2d79d3ea2510600681300ba0ecdf645aa35b1723ab6e601427c492d64b0ba0ad

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe
Size

372KB
MD5

5f7751470340039eda4d1b6a9b967b9e
SHA1

84d2f3b8b8bc1abff735fc74e4dce4468991286c
SHA256

2d79d3ea2510600681300ba0ecdf645aa35b1723ab6e601427c492d64b0ba0ad
SHA512

0b90391bab203e156f0fa7a1f088408e726481ca7f0ec0505f67b0eb28fca79eb4293966759c6584ebcf6e7b2049bcc7e73713c61f75a9e12d7b4b26fd357303
SSDEEP

3072:CEGh0oSlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGolkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023438-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023439-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002343d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023440-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023446-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023440-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023446-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023440-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023446-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023440-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023446-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023440-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69CB83A5-DB76-4020-A44A-F201EE933F44}\stubpath = "C:\\Windows\\{69CB83A5-DB76-4020-A44A-F201EE933F44}.exe"	{918920AF-2502-4d10-80B7-EC1C9295E617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{496D5534-78C7-485f-AA19-076E96C7D43D}\stubpath = "C:\\Windows\\{496D5534-78C7-485f-AA19-076E96C7D43D}.exe"	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}\stubpath = "C:\\Windows\\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe"	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D26FF6E-430A-4ac3-B514-940D63329AD5}	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918920AF-2502-4d10-80B7-EC1C9295E617}	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918920AF-2502-4d10-80B7-EC1C9295E617}\stubpath = "C:\\Windows\\{918920AF-2502-4d10-80B7-EC1C9295E617}.exe"	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{496D5534-78C7-485f-AA19-076E96C7D43D}	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36BA51F6-56AB-4431-8B58-70B12B825394}	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36BA51F6-56AB-4431-8B58-70B12B825394}\stubpath = "C:\\Windows\\{36BA51F6-56AB-4431-8B58-70B12B825394}.exe"	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}\stubpath = "C:\\Windows\\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe"	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D26FF6E-430A-4ac3-B514-940D63329AD5}\stubpath = "C:\\Windows\\{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe"	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF0277B-177A-4f72-A993-A57F89448C65}	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05D4E9D5-2339-488d-918C-1DFD130523F1}\stubpath = "C:\\Windows\\{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe"	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9733512-C450-44e0-9B28-2223267AC6DE}	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}\stubpath = "C:\\Windows\\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe"	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF0277B-177A-4f72-A993-A57F89448C65}\stubpath = "C:\\Windows\\{9BF0277B-177A-4f72-A993-A57F89448C65}.exe"	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05D4E9D5-2339-488d-918C-1DFD130523F1}	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9733512-C450-44e0-9B28-2223267AC6DE}\stubpath = "C:\\Windows\\{A9733512-C450-44e0-9B28-2223267AC6DE}.exe"	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}\stubpath = "C:\\Windows\\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe"	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69CB83A5-DB76-4020-A44A-F201EE933F44}	{918920AF-2502-4d10-80B7-EC1C9295E617}.exe

Executes dropped EXE 12 IoCs

pid	Process
2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe
4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
4536	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
1524	{918920AF-2502-4d10-80B7-EC1C9295E617}.exe
3364	{69CB83A5-DB76-4020-A44A-F201EE933F44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
File created	C:\Windows\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
File created	C:\Windows\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe
File created	C:\Windows\{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
File created	C:\Windows\{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
File created	C:\Windows\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
File created	C:\Windows\{918920AF-2502-4d10-80B7-EC1C9295E617}.exe	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
File created	C:\Windows\{69CB83A5-DB76-4020-A44A-F201EE933F44}.exe	{918920AF-2502-4d10-80B7-EC1C9295E617}.exe
File created	C:\Windows\{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
File created	C:\Windows\{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
File created	C:\Windows\{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
File created	C:\Windows\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
Token: SeIncBasePriorityPrivilege	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
Token: SeIncBasePriorityPrivilege	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
Token: SeIncBasePriorityPrivilege	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
Token: SeIncBasePriorityPrivilege	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
Token: SeIncBasePriorityPrivilege	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe
Token: SeIncBasePriorityPrivilege	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
Token: SeIncBasePriorityPrivilege	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
Token: SeIncBasePriorityPrivilege	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
Token: SeIncBasePriorityPrivilege	4536	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
Token: SeIncBasePriorityPrivilege	1524	{918920AF-2502-4d10-80B7-EC1C9295E617}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2788	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe	81
PID 1352 wrote to memory of 2788	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe	81
PID 1352 wrote to memory of 2788	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe	81
PID 1352 wrote to memory of 448	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe	82
PID 1352 wrote to memory of 448	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe	82
PID 1352 wrote to memory of 448	1352	2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe	82
PID 2788 wrote to memory of 3224	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	83
PID 2788 wrote to memory of 3224	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	83
PID 2788 wrote to memory of 3224	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	83
PID 2788 wrote to memory of 4560	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	84
PID 2788 wrote to memory of 4560	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	84
PID 2788 wrote to memory of 4560	2788	{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe	84
PID 3224 wrote to memory of 4260	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	87
PID 3224 wrote to memory of 4260	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	87
PID 3224 wrote to memory of 4260	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	87
PID 3224 wrote to memory of 1040	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	88
PID 3224 wrote to memory of 1040	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	88
PID 3224 wrote to memory of 1040	3224	{9BF0277B-177A-4f72-A993-A57F89448C65}.exe	88
PID 4260 wrote to memory of 4728	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	93
PID 4260 wrote to memory of 4728	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	93
PID 4260 wrote to memory of 4728	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	93
PID 4260 wrote to memory of 3412	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	94
PID 4260 wrote to memory of 3412	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	94
PID 4260 wrote to memory of 3412	4260	{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe	94
PID 4728 wrote to memory of 4920	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	96
PID 4728 wrote to memory of 4920	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	96
PID 4728 wrote to memory of 4920	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	96
PID 4728 wrote to memory of 4264	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	97
PID 4728 wrote to memory of 4264	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	97
PID 4728 wrote to memory of 4264	4728	{496D5534-78C7-485f-AA19-076E96C7D43D}.exe	97
PID 4920 wrote to memory of 2136	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	98
PID 4920 wrote to memory of 2136	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	98
PID 4920 wrote to memory of 2136	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	98
PID 4920 wrote to memory of 3860	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	99
PID 4920 wrote to memory of 3860	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	99
PID 4920 wrote to memory of 3860	4920	{36BA51F6-56AB-4431-8B58-70B12B825394}.exe	99
PID 2136 wrote to memory of 4528	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	100
PID 2136 wrote to memory of 4528	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	100
PID 2136 wrote to memory of 4528	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	100
PID 2136 wrote to memory of 5080	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	101
PID 2136 wrote to memory of 5080	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	101
PID 2136 wrote to memory of 5080	2136	{A9733512-C450-44e0-9B28-2223267AC6DE}.exe	101
PID 4528 wrote to memory of 3316	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	102
PID 4528 wrote to memory of 3316	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	102
PID 4528 wrote to memory of 3316	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	102
PID 4528 wrote to memory of 3172	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	103
PID 4528 wrote to memory of 3172	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	103
PID 4528 wrote to memory of 3172	4528	{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe	103
PID 3316 wrote to memory of 4140	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	104
PID 3316 wrote to memory of 4140	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	104
PID 3316 wrote to memory of 4140	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	104
PID 3316 wrote to memory of 3096	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	105
PID 3316 wrote to memory of 3096	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	105
PID 3316 wrote to memory of 3096	3316	{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe	105
PID 4140 wrote to memory of 4536	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	106
PID 4140 wrote to memory of 4536	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	106
PID 4140 wrote to memory of 4536	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	106
PID 4140 wrote to memory of 1376	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	107
PID 4140 wrote to memory of 1376	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	107
PID 4140 wrote to memory of 1376	4140	{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe	107
PID 4536 wrote to memory of 1524	4536	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe	108
PID 4536 wrote to memory of 1524	4536	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe	108
PID 4536 wrote to memory of 1524	4536	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe	108
PID 4536 wrote to memory of 4352	4536	{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_5f7751470340039eda4d1b6a9b967b9e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
  C:\Windows\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
    C:\Windows\{9BF0277B-177A-4f72-A993-A57F89448C65}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
      C:\Windows\{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
        
        C:\Windows\{496D5534-78C7-485f-AA19-076E96C7D43D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
        
        C:\Windows\{36BA51F6-56AB-4431-8B58-70B12B825394}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{A9733512-C450-44e0-9B28-2223267AC6DE}.exe
        
        C:\Windows\{A9733512-C450-44e0-9B28-2223267AC6DE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
        
        C:\Windows\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
        
        C:\Windows\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
        
        C:\Windows\{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
        
        C:\Windows\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{918920AF-2502-4d10-80B7-EC1C9295E617}.exe
        
        C:\Windows\{918920AF-2502-4d10-80B7-EC1C9295E617}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{69CB83A5-DB76-4020-A44A-F201EE933F44}.exe
        
        C:\Windows\{69CB83A5-DB76-4020-A44A-F201EE933F44}.exe
        13⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91892~1.EXE > nul
        13⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42C8D~1.EXE > nul
        12⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D26F~1.EXE > nul
        11⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4713A~1.EXE > nul
        10⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C57F~1.EXE > nul
        9⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9733~1.EXE > nul
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36BA5~1.EXE > nul
        7⤵
        
        PID:3860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{496D5~1.EXE > nul
        6⤵
        
        PID:4264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05D4E~1.EXE > nul
        5⤵
        
        PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF02~1.EXE > nul
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E0570~1.EXE > nul
    3⤵
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05D4E9D5-2339-488d-918C-1DFD130523F1}.exe

Filesize
372KB

MD5
19e9c547112bc2c6a02d6a9a9a41f561

SHA1
35e1d4447bc9d29df238f5f0cb618687ab943d7f

SHA256
e764752ec3ab50ebde6b8da2b9ec27f01392b6204a4891b7350e002cd965d7ac

SHA512
67ee97c835004d7f2ba379699d388962308f1bdb07e8bf32b69f5df05803667636a5de859c918b7b20abe9668a7445de29414be51db2eb66e3926ef2f58ff387

Download Submit
C:\Windows\{0D26FF6E-430A-4ac3-B514-940D63329AD5}.exe

Filesize
372KB

MD5
6fb268db1b4fe2e4cf261ab837d65044

SHA1
01728772ac0785c51ecbc02bdbb1e97e8e8cac26

SHA256
c1923232f8240ea58d5249d76c3cb8f774973e260f09801013931a7365df251d

SHA512
99325faf39371a92e7eb61dbab05748a0f0e910cdc1e0f5f7b0fe8b2b55fded7aa3f2d302309347320d66ff2b3d35e85a099946926bba8fe6ff0d0ca360defc5

Download Submit
C:\Windows\{36BA51F6-56AB-4431-8B58-70B12B825394}.exe

Filesize
372KB

MD5
6dafb6aa9f765f03311c5b794e75ff72

SHA1
a01319f16bfb178951327f029a3607c2bbd4b2e1

SHA256
17d827c26be3fc07611d1f3a5177ce04d305693335747e2dc3fe2e91d49e0ba2

SHA512
0723e21b0622a647b43e9a5c7c028a41d93f947f4ca72593f9f1be7e04144b83500def3db9ad6a0af007900ec4cb7ecbd27d559aac5cbdde04351e55d98f8501

Download Submit
C:\Windows\{42C8DF97-7C0D-429b-A5DC-DF168499AB8C}.exe

Filesize
372KB

MD5
296ab9775f7ef706773f48073cb15d9b

SHA1
8213405f5e95d3746c289aa111bea1ef87dd9d48

SHA256
a47366d820a01eb6c46953e95087f4171a44b8b0ab0e3388423350d7f269420c

SHA512
ec896d988c2043e95c97336cd6c20bca3db9ce78ae0f9d94e9ed8385fb21690cf8cfac7016e3763b518fe497aa32a5f42e203a3a9020e68186c1ee2dfd035d03

Download Submit
C:\Windows\{4713ABAB-43FD-49d3-9215-706F5A0F9F33}.exe

Filesize
372KB

MD5
e14cfa9d8494a783202e0029d2b82fc7

SHA1
151009c0615a03d3224e019fa3a80fc08f57be03

SHA256
c3983a49dfaf5eca3aca3260cfe267f38302374bc1fdea51686b91cf639e2c67

SHA512
04a31b87c495b467288eb9ebef4fbf5e89e3d1259f8174bd91e1dd3dd4143c72000efd7e217f85378479cb3365e92e7987bdd617cc0c8ffb7ba233b3c516d424

Download Submit
C:\Windows\{496D5534-78C7-485f-AA19-076E96C7D43D}.exe

Filesize
372KB

MD5
a294620ebdee0db25d78746833bf44c3

SHA1
b2246b38cce44cdf733a706b71ecd399748e8861

SHA256
a7caf62534d9b985a8b171fffd8360cb00f096a032bab26a37a05ab33bbaac20

SHA512
267b5de7248bb21c05cc4593769f0ef4916d391f0e3d4f5d10750133c8b81b0f9fbbc967fdc0345d812d3afb453da1c75674f7a1046e024bdf6408ce82e73243

Download Submit
C:\Windows\{69CB83A5-DB76-4020-A44A-F201EE933F44}.exe

Filesize
372KB

MD5
d47f8146a58bf32a86325e5edc2d2058

SHA1
21b1c3c1d2b782c80ba080aae0b1cf35884444fa

SHA256
7394d9053fa17d23f6a2c553cd48f0a0850038991801741d126b141bc132d9d5

SHA512
19e0fcd1dfadbfa4e25cf6005d33e39227e53bec62a83cbeebc63aa0a2dbdadefe650494a0b0ae213b268d2fea7e472c91f9ab2b94f73e46b4be0e90bb1dcfff

Download Submit
C:\Windows\{918920AF-2502-4d10-80B7-EC1C9295E617}.exe

Filesize
372KB

MD5
0718bafa14e6a4d9d4a632fd74714158

SHA1
828cd3988153a9f9632f680c8eb983effb513079

SHA256
35196645f37bc0d3fac17c64020fa40bd66a9e474cacf19f0babf0ad84deb0b8

SHA512
aa575f7707e6a616726f8282e11d5c888f65bb0895e27d0e8bdf3a2451f5f2562854f443722cb35692ebdbdd706b0284d2b6cc98f12435d59b674a4a0f296576

Download Submit
C:\Windows\{9BF0277B-177A-4f72-A993-A57F89448C65}.exe

Filesize
372KB

MD5
12926a107cdf38f754dc0386d55e5f7d

SHA1
5b8bec543c87af0d914c93691948552848aad03e

SHA256
b35a4f73723096c59967e5264410dc17097f7de473359146e26f3259dacae4af

SHA512
9bdf021286e05d5d974256b0f6880f883febeb638a88537094378cdc0b4493e6c88605d73906cc0097c30782934f3e5533c11a3a4cb6cbfad2828812ad54b61a

Download Submit
C:\Windows\{9C57F77F-63B5-4722-BCA1-9B9C2646E1E1}.exe

Filesize
372KB

MD5
8019fce9c9b127fca18a51fbe341b840

SHA1
024e367c0a167da032b6eb3687cef9760bc8312f

SHA256
afe887025e62f40225398aaac0442a040118ffa31c8160762c36617021ea655b

SHA512
34fae6635da61f56a6882f93fb854366df0306bf713c5eb061f7c747e22386117ccf8b05d4e7d4bc556d703f634e029a60df210370be548e2cbd9b5dfdd3e6cf

Download Submit
C:\Windows\{A9733512-C450-44e0-9B28-2223267AC6DE}.exe

Filesize
372KB

MD5
4c678db9d03d9d5ee04bc3a05077e809

SHA1
0894695f1e6f04c6e07be2aeeeac3028e1a1dd71

SHA256
d90c3f58980bb65cef29c5c93c2c39a5ef71d636a2f37743868090d5d52312d0

SHA512
07418fe78a0ab0a92c1e5eac82aeaf0889de6acccf0a29b901d0ba8e77b35f284fc791e5c5cb9bc18056c57f7e212c3e764224f4b7bd8c8debf455e7d8483ab3

Download Submit
C:\Windows\{E0570111-B5B8-45e3-ADF0-2D0FB9631985}.exe

Filesize
372KB

MD5
1923785c8d47c58b65ebf33a1d162793

SHA1
b9f47cb09c245b8a232255bfe2df85fd7c97af25

SHA256
256ef723bcaced7bb19fde2215c4fdf3f3bb9948e3b7c17341e1ead1f35b8f6c

SHA512
a2fe8a54bd20b95ff97643dbcddd377e52df1eea3224b7cf9248a0f2de59e0455dc5ad83283e89b320c7f806f08ce0e3650a620baeff3be89cbccbe56309eadb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads