78d87a793e6b8f021a43e672ff1df3a6212bccf69b9fcdb2b1118dee4d83222e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Size

216KB
MD5

86a0d93408eab1c6a012783fcc232055
SHA1

f309a672aad041afe72203db6edc5795cc204108
SHA256

78d87a793e6b8f021a43e672ff1df3a6212bccf69b9fcdb2b1118dee4d83222e
SHA512

417a35ecc6c15339608b66b79f31ac2685df1a1e26e18c9d915897fa8a4cc9775f36942a2957d2350e982075c3390428bc40cfb54d9ea21e702fd7cf4220b95b
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001230f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001233a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001230f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a00000001233a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b00000001233a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003c00000001233a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003d00000001233a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E539977-EDEA-437b-B134-914DB853F047}\stubpath = "C:\\Windows\\{1E539977-EDEA-437b-B134-914DB853F047}.exe"	{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F79EE706-DC8A-46dd-9EF8-821A194D257D}\stubpath = "C:\\Windows\\{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe"	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295ED733-BF57-4203-9087-E90F2C765547}\stubpath = "C:\\Windows\\{295ED733-BF57-4203-9087-E90F2C765547}.exe"	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2111C850-8687-4e5c-B028-5B813843577B}	{295ED733-BF57-4203-9087-E90F2C765547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}\stubpath = "C:\\Windows\\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe"	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E61206F-2CE3-43cd-BC66-BA6700986716}	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B11920A7-2C9F-4bab-9978-8ADA1065B392}	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B11920A7-2C9F-4bab-9978-8ADA1065B392}\stubpath = "C:\\Windows\\{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe"	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}\stubpath = "C:\\Windows\\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}.exe"	{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}	{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295ED733-BF57-4203-9087-E90F2C765547}	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2111C850-8687-4e5c-B028-5B813843577B}\stubpath = "C:\\Windows\\{2111C850-8687-4e5c-B028-5B813843577B}.exe"	{295ED733-BF57-4203-9087-E90F2C765547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D623E16E-D65A-44cd-90BC-708CA7A82A49}	{2111C850-8687-4e5c-B028-5B813843577B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D623E16E-D65A-44cd-90BC-708CA7A82A49}\stubpath = "C:\\Windows\\{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe"	{2111C850-8687-4e5c-B028-5B813843577B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}\stubpath = "C:\\Windows\\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe"	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E539977-EDEA-437b-B134-914DB853F047}	{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F79EE706-DC8A-46dd-9EF8-821A194D257D}	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E61206F-2CE3-43cd-BC66-BA6700986716}\stubpath = "C:\\Windows\\{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe"	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021A8D98-428E-4513-9A10-7E6B16F855E2}	{1E539977-EDEA-437b-B134-914DB853F047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021A8D98-428E-4513-9A10-7E6B16F855E2}\stubpath = "C:\\Windows\\{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe"	{1E539977-EDEA-437b-B134-914DB853F047}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe
2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe
2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe
2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
1028	{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
2584	{1E539977-EDEA-437b-B134-914DB853F047}.exe
2876	{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe
1424	{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
File created	C:\Windows\{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	{2111C850-8687-4e5c-B028-5B813843577B}.exe
File created	C:\Windows\{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
File created	C:\Windows\{1E539977-EDEA-437b-B134-914DB853F047}.exe	{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
File created	C:\Windows\{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe	{1E539977-EDEA-437b-B134-914DB853F047}.exe
File created	C:\Windows\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}.exe	{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe
File created	C:\Windows\{295ED733-BF57-4203-9087-E90F2C765547}.exe	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
File created	C:\Windows\{2111C850-8687-4e5c-B028-5B813843577B}.exe	{295ED733-BF57-4203-9087-E90F2C765547}.exe
File created	C:\Windows\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
File created	C:\Windows\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
File created	C:\Windows\{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
Token: SeIncBasePriorityPrivilege	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe
Token: SeIncBasePriorityPrivilege	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe
Token: SeIncBasePriorityPrivilege	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
Token: SeIncBasePriorityPrivilege	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
Token: SeIncBasePriorityPrivilege	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe
Token: SeIncBasePriorityPrivilege	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
Token: SeIncBasePriorityPrivilege	1028	{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
Token: SeIncBasePriorityPrivilege	2584	{1E539977-EDEA-437b-B134-914DB853F047}.exe
Token: SeIncBasePriorityPrivilege	2876	{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2684	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	28
PID 2924 wrote to memory of 2684	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	28
PID 2924 wrote to memory of 2684	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	28
PID 2924 wrote to memory of 2684	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	28
PID 2924 wrote to memory of 2968	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	29
PID 2924 wrote to memory of 2968	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	29
PID 2924 wrote to memory of 2968	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	29
PID 2924 wrote to memory of 2968	2924	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	29
PID 2684 wrote to memory of 2484	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	30
PID 2684 wrote to memory of 2484	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	30
PID 2684 wrote to memory of 2484	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	30
PID 2684 wrote to memory of 2484	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	30
PID 2684 wrote to memory of 2512	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	31
PID 2684 wrote to memory of 2512	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	31
PID 2684 wrote to memory of 2512	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	31
PID 2684 wrote to memory of 2512	2684	{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe	31
PID 2484 wrote to memory of 2516	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	32
PID 2484 wrote to memory of 2516	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	32
PID 2484 wrote to memory of 2516	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	32
PID 2484 wrote to memory of 2516	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	32
PID 2484 wrote to memory of 2416	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	33
PID 2484 wrote to memory of 2416	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	33
PID 2484 wrote to memory of 2416	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	33
PID 2484 wrote to memory of 2416	2484	{295ED733-BF57-4203-9087-E90F2C765547}.exe	33
PID 2516 wrote to memory of 2472	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	34
PID 2516 wrote to memory of 2472	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	34
PID 2516 wrote to memory of 2472	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	34
PID 2516 wrote to memory of 2472	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	34
PID 2516 wrote to memory of 2932	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	35
PID 2516 wrote to memory of 2932	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	35
PID 2516 wrote to memory of 2932	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	35
PID 2516 wrote to memory of 2932	2516	{2111C850-8687-4e5c-B028-5B813843577B}.exe	35
PID 2472 wrote to memory of 2692	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	38
PID 2472 wrote to memory of 2692	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	38
PID 2472 wrote to memory of 2692	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	38
PID 2472 wrote to memory of 2692	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	38
PID 2472 wrote to memory of 848	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	39
PID 2472 wrote to memory of 848	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	39
PID 2472 wrote to memory of 848	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	39
PID 2472 wrote to memory of 848	2472	{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe	39
PID 2692 wrote to memory of 356	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	40
PID 2692 wrote to memory of 356	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	40
PID 2692 wrote to memory of 356	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	40
PID 2692 wrote to memory of 356	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	40
PID 2692 wrote to memory of 1912	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	41
PID 2692 wrote to memory of 1912	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	41
PID 2692 wrote to memory of 1912	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	41
PID 2692 wrote to memory of 1912	2692	{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe	41
PID 356 wrote to memory of 2328	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	42
PID 356 wrote to memory of 2328	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	42
PID 356 wrote to memory of 2328	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	42
PID 356 wrote to memory of 2328	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	42
PID 356 wrote to memory of 1204	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	43
PID 356 wrote to memory of 1204	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	43
PID 356 wrote to memory of 1204	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	43
PID 356 wrote to memory of 1204	356	{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe	43
PID 2328 wrote to memory of 1028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	44
PID 2328 wrote to memory of 1028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	44
PID 2328 wrote to memory of 1028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	44
PID 2328 wrote to memory of 1028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	44
PID 2328 wrote to memory of 2028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	45
PID 2328 wrote to memory of 2028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	45
PID 2328 wrote to memory of 2028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	45
PID 2328 wrote to memory of 2028	2328	{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
  C:\Windows\{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{295ED733-BF57-4203-9087-E90F2C765547}.exe
    C:\Windows\{295ED733-BF57-4203-9087-E90F2C765547}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\{2111C850-8687-4e5c-B028-5B813843577B}.exe
      C:\Windows\{2111C850-8687-4e5c-B028-5B813843577B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
        
        C:\Windows\{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
        
        C:\Windows\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe
        
        C:\Windows\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
        
        C:\Windows\{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
        
        C:\Windows\{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\{1E539977-EDEA-437b-B134-914DB853F047}.exe
        
        C:\Windows\{1E539977-EDEA-437b-B134-914DB853F047}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe
        
        C:\Windows\{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}.exe
        
        C:\Windows\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{021A8~1.EXE > nul
        12⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E539~1.EXE > nul
        11⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1192~1.EXE > nul
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E612~1.EXE > nul
        9⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AAC5~1.EXE > nul
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F09~1.EXE > nul
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D623E~1.EXE > nul
        6⤵
        
        PID:848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2111C~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{295ED~1.EXE > nul
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F79EE~1.EXE > nul
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021A8D98-428E-4513-9A10-7E6B16F855E2}.exe

Filesize
216KB

MD5
8b8770c7442807ac08cc49af33c800aa

SHA1
157686a81a6386d52e54be398201d9b59b240a47

SHA256
59ddcf3b39773fe000586614cf0622b81aaf1b083c9873fbcf2f31b8ef08d655

SHA512
b681fab01a9973e5f1c2816914c31b2de1028e269532ec1ae6158adb3ac9339f865fcd1869765e32591512a4c397fe25409001fab62baae031723e833742302e

Download Submit
C:\Windows\{1E539977-EDEA-437b-B134-914DB853F047}.exe

Filesize
216KB

MD5
ca6754c57c3638b503e98a4d70662dfe

SHA1
97a5f51d88508f09837eb2f68c3d1e71d30df332

SHA256
7e6c0e2f51b22b22826218f332abda1bea3774219c4f345ae97a33ad86adc197

SHA512
8594c188733777000810ccf60cef46eb56bb45cddb1a8b425f6f2536fe0e73ac5f4bcdaabf973f3c5dbc8e9912f552112b26f596a3f0f0a235baee8606cf13bd

Download Submit
C:\Windows\{2111C850-8687-4e5c-B028-5B813843577B}.exe

Filesize
216KB

MD5
d0c108e68446e0b7de98e6e185fbe605

SHA1
cf774cbb1cf293e9b80af8ec75900750b4f60692

SHA256
a1a0dc0dbd9d8ffacce339a268fe7bede4fbddb34aeaf45691c1811c959d158a

SHA512
7c61d2e7577ceac3521f7b152000ee217314bca5aec4c9912ebf853c4755eae34495ae37e34952c076b81d44cf27da97057282aa528dbef693a4974ed175252e

Download Submit
C:\Windows\{295ED733-BF57-4203-9087-E90F2C765547}.exe

Filesize
216KB

MD5
510a449424c14a9a1db09a3a02f6906c

SHA1
f3ffc99e22723c34f3318a47d839f47694a45b2b

SHA256
5b8575dd0e9ed9c32728862cdb0fa4ca68f72cda3123cbe441b6b46e4390d56e

SHA512
0ed86267fb6d5564f057d1c0a37de1c70ab648ec661d0863ec60c25d77e23e244e0d7245311f7f67c32195a2529ef4f31da6ad3a7f617b0bb46caf34ef2f941b

Download Submit
C:\Windows\{358FB068-0EF9-423d-AB1F-AF791A9EEAA0}.exe

Filesize
216KB

MD5
07974f9cc960b4920b5863f83c0c4564

SHA1
7d220448cd7403f271698c43d6a4d89f7013368b

SHA256
1d5a9b61a9edbd83506fda9d3959ae6be62973a0ad2278e08016b603cf7ff4a8

SHA512
3bdb3dd00da7430c907adbbd46144adc4424177772be13555b9e82bac25cf1f85f576b19f4090294a4b905bac19dc2b612f5d1ca8fcd5f7717c63999f537740e

Download Submit
C:\Windows\{5E61206F-2CE3-43cd-BC66-BA6700986716}.exe

Filesize
216KB

MD5
cd4a59b07df4c13d84530294e0dafc6c

SHA1
21108ea529af201c37eb36f082bb676e139aeee4

SHA256
26416ee5bc09fb91e4d29a572df2ea39c062c6b1f48c5332a6c909ec6b5a6581

SHA512
941915d2b67241d734e64c57d21ab6052feadb2647e61d8d9ebcb0b3f0aa8c25977572ec101fc5624f6f619782bf850e328620425f37e02d872aacc9fe7f7c33

Download Submit
C:\Windows\{79F0999F-9C0D-4a1b-BC3B-C704DD8DDC77}.exe

Filesize
216KB

MD5
db90076eba97991ea6d2b31e42ec115f

SHA1
f5d98c6f30b180ade142586136fe304fe59b37d7

SHA256
da402e49ae23aad8a850ee03aa1179f6f5434cfcd39bf7a62396669d5036973c

SHA512
9fe815d74cf4997b1fdf60cab1004d7f194289aa7e4f0459e5146667ca2669d3e128b122c32acced57fc83ec9486b81a6336cb36ef662d531862d2c9f6a93685

Download Submit
C:\Windows\{7AAC515D-6035-4aa9-A5B9-39CAA73D21CF}.exe

Filesize
216KB

MD5
e081eaaa80666521037573761e976451

SHA1
17e3ca22bf2adcba0a41d2f14a2ffb13dd8b5b69

SHA256
5384ea17238b08006b51912770ba8433c81f1fe2d0f968efea49ecac082e7787

SHA512
58a3386a77691986682716b6d5ce1a2dde7f6d39a43f7c2f1e127977c8520babc7d66c4f8cbd22ac4aa0c9b38eaf1e8f2b6bb68ccb6c04190e4dae2fa9f7e0e3

Download Submit
C:\Windows\{B11920A7-2C9F-4bab-9978-8ADA1065B392}.exe

Filesize
216KB

MD5
89e03ed701d12fb7bff6620448fc252d

SHA1
45ba63d64aa69abc984fa743f3a552a4b6b5e4e1

SHA256
315083e3242fedbdfab8b9f9700f2d61086825108d510b8f5e20eee4dc678ab4

SHA512
b761e51a28dbdcf4eeb01eb7b95ea0d06d457de3b3d659eb1234409823a268158579b76a87e1adec44248d9864caf96259ef4d12edbbb4c102d4868d868f3111

Download Submit
C:\Windows\{D623E16E-D65A-44cd-90BC-708CA7A82A49}.exe

Filesize
216KB

MD5
fbf139aa45ee026888b06ff17edc117f

SHA1
1adb697835431114c6b6898e22e818ad5d01da6a

SHA256
488be3d124062bd4fae564e1e1fedee84cad6be997de7f6f501f605bbfd64f1d

SHA512
4cc31219e7a0e1e45fb6f1a1e687c0a51e6f8561a9ff3e1a558c6ffff62e979004c9512dc49ce9ef6f8dab652fea5723c38444349161296a269aeb98a16717eb

Download Submit
C:\Windows\{F79EE706-DC8A-46dd-9EF8-821A194D257D}.exe

Filesize
216KB

MD5
99fec3f4a31e8e43643fd8bb542240de

SHA1
1e9526f22cd6e17593746be5594b16775dbf1c67

SHA256
b1459479a8e93c02d889045d2fadd58a665502a664452ceb1eac8a073e898f44

SHA512
b15a363eaae292a056abc3304be1a5481c5fb3cd2a59b43dda9a09a0d93dc174b61bfd5f56c94095904909d5f973e36c80f67a94d906e616018fdf4df287ff89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads