78d87a793e6b8f021a43e672ff1df3a6212bccf69b9fcdb2b1118dee4d83222e

Analysis

max time kernel
149s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Size

216KB
MD5

86a0d93408eab1c6a012783fcc232055
SHA1

f309a672aad041afe72203db6edc5795cc204108
SHA256

78d87a793e6b8f021a43e672ff1df3a6212bccf69b9fcdb2b1118dee4d83222e
SHA512

417a35ecc6c15339608b66b79f31ac2685df1a1e26e18c9d915897fa8a4cc9775f36942a2957d2350e982075c3390428bc40cfb54d9ea21e702fd7cf4220b95b
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fa-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fb-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ff-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023402-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023408-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023402-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023408-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023402-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023408-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023402-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023408-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023402-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{673545BC-9389-4910-92A5-0B19C477316D}	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}	{673545BC-9389-4910-92A5-0B19C477316D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}\stubpath = "C:\\Windows\\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe"	{673545BC-9389-4910-92A5-0B19C477316D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}	{B376C253-7D53-436a-9082-2958FD6D9607}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}\stubpath = "C:\\Windows\\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe"	{B376C253-7D53-436a-9082-2958FD6D9607}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96FC94EB-EC0C-49ab-902A-87E161587ADB}\stubpath = "C:\\Windows\\{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe"	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9898A75-F564-44f6-8F3E-70532D77BC79}\stubpath = "C:\\Windows\\{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe"	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}	{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}	{175EC26C-116E-45f0-872C-16804D5F1156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E140BD87-E44A-48c7-9008-03A1AE846FB9}\stubpath = "C:\\Windows\\{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe"	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}\stubpath = "C:\\Windows\\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe"	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}\stubpath = "C:\\Windows\\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe"	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{175EC26C-116E-45f0-872C-16804D5F1156}	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{673545BC-9389-4910-92A5-0B19C477316D}\stubpath = "C:\\Windows\\{673545BC-9389-4910-92A5-0B19C477316D}.exe"	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B376C253-7D53-436a-9082-2958FD6D9607}\stubpath = "C:\\Windows\\{B376C253-7D53-436a-9082-2958FD6D9607}.exe"	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96FC94EB-EC0C-49ab-902A-87E161587ADB}	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9898A75-F564-44f6-8F3E-70532D77BC79}	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{175EC26C-116E-45f0-872C-16804D5F1156}\stubpath = "C:\\Windows\\{175EC26C-116E-45f0-872C-16804D5F1156}.exe"	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}\stubpath = "C:\\Windows\\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe"	{175EC26C-116E-45f0-872C-16804D5F1156}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E140BD87-E44A-48c7-9008-03A1AE846FB9}	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B376C253-7D53-436a-9082-2958FD6D9607}	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}\stubpath = "C:\\Windows\\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}.exe"	{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe

Executes dropped EXE 12 IoCs

pid	Process
740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe
4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe
516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe
4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
3148	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe
544	{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe
4408	{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
File created	C:\Windows\{673545BC-9389-4910-92A5-0B19C477316D}.exe	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
File created	C:\Windows\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}.exe	{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe
File created	C:\Windows\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	{673545BC-9389-4910-92A5-0B19C477316D}.exe
File created	C:\Windows\{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
File created	C:\Windows\{B376C253-7D53-436a-9082-2958FD6D9607}.exe	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
File created	C:\Windows\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	{B376C253-7D53-436a-9082-2958FD6D9607}.exe
File created	C:\Windows\{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
File created	C:\Windows\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
File created	C:\Windows\{175EC26C-116E-45f0-872C-16804D5F1156}.exe	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
File created	C:\Windows\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	{175EC26C-116E-45f0-872C-16804D5F1156}.exe
File created	C:\Windows\{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
Token: SeIncBasePriorityPrivilege	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
Token: SeIncBasePriorityPrivilege	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
Token: SeIncBasePriorityPrivilege	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe
Token: SeIncBasePriorityPrivilege	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
Token: SeIncBasePriorityPrivilege	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe
Token: SeIncBasePriorityPrivilege	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
Token: SeIncBasePriorityPrivilege	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
Token: SeIncBasePriorityPrivilege	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe
Token: SeIncBasePriorityPrivilege	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
Token: SeIncBasePriorityPrivilege	3148	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe
Token: SeIncBasePriorityPrivilege	544	{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 740	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	81
PID 1720 wrote to memory of 740	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	81
PID 1720 wrote to memory of 740	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	81
PID 1720 wrote to memory of 1408	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	82
PID 1720 wrote to memory of 1408	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	82
PID 1720 wrote to memory of 1408	1720	2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe	82
PID 740 wrote to memory of 448	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	83
PID 740 wrote to memory of 448	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	83
PID 740 wrote to memory of 448	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	83
PID 740 wrote to memory of 4444	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	84
PID 740 wrote to memory of 4444	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	84
PID 740 wrote to memory of 4444	740	{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe	84
PID 448 wrote to memory of 400	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	87
PID 448 wrote to memory of 400	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	87
PID 448 wrote to memory of 400	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	87
PID 448 wrote to memory of 4532	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	88
PID 448 wrote to memory of 4532	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	88
PID 448 wrote to memory of 4532	448	{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe	88
PID 400 wrote to memory of 4280	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe	93
PID 400 wrote to memory of 4280	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe	93
PID 400 wrote to memory of 4280	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe	93
PID 400 wrote to memory of 3260	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe	94
PID 400 wrote to memory of 3260	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe	94
PID 400 wrote to memory of 3260	400	{175EC26C-116E-45f0-872C-16804D5F1156}.exe	94
PID 4280 wrote to memory of 4024	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	96
PID 4280 wrote to memory of 4024	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	96
PID 4280 wrote to memory of 4024	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	96
PID 4280 wrote to memory of 2656	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	97
PID 4280 wrote to memory of 2656	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	97
PID 4280 wrote to memory of 2656	4280	{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe	97
PID 4024 wrote to memory of 516	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe	98
PID 4024 wrote to memory of 516	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe	98
PID 4024 wrote to memory of 516	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe	98
PID 4024 wrote to memory of 4536	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe	99
PID 4024 wrote to memory of 4536	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe	99
PID 4024 wrote to memory of 4536	4024	{673545BC-9389-4910-92A5-0B19C477316D}.exe	99
PID 516 wrote to memory of 4548	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	100
PID 516 wrote to memory of 4548	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	100
PID 516 wrote to memory of 4548	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	100
PID 516 wrote to memory of 4600	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	101
PID 516 wrote to memory of 4600	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	101
PID 516 wrote to memory of 4600	516	{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe	101
PID 4548 wrote to memory of 3512	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	102
PID 4548 wrote to memory of 3512	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	102
PID 4548 wrote to memory of 3512	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	102
PID 4548 wrote to memory of 2760	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	103
PID 4548 wrote to memory of 2760	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	103
PID 4548 wrote to memory of 2760	4548	{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe	103
PID 3512 wrote to memory of 4248	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe	104
PID 3512 wrote to memory of 4248	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe	104
PID 3512 wrote to memory of 4248	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe	104
PID 3512 wrote to memory of 3816	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe	105
PID 3512 wrote to memory of 3816	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe	105
PID 3512 wrote to memory of 3816	3512	{B376C253-7D53-436a-9082-2958FD6D9607}.exe	105
PID 4248 wrote to memory of 3148	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	106
PID 4248 wrote to memory of 3148	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	106
PID 4248 wrote to memory of 3148	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	106
PID 4248 wrote to memory of 4664	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	107
PID 4248 wrote to memory of 4664	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	107
PID 4248 wrote to memory of 4664	4248	{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe	107
PID 3148 wrote to memory of 544	3148	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe	108
PID 3148 wrote to memory of 544	3148	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe	108
PID 3148 wrote to memory of 544	3148	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe	108
PID 3148 wrote to memory of 612	3148	{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_86a0d93408eab1c6a012783fcc232055_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
  C:\Windows\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
    C:\Windows\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\{175EC26C-116E-45f0-872C-16804D5F1156}.exe
      C:\Windows\{175EC26C-116E-45f0-872C-16804D5F1156}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
        
        C:\Windows\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Windows\{673545BC-9389-4910-92A5-0B19C477316D}.exe
        
        C:\Windows\{673545BC-9389-4910-92A5-0B19C477316D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
        
        C:\Windows\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
        
        C:\Windows\{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{B376C253-7D53-436a-9082-2958FD6D9607}.exe
        
        C:\Windows\{B376C253-7D53-436a-9082-2958FD6D9607}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
        
        C:\Windows\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe
        
        C:\Windows\{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe
        
        C:\Windows\{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}.exe
        
        C:\Windows\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}.exe
        13⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9898~1.EXE > nul
        13⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96FC9~1.EXE > nul
        12⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D8E6~1.EXE > nul
        11⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B376C~1.EXE > nul
        10⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E140B~1.EXE > nul
        9⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6714F~1.EXE > nul
        8⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67354~1.EXE > nul
        7⤵
        
        PID:4536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6868~1.EXE > nul
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{175EC~1.EXE > nul
        5⤵
        
        PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D964B~1.EXE > nul
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{85C86~1.EXE > nul
    3⤵
    PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{175EC26C-116E-45f0-872C-16804D5F1156}.exe

Filesize
216KB

MD5
8063b0088da862f47d9643de45a81f82

SHA1
8c1bb1e876f0e85d8d3ac9b837507179237ffbfc

SHA256
727fc8ea8650a2f07f3bf15b8bfb5d99d3d4e8c99483152c9bf9020c5b054442

SHA512
38bf04387f840d0cbb5f050b95901b967f2789c54c293a923053fcf1f89431fe8dd1cfab9a8bd7bb0a25a9a33eba991f000543fcff46b672a7773a115aec9dcb

Download Submit
C:\Windows\{6714F079-B781-4cc6-AAFB-66BCFD533E0B}.exe

Filesize
216KB

MD5
004171e11b3e2b477e1a99db76539ffb

SHA1
95bcc9a569c199737f60ae3930f7a8cd236353f5

SHA256
27525ea9bb59e45b9b70a7ad9b46b1f9876946c20525a47467d32b84d954729a

SHA512
ea98916c3e3cce0b4f2808a775f96cb31d868b47f5685d185b6b3fa481fbff6906c43ac5e4a16ee425f3ce32fdf462a62d40664debbbd8a7f1741d0867b6c30c

Download Submit
C:\Windows\{673545BC-9389-4910-92A5-0B19C477316D}.exe

Filesize
216KB

MD5
c3a170df27bb7af93c485340c6102c6b

SHA1
260098f4a5b3b7070ec6228826a05ace63c514c8

SHA256
31c49bf314073cfe9cb02a6ece82c7867fb7e0d69ead8a9623ea2707f9ed8dca

SHA512
12549c80595faeaecfad0eb21b8e821082c1ac82ed1c3655c33f09005e1ca6a0f31d86235609f1ef8f624ba4a6bea562e71ef5f8a5db7bcfb5b4115c24708336

Download Submit
C:\Windows\{6B5677A0-E5E2-41d4-91F6-FE936DDB1EFD}.exe

Filesize
216KB

MD5
2ffc077e42908dcc90c52157e0a6524b

SHA1
ae0b78631c8a6b0488872c22dc4c97ba20532e3c

SHA256
92c8d7c2e1207bde58b784e5697fc8daefd652161f79a06b5035a60bcfdd694f

SHA512
5e295d1c1e56afcb523c9b30fd4239abdbe2a54fbd8593dcca377020150a3028b0de88d192c11b8a44cfd94d9c8628748406e7195b99ef52f93fef31f0ba5ed2

Download Submit
C:\Windows\{7D8E684A-9BD6-4ba7-BAB8-EB48ADAAC1FE}.exe

Filesize
216KB

MD5
7953eb0105e4f02b53b053b1692daf16

SHA1
2c03711d3d8381bfd77ce1b088d509956a5282be

SHA256
b2849649cd70f7a99b9a54fd925f45156d748b90e1d9ea888ab3858d3f9fae03

SHA512
4eddb1c4b764ef83b8c864758e91add10d150ceee5d92cda19795d59cb050cf768dea8191a2b6ce51d1156fdc0e413fe74dc6f501dee31b153430cfac4f39ebe

Download Submit
C:\Windows\{85C86867-8EA1-44fa-BA64-BAD56C6E56F6}.exe

Filesize
216KB

MD5
f91638f1eb2f94a8fee6df729ffb0196

SHA1
b224356c5ca0715d574417dbd8265d6e24bc3f7e

SHA256
8acff9c05846792ef231247a3ed3e640885f362f46f0422bae436464201490de

SHA512
84fb535ec8ce47e4e8c8b078bf5baa325c5b71dfd5f374ae9a5f59391f54659132a426a67d30df795ab4d4f27e6271c7a624b72a784f3d7e913745d697569673

Download Submit
C:\Windows\{96FC94EB-EC0C-49ab-902A-87E161587ADB}.exe

Filesize
216KB

MD5
820ddbea2a2030bef1714696fd4849b0

SHA1
b9ffe68c46f14afc9c9205efcaa12274a60bf500

SHA256
c680ac8b5602e0048c6d719337d248592ed6226c005775a83b8650c5431889a3

SHA512
90c2495b06773eb14bba505c659ff21065d809a58755c04dc1ce4a3d9a95d6342b3d7d72f1f32dff094aeba8214cf67d515c1de84460195aac873de495e0791a

Download Submit
C:\Windows\{B376C253-7D53-436a-9082-2958FD6D9607}.exe

Filesize
216KB

MD5
8e225b638d67cf0d8767ba60b96d5e10

SHA1
e121548b70ad0035f5d796b1c06e5510bb42147a

SHA256
67b075eb3d44e9c4bbe51eaec87482ca6d0fe060cd61c3e9446d56dc4f3d40bb

SHA512
940a16a4b43139e0d535c1f4c62fe70f33a0bc8fcb0dbcae7c5f834129dc549586729153d4701868ee75f8fcd7fa55b7f842c62d00e4458eb42d59ccc6e75693

Download Submit
C:\Windows\{B9898A75-F564-44f6-8F3E-70532D77BC79}.exe

Filesize
216KB

MD5
ba0a08373da58a976d00084b39d64bc6

SHA1
e79fa42392fc6252a58188279b1b7ae528c70758

SHA256
d3002b904b7b097d9f6cad8dc028a533c552f3f554da634425dc069b184be530

SHA512
dec3aa59daab9583e088e726bee35314d364ea4d942e3c755dc996cc7a68142b5147b448a50b039ac77185b2d4ae55eca2ffe8107b144848666f391f1e97abd8

Download Submit
C:\Windows\{D6868408-1C6B-4abc-A237-CFC7C5FAC782}.exe

Filesize
216KB

MD5
d444898e8ba7357e0c1627d292df6c1b

SHA1
405de463d8ac38cb39cc3ce4390db84fce2be4b8

SHA256
b3e441dde6412b547066b391eb808fe10f6075c3e61f4dddc151a0b2510e5019

SHA512
8fa74f5d3e33cc4cc177e97fa1b5f97767e27099b50f8ca929b10923b03ff0a562a5778fdde80b81b42015613eddd7ec80c5979fef0e044e38bb2a7197700dd7

Download Submit
C:\Windows\{D964B639-B8F4-4314-AABD-AE5CAC1004F4}.exe

Filesize
216KB

MD5
523b94e7a7a837322367ab4f07e9e05d

SHA1
4346f6aeb9a4877527dac5034bd8748948b38f35

SHA256
3bc2ca38bce50691cb03d40f04b22a40bc7f0158da788f618420d372d75c8063

SHA512
55dc8870810584bb59fc01fb9e2b1edb0c91ee6b083af27827212b83266fc361b03091a52a39efe240429e793b818043d1da3ca4b95293149335e2c06c4cadea

Download Submit
C:\Windows\{E140BD87-E44A-48c7-9008-03A1AE846FB9}.exe

Filesize
216KB

MD5
d1bd3c2e106b8477f337a66fef84a846

SHA1
0bac5e37e343860f93357bfd4343df4db2f7d0d5

SHA256
504d51a990af2859cafec1b8baa030ba167cb8dca57170d57b09cdf9c51d7b65

SHA512
6d3c1483273dfbe864cb7b7ffe1361cbe567e7bcfd804c9bff4aefde7fe69bafec0200e9a8c0556a6831df48147ef8247e9cb28bd4a74db46beecaf0249442a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads