	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}\stubpath = "C:\\Windows\\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe"	{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{857D7F62-DF66-4906-A122-A92DC1E98CE9}\stubpath = "C:\\Windows\\{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe"	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}	{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}\stubpath = "C:\\Windows\\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe"	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}\stubpath = "C:\\Windows\\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe"	{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}\stubpath = "C:\\Windows\\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}.exe"	{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}\stubpath = "C:\\Windows\\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe"	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}\stubpath = "C:\\Windows\\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe"	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0277C11-B044-4207-8B3C-1E8834A581DD}\stubpath = "C:\\Windows\\{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe"	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}	{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{857D7F62-DF66-4906-A122-A92DC1E98CE9}	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B58932-6A25-4156-AF67-1E09920E1B53}	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0277C11-B044-4207-8B3C-1E8834A581DD}	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe
112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
2876	{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
1312	{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
2028	{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe
768	{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
File created	C:\Windows\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe	{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
File created	C:\Windows\{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
File created	C:\Windows\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
File created	C:\Windows\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
File created	C:\Windows\{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe
File created	C:\Windows\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
File created	C:\Windows\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe	{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
File created	C:\Windows\{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe
File created	C:\Windows\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
File created	C:\Windows\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}.exe	{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
Token: SeIncBasePriorityPrivilege	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
Token: SeIncBasePriorityPrivilege	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
Token: SeIncBasePriorityPrivilege	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
Token: SeIncBasePriorityPrivilege	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
Token: SeIncBasePriorityPrivilege	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe
Token: SeIncBasePriorityPrivilege	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
Token: SeIncBasePriorityPrivilege	2876	{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
Token: SeIncBasePriorityPrivilege	1312	{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
Token: SeIncBasePriorityPrivilege	2028	{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2208	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	28
PID 2220 wrote to memory of 2208	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	28
PID 2220 wrote to memory of 2208	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	28
PID 2220 wrote to memory of 2208	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	28
PID 2220 wrote to memory of 2280	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	29
PID 2220 wrote to memory of 2280	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	29
PID 2220 wrote to memory of 2280	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	29
PID 2220 wrote to memory of 2280	2220	2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe	29
PID 2208 wrote to memory of 2804	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	30
PID 2208 wrote to memory of 2804	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	30
PID 2208 wrote to memory of 2804	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	30
PID 2208 wrote to memory of 2804	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	30
PID 2208 wrote to memory of 2696	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	31
PID 2208 wrote to memory of 2696	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	31
PID 2208 wrote to memory of 2696	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	31
PID 2208 wrote to memory of 2696	2208	{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe	31
PID 2804 wrote to memory of 2808	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	32
PID 2804 wrote to memory of 2808	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	32
PID 2804 wrote to memory of 2808	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	32
PID 2804 wrote to memory of 2808	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	32
PID 2804 wrote to memory of 2628	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	33
PID 2804 wrote to memory of 2628	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	33
PID 2804 wrote to memory of 2628	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	33
PID 2804 wrote to memory of 2628	2804	{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe	33
PID 2808 wrote to memory of 2588	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	36
PID 2808 wrote to memory of 2588	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	36
PID 2808 wrote to memory of 2588	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	36
PID 2808 wrote to memory of 2588	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	36
PID 2808 wrote to memory of 308	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	37
PID 2808 wrote to memory of 308	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	37
PID 2808 wrote to memory of 308	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	37
PID 2808 wrote to memory of 308	2808	{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe	37
PID 2588 wrote to memory of 2924	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	38
PID 2588 wrote to memory of 2924	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	38
PID 2588 wrote to memory of 2924	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	38
PID 2588 wrote to memory of 2924	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	38
PID 2588 wrote to memory of 3044	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	39
PID 2588 wrote to memory of 3044	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	39
PID 2588 wrote to memory of 3044	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	39
PID 2588 wrote to memory of 3044	2588	{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe	39
PID 2924 wrote to memory of 1624	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	40
PID 2924 wrote to memory of 1624	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	40
PID 2924 wrote to memory of 1624	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	40
PID 2924 wrote to memory of 1624	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	40
PID 2924 wrote to memory of 1972	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	41
PID 2924 wrote to memory of 1972	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	41
PID 2924 wrote to memory of 1972	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	41
PID 2924 wrote to memory of 1972	2924	{92B58932-6A25-4156-AF67-1E09920E1B53}.exe	41
PID 1624 wrote to memory of 112	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	42
PID 1624 wrote to memory of 112	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	42
PID 1624 wrote to memory of 112	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	42
PID 1624 wrote to memory of 112	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	42
PID 1624 wrote to memory of 1156	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	43
PID 1624 wrote to memory of 1156	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	43
PID 1624 wrote to memory of 1156	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	43
PID 1624 wrote to memory of 1156	1624	{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe	43
PID 112 wrote to memory of 2876	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	44
PID 112 wrote to memory of 2876	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	44
PID 112 wrote to memory of 2876	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	44
PID 112 wrote to memory of 2876	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	44
PID 112 wrote to memory of 2336	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	45
PID 112 wrote to memory of 2336	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	45
PID 112 wrote to memory of 2336	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	45
PID 112 wrote to memory of 2336	112	{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_d0fe570fd6785b45d94d1307919c2057_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
  C:\Windows\{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
    C:\Windows\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
      C:\Windows\{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
        
        C:\Windows\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
        
        C:\Windows\{92B58932-6A25-4156-AF67-1E09920E1B53}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe
        
        C:\Windows\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
        
        C:\Windows\{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
        
        C:\Windows\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
        
        C:\Windows\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe
        
        C:\Windows\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}.exe
        
        C:\Windows\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}.exe
        12⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5137E~1.EXE > nul
        12⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D579~1.EXE > nul
        11⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E72~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0277~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1FA7~1.EXE > nul
        8⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B58~1.EXE > nul
        7⤵
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BF19~1.EXE > nul
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{857D7~1.EXE > nul
        5⤵
        
        PID:308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2834E~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD4D~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2834EEB2-1AAE-4b7f-8885-F9F39273F47E}.exe

Filesize
180KB

MD5
bb2ec5ef9c80cc595d36881b5bd428d9

SHA1
8abadc62bcd7dbfbf9d6c17f36135c80d92c9e2f

SHA256
d9504e1a0d47648e0ebdeef3d08add758917e197d13f3ba148be9919f89f870c

SHA512
b3403cbb4bc06df434be325150490b2a267397b9c749362f00043d5b5d3458fa44b91cf49b52d69995ffa8f01aae64e40b50ddd6631c20e06e5791cae15d97f6

Download Submit
C:\Windows\{44E72E28-5CC3-4069-A227-8CFF3A9E3F93}.exe

Filesize
180KB

MD5
ee9d05a29405b58c579c043815e5ab5f

SHA1
b2684c7619710ce6bbe1611590f526f21ca70a31

SHA256
9eb1f91fc63c90faf6ef061f0eb8bda81a266ad4057cb1769a6184e9f1656626

SHA512
051a5e3107f09294780a6e523f9d053998a78359e378ffe471e808c630f1977fda1bb125261c8abc482eeb25379a379aa8506ba601a4e0b2bdf1793d5983a513

Download Submit
C:\Windows\{4BF194D5-D1D0-40e3-AAF0-60D597613B4A}.exe

Filesize
180KB

MD5
942ece90425f5b18c3f8ca02b35b15dc

SHA1
537145fcd0a91670523868f933a5dbda8c9c4fa7

SHA256
cd68fad7630c1346d1eb3f20cf1d4a7b31160f3dc6bbfb0c5fe637722a48565b

SHA512
bcebe9e94e519d9a426862bbb12141568f36df7a420ea352b3b69f80926c983813e5bf3d7682bbcf4a07562233d23162cf022cda6ff2f171628b55b2f950ff41

Download Submit
C:\Windows\{4CD4D596-48FA-40c9-90B9-339D24E67221}.exe

Filesize
180KB

MD5
4b2c842c5e4a5b85a7340f66e19c3133

SHA1
aa84d3d3a3e73ff1868a883946d3d8e7c96b85b0

SHA256
988f99795042c115bcce82cc77c878628299251a9437df9ff943d6a52fc4130a

SHA512
df84e1d27014d682352afbbff20b021de5ea1ef912acf04dec46b4622e6cbe8c29877f7540603a7bc12b625428f819a89c3e980b184988cbc106e7fa4137af62

Download Submit
C:\Windows\{4D579C2C-C14F-4dd1-8EFC-22AD486E9EC0}.exe

Filesize
180KB

MD5
dda135d3f5fc5b966419f3186f937330

SHA1
fb05383969589f3e562b100688ce658f2cc6cf86

SHA256
88f7646cae0a28a1cc22ca4679a0c955c6d7f2d539ce6f4592e369227bec7973

SHA512
09049f5787b122b56dc64fb74fe483be4bd8bba2e0c5c998c52889c95164bdda9f40e8b6f04e6694e076bbdfb3f08e3591d55e8ba9556c29df59a06972d6f31a

Download Submit
C:\Windows\{4FBC9C58-D823-4d3b-84BC-8E581B2DD3D6}.exe

Filesize
180KB

MD5
e8130e80e29c36ab74dd4ff0d188cbd0

SHA1
099b80f370f771c4a20f677a45c9f5df8a1abd35

SHA256
4f6ac168af9e47d6435bb9756f0c16ddba82f8b5bc5d08d567f4b86184ec5d28

SHA512
5facae1636a7464894c30244b81ca78afe370754ae4ef6caadbe76ca6e29e5ce7ee4cad27d4f09a9af3b62ee3e406dfe25084790701727cfa31eca2b415f55b9

Download Submit
C:\Windows\{5137E61F-26F8-4995-B5F4-FEB76954ABDD}.exe

Filesize
180KB

MD5
b692011930bf282038860379faccf635

SHA1
f6af88c1270f41ee510288e4e241cc18837813b6

SHA256
d619b22b3354348ec94db5d0dbc861ab579697afd6fce020b882b7e89c826554

SHA512
683b821e52ac83f0a4d802518bef333fe4f9173a826e795a7fd60cddb2e5ad706d811c0d93c37d1879ea3bd7b3e207ed3edb3e2e8e473493d48c4903add6a175

Download Submit
C:\Windows\{857D7F62-DF66-4906-A122-A92DC1E98CE9}.exe

Filesize
180KB

MD5
d9b926c3bb13fb7490b4b1e73dd2cd7e

SHA1
4484bfad8546aa8747aa5ebd7f90e888cc3260a1

SHA256
b539a0746af03419bb2b068f4a63b6302de88a4f3b625c7fa8c5fa305ab6e90f

SHA512
6db1c9408844f62c8452c5ae6ea317534dbf4da94f0ff1ed15c421efbd6f44e6661d9d1123564e869dc7f83e3146837ed3a1c1115e9bc11e1bb929abd5f9d1d2

Download Submit
C:\Windows\{92B58932-6A25-4156-AF67-1E09920E1B53}.exe

Filesize
180KB

MD5
1843a5f313c45ccaaa8d30dfb9176a7f

SHA1
730a877e2a532b8439ca0dca1d3880eca3fed54f

SHA256
8a8921a69b23941dd5108286bb39c5b359efdf9e0d17a0e25813fe9f1bbba5f8

SHA512
297d7235791653cc442b5dc06abb06741b48ecc9c523d9c80c994389abd6ffa86f56a109a69945aa7e30d9015d45b3b4ba07ffcda1a7a6bbf4d670be93343148

Download Submit
C:\Windows\{D0277C11-B044-4207-8B3C-1E8834A581DD}.exe

Filesize
180KB

MD5
d704e3b72f55274ef5334bd9f4989f90

SHA1
a1644afe2398d330aeb72f2e1758d46443a2f86a

SHA256
820e824b7ed778b7340a59fa908c085c979a6558e081cbaea2e0d27212d4310a

SHA512
925eab063a16927feaab9c1c35b2597a6c712614b0ed236a7db1919cd3327ced7ac62ba81734d8d96a2a84e2641af0a09c72ec6b9e568f85fd294966680c5a23

Download Submit
C:\Windows\{F1FA7A73-4E03-4945-908B-A303AA9CEDB1}.exe

Filesize
180KB

MD5
93b460464cc84a35f8e8413a3cc87834

SHA1
851986453a004344476e06c59c96fef3435308c2

SHA256
ae946b270a0fbada4c1ce4bd641c7eb637c0d25c253dad0dfa02e13f2d742f57

SHA512
d15b87f6db4054b5d3273fc22c5a47ecf7ddf65e4e78cf526ffda3b242e4709117519a726e7c774dd9555ecdd302974c5c3724823e1d6f0bf977ee2848f58f0a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads