17df57b00bf37994bcb9fdb61ee02bce1f0eeaf87c6e130d77630ab33c57cbcf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
Size

204KB
MD5

e842df2e149d65afcc8e40a43d7ce684
SHA1

575594b48341bc6ced47314c0e3bbc43ccb2276b
SHA256

17df57b00bf37994bcb9fdb61ee02bce1f0eeaf87c6e130d77630ab33c57cbcf
SHA512

5b442f23b41ca36b4dfc41bd5635c6078ffc096291ae5a48d27d480fe975ae1085d0194df820ff131e91a2fbd993ea25edcf03a45af50b49916acdb781de3015
SSDEEP

1536:1EGh0oJl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oJl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023528-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002352f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002346d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002352f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002346d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002352f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002346d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001700000002352f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023462-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023465-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023462-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023463-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}\stubpath = "C:\\Windows\\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe"	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7ED2262-A856-41c1-9D63-C7272058F542}\stubpath = "C:\\Windows\\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe"	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}\stubpath = "C:\\Windows\\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe"	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD354967-21D9-462c-AA76-DF0473EB92CC}\stubpath = "C:\\Windows\\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe"	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C099825-A05A-420f-B455-2876C2468E84}\stubpath = "C:\\Windows\\{3C099825-A05A-420f-B455-2876C2468E84}.exe"	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}\stubpath = "C:\\Windows\\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe"	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C748985B-D33A-4072-9478-84AC8E6487C0}\stubpath = "C:\\Windows\\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe"	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C099825-A05A-420f-B455-2876C2468E84}	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19D500C2-8E06-426e-9B50-C84D578D4607}\stubpath = "C:\\Windows\\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe"	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}\stubpath = "C:\\Windows\\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe"	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD354967-21D9-462c-AA76-DF0473EB92CC}	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}\stubpath = "C:\\Windows\\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe"	{3C099825-A05A-420f-B455-2876C2468E84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7ED2262-A856-41c1-9D63-C7272058F542}	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}\stubpath = "C:\\Windows\\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe"	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C748985B-D33A-4072-9478-84AC8E6487C0}	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19D500C2-8E06-426e-9B50-C84D578D4607}	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A812C004-38C6-4039-8970-731EA3C7E7D2}	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A812C004-38C6-4039-8970-731EA3C7E7D2}\stubpath = "C:\\Windows\\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe"	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}	{3C099825-A05A-420f-B455-2876C2468E84}.exe

Executes dropped EXE 12 IoCs

pid	Process
1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
2904	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
964	{3C099825-A05A-420f-B455-2876C2468E84}.exe
4832	{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
File created	C:\Windows\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
File created	C:\Windows\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
File created	C:\Windows\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
File created	C:\Windows\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
File created	C:\Windows\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
File created	C:\Windows\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe	{3C099825-A05A-420f-B455-2876C2468E84}.exe
File created	C:\Windows\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
File created	C:\Windows\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
File created	C:\Windows\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
File created	C:\Windows\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
File created	C:\Windows\{3C099825-A05A-420f-B455-2876C2468E84}.exe	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
Token: SeIncBasePriorityPrivilege	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
Token: SeIncBasePriorityPrivilege	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
Token: SeIncBasePriorityPrivilege	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
Token: SeIncBasePriorityPrivilege	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
Token: SeIncBasePriorityPrivilege	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
Token: SeIncBasePriorityPrivilege	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
Token: SeIncBasePriorityPrivilege	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
Token: SeIncBasePriorityPrivilege	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
Token: SeIncBasePriorityPrivilege	2904	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
Token: SeIncBasePriorityPrivilege	964	{3C099825-A05A-420f-B455-2876C2468E84}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1964	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe	91
PID 2104 wrote to memory of 1964	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe	91
PID 2104 wrote to memory of 1964	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe	91
PID 2104 wrote to memory of 1048	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe	92
PID 2104 wrote to memory of 1048	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe	92
PID 2104 wrote to memory of 1048	2104	2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe	92
PID 1964 wrote to memory of 4312	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	94
PID 1964 wrote to memory of 4312	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	94
PID 1964 wrote to memory of 4312	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	94
PID 1964 wrote to memory of 4456	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	95
PID 1964 wrote to memory of 4456	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	95
PID 1964 wrote to memory of 4456	1964	{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe	95
PID 4312 wrote to memory of 3344	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	99
PID 4312 wrote to memory of 3344	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	99
PID 4312 wrote to memory of 3344	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	99
PID 4312 wrote to memory of 3108	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	100
PID 4312 wrote to memory of 3108	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	100
PID 4312 wrote to memory of 3108	4312	{A7ED2262-A856-41c1-9D63-C7272058F542}.exe	100
PID 3344 wrote to memory of 1528	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	101
PID 3344 wrote to memory of 1528	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	101
PID 3344 wrote to memory of 1528	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	101
PID 3344 wrote to memory of 2720	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	102
PID 3344 wrote to memory of 2720	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	102
PID 3344 wrote to memory of 2720	3344	{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe	102
PID 1528 wrote to memory of 544	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	103
PID 1528 wrote to memory of 544	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	103
PID 1528 wrote to memory of 544	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	103
PID 1528 wrote to memory of 2972	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	104
PID 1528 wrote to memory of 2972	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	104
PID 1528 wrote to memory of 2972	1528	{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe	104
PID 544 wrote to memory of 3800	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	106
PID 544 wrote to memory of 3800	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	106
PID 544 wrote to memory of 3800	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	106
PID 544 wrote to memory of 3376	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	107
PID 544 wrote to memory of 3376	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	107
PID 544 wrote to memory of 3376	544	{C748985B-D33A-4072-9478-84AC8E6487C0}.exe	107
PID 3800 wrote to memory of 844	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	108
PID 3800 wrote to memory of 844	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	108
PID 3800 wrote to memory of 844	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	108
PID 3800 wrote to memory of 4520	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	109
PID 3800 wrote to memory of 4520	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	109
PID 3800 wrote to memory of 4520	3800	{19D500C2-8E06-426e-9B50-C84D578D4607}.exe	109
PID 844 wrote to memory of 5004	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	112
PID 844 wrote to memory of 5004	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	112
PID 844 wrote to memory of 5004	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	112
PID 844 wrote to memory of 4408	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	113
PID 844 wrote to memory of 4408	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	113
PID 844 wrote to memory of 4408	844	{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe	113
PID 5004 wrote to memory of 4180	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	119
PID 5004 wrote to memory of 4180	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	119
PID 5004 wrote to memory of 4180	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	119
PID 5004 wrote to memory of 316	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	120
PID 5004 wrote to memory of 316	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	120
PID 5004 wrote to memory of 316	5004	{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe	120
PID 4180 wrote to memory of 2904	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	121
PID 4180 wrote to memory of 2904	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	121
PID 4180 wrote to memory of 2904	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	121
PID 4180 wrote to memory of 2724	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	122
PID 4180 wrote to memory of 2724	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	122
PID 4180 wrote to memory of 2724	4180	{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe	122
PID 2904 wrote to memory of 964	2904	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe	123
PID 2904 wrote to memory of 964	2904	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe	123
PID 2904 wrote to memory of 964	2904	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe	123
PID 2904 wrote to memory of 4412	2904	{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
  C:\Windows\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
    C:\Windows\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
      C:\Windows\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3344
    - - C:\Windows\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
        
        C:\Windows\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
        
        C:\Windows\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
        
        C:\Windows\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
        
        C:\Windows\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
        
        C:\Windows\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
        
        C:\Windows\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
        
        C:\Windows\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{3C099825-A05A-420f-B455-2876C2468E84}.exe
        
        C:\Windows\{3C099825-A05A-420f-B455-2876C2468E84}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe
        
        C:\Windows\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C099~1.EXE > nul
        13⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD354~1.EXE > nul
        12⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71EB7~1.EXE > nul
        11⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A812C~1.EXE > nul
        10⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B201~1.EXE > nul
        9⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19D50~1.EXE > nul
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7489~1.EXE > nul
        7⤵
        
        PID:3376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6963~1.EXE > nul
        6⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D1E9~1.EXE > nul
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7ED2~1.EXE > nul
      4⤵
      PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{345E2~1.EXE > nul
    3⤵
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe

Filesize
204KB

MD5
709911eab13453c4f02e943517cc77f7

SHA1
3d1da046718dc4ea47e946c99e1971ffe0769247

SHA256
a8ccb361314a77c2c877a76e47b2040f1f70a58651f2dac2b69382077fb3da69

SHA512
36b91b3316c775dff56d8d0726af17d23483dcba9c094c0e9ed351dd3345c9ace2a86f06cfb9b2fb55c156d95ffbe0a476a87e89a765ea6a94450ee4657b12c8

Download Submit
C:\Windows\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe

Filesize
204KB

MD5
cdca339734aef7e9a84ace28ec3136de

SHA1
cde9f4fe4ffd6491e74ae45b183b9a7a8d106352

SHA256
56aaca9d3bb399439d9ab9f233f000dccdb2388ecd67c73a1039f8f3c7f5bb66

SHA512
784b0feb054b28731d8c09967bd560d86f90c584188c8364439247f1f7bace4c44c96817ade48749758b9ebf65fcd4ff35002650357a570343bf22b85da69be1

Download Submit
C:\Windows\{3C099825-A05A-420f-B455-2876C2468E84}.exe

Filesize
204KB

MD5
8483c06c714eb160d829d42f6df7f121

SHA1
7b44875036de6b8ee5df027f62e86fbb879dc905

SHA256
1b41701f62d751b757c3c5b623cddbab09247e32efc779e2210056fa26b64cd7

SHA512
fc259b6785cd545689256e59b4008264371e24c810689359034e46cf1325cc26183aa590ca23096d0e38f52ecca74692d43d196070c8f8b98d4d89fc51b0a41b

Download Submit
C:\Windows\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe

Filesize
204KB

MD5
6d5f2e52bcb9a592ce1308487b6ed072

SHA1
de82d328381940745355c29605647d8cac910c44

SHA256
24ed129a7fa95131928af5b73d15dc5adbdf87cb3794a7e70d1ba043e8d9edd6

SHA512
f308e923edcea205748c48f6b707ee75d9d5762efa1585cec56080455d62573000a671d6260572c84e068819e673826154a512da3da654acd584ceff302b34b7

Download Submit
C:\Windows\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe

Filesize
204KB

MD5
230681d0b2dfcd346d5f5c5a33882646

SHA1
7849f9a3e922888b4613b4c6e455ac6c1e8c1632

SHA256
9f42842f75ca0e26c25586c4698ac7cb3ac4942d4a3cc1cae947832bb4781df7

SHA512
dd173987e5a4e6d9918ed275d41fad794a18aad1f24b52b076eb2f355689ecf98e6577f3300034adde5b37c0a92e85130dc2184d8b28c7b9c1ece0b88ac7474f

Download Submit
C:\Windows\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe

Filesize
204KB

MD5
a3c83d0ac16ee4206e70ee44c9627db0

SHA1
ade97a691c0a898e6583af7e5ef2eb9f368d5dd5

SHA256
064aed618a7aa9a885a5be2fe4e2f2674dba165c2821f8a91c74ec9ad6ac543d

SHA512
ffdf1d7a12be15ee4fba7b65cb47de10ccbf6066d2384ec9edf92104d11e3665b847eecd4f3822dda13f174279e01a8573a44c637729df660b14e91b59091621

Download Submit
C:\Windows\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe

Filesize
204KB

MD5
ac09cffc9558ff6e75dee5cbf6063d3c

SHA1
addd7066c5bb1c6d98121e307e1dc29e42d8ec3a

SHA256
de868084e7c38a8761b8569b4592ec929e1b362c9d4f4aabc4b130bf9ae92d90

SHA512
b00cb406dbc67f8bd0643254f5e604f7472aa03c00c7ac00d3670018c4d6f4a1a67b053443114778dc3dd529111f936b59e1d9ab93ecdf16b63a1e9bb2bb7239

Download Submit
C:\Windows\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe

Filesize
204KB

MD5
7c0378196e963f0dcf3722d8083c76ac

SHA1
1fdd7e7dd428410e26ca5bfab9fbf6554985b39f

SHA256
7e5c11c5a7a3f1757402304c98662447927f2cbbd02f22f6b9aba0a75b31ca27

SHA512
27f37baf57fc52dac603ceaa46bd8dc98c5828064f0f8416a22a1cfbe600c3b02a4d5e5dbcdac017ff29b6a2ee6a3331d04f894dd3dc94a2bb4c2623635d18a7

Download Submit
C:\Windows\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe

Filesize
204KB

MD5
01a4e84da04ba8f114976697b9c18ff8

SHA1
3e7f3bce2956f0b9429eca3c1e2181268765df6c

SHA256
17769c03cb20df8e05b0cd8d40a43cdea5de734a3f3e7fb109da5b59d20a9967

SHA512
0c7df1ce744902549c3d193489a936432c329ae00c59a87d0377163c58da45a2db0901b05702c02a374a1224a65bab969bb0d228d5c2f1af117a92544cd82e46

Download Submit
C:\Windows\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe

Filesize
204KB

MD5
da3c83fb9bcb2eb443c47a51049e5d8b

SHA1
a6c14dd9cd0e6f06b7e1a1c30b7fab0b699a1fef

SHA256
d171ff89a2d2de6bd6badd04666f26ef1908c50d9f48edaad5c0c79fd4c7bd15

SHA512
e9f404d656787c999b37062288bad4323d6a43e7526657105591fda5cbf8969c13e23223b35fe11a01a34d3d4fe3be0380236ca4df69c55ebd633047edd3f82d

Download Submit
C:\Windows\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe

Filesize
204KB

MD5
628b2478e61390445090aedcc8951dde

SHA1
e9a956ce9a301cd2c0a15ae7729a0ce4d9d56f6a

SHA256
20a228a6e536fe54f4f63ced0289d1b4c59976c21101b7e43070fed16576cd05

SHA512
2cd1073e00ffeb5286b850dc7deac504f4384ce23b735138b4d1783b2d53abf39020522828fa78a29d6ac9c6e1ce81b4f03220a8c93495a645b929f0f23eba9d

Download Submit
C:\Windows\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe

Filesize
204KB

MD5
575b9daa0ab273147588a077e9af3a0a

SHA1
031ba05532a7036ed83392602c937957100121c6

SHA256
617f300516ea289901889f89a700341c78b526ac9a114a1d9f2ca1c6b3124c56

SHA512
4569933810d34d70035f78554a6ebfde374a97140cb1b3975bfbf442b462417b2c6e05a22ec3ff31417ac613b9b672feb886aae1459a8395563cd47ad249f525

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads