cea67938829e30a8f5a7ed3edf6ee027760b6627af5c79221e1d4f797df0f955

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Size

372KB
MD5

cb0dca067253ba56502d1f95e5bc1c50
SHA1

9d6d9a133eabcb5b69615bb2b8106e042c3edc84
SHA256

cea67938829e30a8f5a7ed3edf6ee027760b6627af5c79221e1d4f797df0f955
SHA512

2ecdbe7752c2c526d3df705517081217ec642593f125d37f1145001d95afec1ed9cf4a9150d56d58987748c32f94908a217e2a0727696957543c8771abe5df09
SSDEEP

3072:CEGh0oWlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG0lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012294-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000016c07-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000f6e4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016c07-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000f6e4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016c07-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6e4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016c07-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6e4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016c07-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6e4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBCB50F9-D017-4d27-A51B-55118B08AD43}	{9892AC89-578A-411e-915D-2FD8438459E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{207156A8-B994-49a3-9453-B61283C10825}\stubpath = "C:\\Windows\\{207156A8-B994-49a3-9453-B61283C10825}.exe"	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{943F47D0-749C-42d5-B606-5ED33B08E7C6}\stubpath = "C:\\Windows\\{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe"	{B8202200-09D2-4106-94FD-C703503C17CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53923360-3C4A-4b43-984D-001675CC80D2}\stubpath = "C:\\Windows\\{53923360-3C4A-4b43-984D-001675CC80D2}.exe"	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10644F9-17F9-493b-8D0A-60CF0BC32849}	{53923360-3C4A-4b43-984D-001675CC80D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10644F9-17F9-493b-8D0A-60CF0BC32849}\stubpath = "C:\\Windows\\{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe"	{53923360-3C4A-4b43-984D-001675CC80D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}	{207156A8-B994-49a3-9453-B61283C10825}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}\stubpath = "C:\\Windows\\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe"	{207156A8-B994-49a3-9453-B61283C10825}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9892AC89-578A-411e-915D-2FD8438459E0}\stubpath = "C:\\Windows\\{9892AC89-578A-411e-915D-2FD8438459E0}.exe"	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4D8D23E-26DE-4a88-A014-AAA14021258A}\stubpath = "C:\\Windows\\{F4D8D23E-26DE-4a88-A014-AAA14021258A}.exe"	{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3CA8668-30B2-42df-888B-315219D10A07}	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53923360-3C4A-4b43-984D-001675CC80D2}	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9892AC89-578A-411e-915D-2FD8438459E0}	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}\stubpath = "C:\\Windows\\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe"	{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4D8D23E-26DE-4a88-A014-AAA14021258A}	{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBCB50F9-D017-4d27-A51B-55118B08AD43}\stubpath = "C:\\Windows\\{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe"	{9892AC89-578A-411e-915D-2FD8438459E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}	{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{207156A8-B994-49a3-9453-B61283C10825}	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3CA8668-30B2-42df-888B-315219D10A07}\stubpath = "C:\\Windows\\{A3CA8668-30B2-42df-888B-315219D10A07}.exe"	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8202200-09D2-4106-94FD-C703503C17CA}	{A3CA8668-30B2-42df-888B-315219D10A07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8202200-09D2-4106-94FD-C703503C17CA}\stubpath = "C:\\Windows\\{B8202200-09D2-4106-94FD-C703503C17CA}.exe"	{A3CA8668-30B2-42df-888B-315219D10A07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{943F47D0-749C-42d5-B606-5ED33B08E7C6}	{B8202200-09D2-4106-94FD-C703503C17CA}.exe

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{207156A8-B994-49a3-9453-B61283C10825}.exe
2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe
2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe
808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe
2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
1984	{9892AC89-578A-411e-915D-2FD8438459E0}.exe
2428	{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
2252	{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe
2304	{F4D8D23E-26DE-4a88-A014-AAA14021258A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{53923360-3C4A-4b43-984D-001675CC80D2}.exe	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
File created	C:\Windows\{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe	{9892AC89-578A-411e-915D-2FD8438459E0}.exe
File created	C:\Windows\{F4D8D23E-26DE-4a88-A014-AAA14021258A}.exe	{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe
File created	C:\Windows\{207156A8-B994-49a3-9453-B61283C10825}.exe	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
File created	C:\Windows\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	{207156A8-B994-49a3-9453-B61283C10825}.exe
File created	C:\Windows\{B8202200-09D2-4106-94FD-C703503C17CA}.exe	{A3CA8668-30B2-42df-888B-315219D10A07}.exe
File created	C:\Windows\{9892AC89-578A-411e-915D-2FD8438459E0}.exe	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
File created	C:\Windows\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe	{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
File created	C:\Windows\{A3CA8668-30B2-42df-888B-315219D10A07}.exe	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
File created	C:\Windows\{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	{B8202200-09D2-4106-94FD-C703503C17CA}.exe
File created	C:\Windows\{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	{53923360-3C4A-4b43-984D-001675CC80D2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe
Token: SeIncBasePriorityPrivilege	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
Token: SeIncBasePriorityPrivilege	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe
Token: SeIncBasePriorityPrivilege	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe
Token: SeIncBasePriorityPrivilege	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
Token: SeIncBasePriorityPrivilege	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe
Token: SeIncBasePriorityPrivilege	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
Token: SeIncBasePriorityPrivilege	1984	{9892AC89-578A-411e-915D-2FD8438459E0}.exe
Token: SeIncBasePriorityPrivilege	2428	{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
Token: SeIncBasePriorityPrivilege	2252	{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3068	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	28
PID 2536 wrote to memory of 3068	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	28
PID 2536 wrote to memory of 3068	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	28
PID 2536 wrote to memory of 3068	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	28
PID 2536 wrote to memory of 3000	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	29
PID 2536 wrote to memory of 3000	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	29
PID 2536 wrote to memory of 3000	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	29
PID 2536 wrote to memory of 3000	2536	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	29
PID 3068 wrote to memory of 2668	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	30
PID 3068 wrote to memory of 2668	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	30
PID 3068 wrote to memory of 2668	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	30
PID 3068 wrote to memory of 2668	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	30
PID 3068 wrote to memory of 2712	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	31
PID 3068 wrote to memory of 2712	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	31
PID 3068 wrote to memory of 2712	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	31
PID 3068 wrote to memory of 2712	3068	{207156A8-B994-49a3-9453-B61283C10825}.exe	31
PID 2668 wrote to memory of 2508	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	34
PID 2668 wrote to memory of 2508	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	34
PID 2668 wrote to memory of 2508	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	34
PID 2668 wrote to memory of 2508	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	34
PID 2668 wrote to memory of 2452	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	35
PID 2668 wrote to memory of 2452	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	35
PID 2668 wrote to memory of 2452	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	35
PID 2668 wrote to memory of 2452	2668	{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe	35
PID 2508 wrote to memory of 2968	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	36
PID 2508 wrote to memory of 2968	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	36
PID 2508 wrote to memory of 2968	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	36
PID 2508 wrote to memory of 2968	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	36
PID 2508 wrote to memory of 1844	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	37
PID 2508 wrote to memory of 1844	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	37
PID 2508 wrote to memory of 1844	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	37
PID 2508 wrote to memory of 1844	2508	{A3CA8668-30B2-42df-888B-315219D10A07}.exe	37
PID 2968 wrote to memory of 808	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	38
PID 2968 wrote to memory of 808	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	38
PID 2968 wrote to memory of 808	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	38
PID 2968 wrote to memory of 808	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	38
PID 2968 wrote to memory of 236	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	39
PID 2968 wrote to memory of 236	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	39
PID 2968 wrote to memory of 236	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	39
PID 2968 wrote to memory of 236	2968	{B8202200-09D2-4106-94FD-C703503C17CA}.exe	39
PID 808 wrote to memory of 2800	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	40
PID 808 wrote to memory of 2800	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	40
PID 808 wrote to memory of 2800	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	40
PID 808 wrote to memory of 2800	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	40
PID 808 wrote to memory of 2812	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	41
PID 808 wrote to memory of 2812	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	41
PID 808 wrote to memory of 2812	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	41
PID 808 wrote to memory of 2812	808	{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe	41
PID 2800 wrote to memory of 2132	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	42
PID 2800 wrote to memory of 2132	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	42
PID 2800 wrote to memory of 2132	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	42
PID 2800 wrote to memory of 2132	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	42
PID 2800 wrote to memory of 1680	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	43
PID 2800 wrote to memory of 1680	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	43
PID 2800 wrote to memory of 1680	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	43
PID 2800 wrote to memory of 1680	2800	{53923360-3C4A-4b43-984D-001675CC80D2}.exe	43
PID 2132 wrote to memory of 1984	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	44
PID 2132 wrote to memory of 1984	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	44
PID 2132 wrote to memory of 1984	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	44
PID 2132 wrote to memory of 1984	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	44
PID 2132 wrote to memory of 1548	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	45
PID 2132 wrote to memory of 1548	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	45
PID 2132 wrote to memory of 1548	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	45
PID 2132 wrote to memory of 1548	2132	{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\{207156A8-B994-49a3-9453-B61283C10825}.exe
  C:\Windows\{207156A8-B994-49a3-9453-B61283C10825}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
    C:\Windows\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{A3CA8668-30B2-42df-888B-315219D10A07}.exe
      C:\Windows\{A3CA8668-30B2-42df-888B-315219D10A07}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\{B8202200-09D2-4106-94FD-C703503C17CA}.exe
        
        C:\Windows\{B8202200-09D2-4106-94FD-C703503C17CA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
        
        C:\Windows\{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{53923360-3C4A-4b43-984D-001675CC80D2}.exe
        
        C:\Windows\{53923360-3C4A-4b43-984D-001675CC80D2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
        
        C:\Windows\{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{9892AC89-578A-411e-915D-2FD8438459E0}.exe
        
        C:\Windows\{9892AC89-578A-411e-915D-2FD8438459E0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
        
        C:\Windows\{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe
        
        C:\Windows\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{F4D8D23E-26DE-4a88-A014-AAA14021258A}.exe
        
        C:\Windows\{F4D8D23E-26DE-4a88-A014-AAA14021258A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1EE7~1.EXE > nul
        12⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBCB5~1.EXE > nul
        11⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9892A~1.EXE > nul
        10⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1064~1.EXE > nul
        9⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53923~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{943F4~1.EXE > nul
        7⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8202~1.EXE > nul
        6⤵
        
        PID:236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3CA8~1.EXE > nul
        5⤵
        
        PID:1844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54D2A~1.EXE > nul
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20715~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{207156A8-B994-49a3-9453-B61283C10825}.exe

Filesize
372KB

MD5
e95c7d8ccb7a7d7f6a63f474c8bcbf0d

SHA1
e0a35865784a870e7a0998a3df01429ed25463c6

SHA256
a58a9830648e44d59048d1f62a40fda749ae16c3e7ca426e796178c66a6abdae

SHA512
ab26c3300ddfd0a1acce72e926cc49de0704e478a906a4ac2f67ba92963c0e8ae9b48e44a8f21e530f9c45bea3c47f66ac8f462026f703f2b55ef29ae5b236f2

Download Submit
C:\Windows\{53923360-3C4A-4b43-984D-001675CC80D2}.exe

Filesize
372KB

MD5
1200538d2adf6222c2defb7845c43bf2

SHA1
cfe27d040f236ef1c52261c0aa0686ae75dd117d

SHA256
e79bb1a58bbb55c65aac20ca2775a6b2d6f6c0d03025c8fa25dc23647029c7b7

SHA512
4978d59661e34b7446f2e6aa5497f548d744ced88923c3a56bbf5bcb4577d3c23d5ef54ebcb6d049e1e00021776b49c299bad14b40b97ae312b49ec0908345a8

Download Submit
C:\Windows\{54D2AFE7-F966-4650-A128-4A4FA8BD513D}.exe

Filesize
372KB

MD5
9673e16ee1539394bf5538b98ef36dac

SHA1
9b2684fddf3316e800693caf3077a5305ffffef7

SHA256
3c110a30f0a0a27bbb7de6845e0d509a2aa16c7c6e6db52a534c4288731d7779

SHA512
5f86c5e81e7ffd2b71921871f59188d3bfc1c98e4b8befa9a74bc9727e6c58775b51f60b135984be0be4543702e8ea5c080097455b91bf795a2310de50492349

Download Submit
C:\Windows\{943F47D0-749C-42d5-B606-5ED33B08E7C6}.exe

Filesize
372KB

MD5
8dc4c3a875c41a6677954b12185a9376

SHA1
e52ef34dc8e64eeeb6270feba7c488055d0dcfa9

SHA256
d527cd8d7cd500953ddac19d940d7c80362c0343fe36079551adec40c3feb0b3

SHA512
efeacdef9476d68f621c7a6f48456ae5cd6acf75c61f4d7e25707c7fba215406801ec7ff93624d7e873ebbcf3b9b69485448ed8d184d475471300bb69e2dbb84

Download Submit
C:\Windows\{9892AC89-578A-411e-915D-2FD8438459E0}.exe

Filesize
372KB

MD5
181d2487f917143ae197d276d2a23781

SHA1
69eebbea49035d20af96db33bf217720b1e19b34

SHA256
bd17fd91eb6896c61acab312ad7b969f6670d9941eb6805dfecfe82cb22c2154

SHA512
ee23e002c451ab47b343d36b96dea1897ccb39536c024d9b0f861321e3cff0282f1942c685ae4c86191d64cfddbe9aad57fede249f50da6226c37e840e6fc6f0

Download Submit
C:\Windows\{A3CA8668-30B2-42df-888B-315219D10A07}.exe

Filesize
372KB

MD5
0e3799b8a094678c6153c390ba4bf47b

SHA1
d25b1a65860ea1a5fdc9cbfc61a981839c841dbb

SHA256
bbbcc064ad8beb2b30895b95bcca0bd71c67e4f52ab1117492cad28d8892dd14

SHA512
5c0fb92d6fdae56a54729de53299fb479084599acde51580ea8aef7d76ab918762887756698132b3792d73e66692afeeadd504d5d2d76c5c229648e0e569997f

Download Submit
C:\Windows\{B8202200-09D2-4106-94FD-C703503C17CA}.exe

Filesize
372KB

MD5
675057a8c4b808050b6a7e50f597dd96

SHA1
2449ec6a93b0c439ea606e147d68317a30849a23

SHA256
3d64a26398023fa6ed5e9a1f305326ee89ce7076e2a24df9a49e92d178d42633

SHA512
f4cfdd9a4ef7b1d6bf039520bc1dc409b65f0a0a1ee4f1d26a3115c4b5ab8643394198675a3073f4f44ebc6292619e233267f089692728724ab54183d6eedbc2

Download Submit
C:\Windows\{BBCB50F9-D017-4d27-A51B-55118B08AD43}.exe

Filesize
372KB

MD5
06822f70855122465656c98a39bc19fe

SHA1
7f1d1d42e6931b3df45f030e2855dde7daf25a91

SHA256
6e5e1aa99ad5ceab8c5e515a9ccba72d82dd25d612f04d7f053bf9c272486cf0

SHA512
d3d15df3c6dc5622a9a92da3d21b3b397f3824433534e01672438137896f002c7d88dc5cc321b1863bb93d8f4bd1c13dd085acc182783f13e6df2747c4174e9e

Download Submit
C:\Windows\{D1EE7CB1-1134-40a3-A253-18542DCBFEFA}.exe

Filesize
372KB

MD5
dfb20e00b035ea26797dd41c842b60d4

SHA1
b7df85965147994a410f5340d844dae890211fc0

SHA256
3e06abbed1973cc8a5d7df7da97a6c4f24f09acb06fd53bfc20e6c4ae9b4172e

SHA512
fcc12686b45e787bbd4e43babc4b9de63ddff87f78bc20345d1345f0ea8410e2c6b94a26d1a53bb4a89e8e561fdf7d431a58dc18f3f4683e64cee09dbe0ae910

Download Submit
C:\Windows\{E10644F9-17F9-493b-8D0A-60CF0BC32849}.exe

Filesize
372KB

MD5
27e829d6de69864793003276c9dc93ce

SHA1
5300f6035d78574f9789f599e5a7df6d24250a67

SHA256
aa2d9d1b509105702dbecd99eb960d044bd3513b8efee113c4e43cc471da1145

SHA512
1419f2535708b23d4e18317a6060be618b2fbca9d831f745a5fd8cde07314d3cfc5fffdb9224eeda6d7c996fdb5b3f1fec355af8759d7d2ab875eb21165ff7b1

Download Submit
C:\Windows\{F4D8D23E-26DE-4a88-A014-AAA14021258A}.exe

Filesize
372KB

MD5
64fa067421ace3c8e06eb1997d9e29b2

SHA1
41d1a56ec7cf22ff605bc23d28d3ce20a21b53a1

SHA256
2f6a378891f80f24adbea39448dc1014bcc25098372c05bedec5316a1ac819c9

SHA512
c15a0b1ca8464abf7bfa6546cf880ff2cac776e451d967dc6814aa827b8ed1567b96eca38725cf06ed388e7c025ce442fb96301bc7df56dd4839d129672788ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads