c99bcc928109872994a8effc85bc42aa066b064bbd720bc2d861c4062eb434a0

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe
Size

216KB
MD5

d699ee1efe5a6a1caeab0030880dc432
SHA1

b7665885d9ae3254985fdd7ef1c73dbcd679a0a3
SHA256

c99bcc928109872994a8effc85bc42aa066b064bbd720bc2d861c4062eb434a0
SHA512

433d27e866d264ae1a2d08267801a1e646fd4c116e3bc5c412bb1bd6b072f0a27d9f8ed15bd8e068bfb36548722ad00ef02c6232c08a1c0a7693e22b2ca84c74
SSDEEP

3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGilEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000141c0-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000143ec-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000141c0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001447e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000141c0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000141c0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000141c0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07CA3E15-9D50-46b7-A683-F0285C73B471}	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0777B08D-7E78-4462-BE50-84E48481D952}	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D036260-94E1-435e-84E2-134CAEBB8A59}\stubpath = "C:\\Windows\\{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe"	{0777B08D-7E78-4462-BE50-84E48481D952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68E591C2-9E64-4882-98D0-324313E81D0B}	{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}\stubpath = "C:\\Windows\\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe"	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07CA3E15-9D50-46b7-A683-F0285C73B471}\stubpath = "C:\\Windows\\{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe"	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68E591C2-9E64-4882-98D0-324313E81D0B}\stubpath = "C:\\Windows\\{68E591C2-9E64-4882-98D0-324313E81D0B}.exe"	{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10F0650B-0886-46cc-94D5-576ED6223DDA}\stubpath = "C:\\Windows\\{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe"	{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C629548-FEEF-43a8-9409-17E79734341A}\stubpath = "C:\\Windows\\{6C629548-FEEF-43a8-9409-17E79734341A}.exe"	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}\stubpath = "C:\\Windows\\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe"	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D245503-78AF-426b-A468-31F2A6440A52}\stubpath = "C:\\Windows\\{6D245503-78AF-426b-A468-31F2A6440A52}.exe"	{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C629548-FEEF-43a8-9409-17E79734341A}	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}	{6C629548-FEEF-43a8-9409-17E79734341A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}\stubpath = "C:\\Windows\\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe"	{6C629548-FEEF-43a8-9409-17E79734341A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}\stubpath = "C:\\Windows\\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe"	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0777B08D-7E78-4462-BE50-84E48481D952}\stubpath = "C:\\Windows\\{0777B08D-7E78-4462-BE50-84E48481D952}.exe"	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D036260-94E1-435e-84E2-134CAEBB8A59}	{0777B08D-7E78-4462-BE50-84E48481D952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10F0650B-0886-46cc-94D5-576ED6223DDA}	{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D245503-78AF-426b-A468-31F2A6440A52}	{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe
2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe
1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
1588	{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
868	{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
2316	{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe
1480	{6D245503-78AF-426b-A468-31F2A6440A52}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	{6C629548-FEEF-43a8-9409-17E79734341A}.exe
File created	C:\Windows\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
File created	C:\Windows\{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
File created	C:\Windows\{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	{0777B08D-7E78-4462-BE50-84E48481D952}.exe
File created	C:\Windows\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
File created	C:\Windows\{6C629548-FEEF-43a8-9409-17E79734341A}.exe	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe
File created	C:\Windows\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
File created	C:\Windows\{0777B08D-7E78-4462-BE50-84E48481D952}.exe	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
File created	C:\Windows\{68E591C2-9E64-4882-98D0-324313E81D0B}.exe	{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
File created	C:\Windows\{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe	{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
File created	C:\Windows\{6D245503-78AF-426b-A468-31F2A6440A52}.exe	{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe
Token: SeIncBasePriorityPrivilege	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
Token: SeIncBasePriorityPrivilege	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
Token: SeIncBasePriorityPrivilege	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
Token: SeIncBasePriorityPrivilege	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
Token: SeIncBasePriorityPrivilege	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe
Token: SeIncBasePriorityPrivilege	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
Token: SeIncBasePriorityPrivilege	1588	{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
Token: SeIncBasePriorityPrivilege	868	{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
Token: SeIncBasePriorityPrivilege	2316	{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3024	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	28
PID 2784 wrote to memory of 3024	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	28
PID 2784 wrote to memory of 3024	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	28
PID 2784 wrote to memory of 3024	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	28
PID 2784 wrote to memory of 3068	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	29
PID 2784 wrote to memory of 3068	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	29
PID 2784 wrote to memory of 3068	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	29
PID 2784 wrote to memory of 3068	2784	2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe	29
PID 3024 wrote to memory of 2648	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	30
PID 3024 wrote to memory of 2648	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	30
PID 3024 wrote to memory of 2648	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	30
PID 3024 wrote to memory of 2648	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	30
PID 3024 wrote to memory of 2736	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	31
PID 3024 wrote to memory of 2736	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	31
PID 3024 wrote to memory of 2736	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	31
PID 3024 wrote to memory of 2736	3024	{6C629548-FEEF-43a8-9409-17E79734341A}.exe	31
PID 2648 wrote to memory of 2620	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	32
PID 2648 wrote to memory of 2620	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	32
PID 2648 wrote to memory of 2620	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	32
PID 2648 wrote to memory of 2620	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	32
PID 2648 wrote to memory of 2792	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	33
PID 2648 wrote to memory of 2792	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	33
PID 2648 wrote to memory of 2792	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	33
PID 2648 wrote to memory of 2792	2648	{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe	33
PID 2620 wrote to memory of 1908	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	36
PID 2620 wrote to memory of 1908	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	36
PID 2620 wrote to memory of 1908	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	36
PID 2620 wrote to memory of 1908	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	36
PID 2620 wrote to memory of 2944	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	37
PID 2620 wrote to memory of 2944	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	37
PID 2620 wrote to memory of 2944	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	37
PID 2620 wrote to memory of 2944	2620	{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe	37
PID 1908 wrote to memory of 2964	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	38
PID 1908 wrote to memory of 2964	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	38
PID 1908 wrote to memory of 2964	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	38
PID 1908 wrote to memory of 2964	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	38
PID 1908 wrote to memory of 2548	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	39
PID 1908 wrote to memory of 2548	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	39
PID 1908 wrote to memory of 2548	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	39
PID 1908 wrote to memory of 2548	1908	{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe	39
PID 2964 wrote to memory of 2724	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	40
PID 2964 wrote to memory of 2724	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	40
PID 2964 wrote to memory of 2724	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	40
PID 2964 wrote to memory of 2724	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	40
PID 2964 wrote to memory of 2804	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	41
PID 2964 wrote to memory of 2804	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	41
PID 2964 wrote to memory of 2804	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	41
PID 2964 wrote to memory of 2804	2964	{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe	41
PID 2724 wrote to memory of 1656	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	42
PID 2724 wrote to memory of 1656	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	42
PID 2724 wrote to memory of 1656	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	42
PID 2724 wrote to memory of 1656	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	42
PID 2724 wrote to memory of 3060	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	43
PID 2724 wrote to memory of 3060	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	43
PID 2724 wrote to memory of 3060	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	43
PID 2724 wrote to memory of 3060	2724	{0777B08D-7E78-4462-BE50-84E48481D952}.exe	43
PID 1656 wrote to memory of 1588	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	44
PID 1656 wrote to memory of 1588	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	44
PID 1656 wrote to memory of 1588	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	44
PID 1656 wrote to memory of 1588	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	44
PID 1656 wrote to memory of 932	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	45
PID 1656 wrote to memory of 932	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	45
PID 1656 wrote to memory of 932	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	45
PID 1656 wrote to memory of 932	1656	{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_d699ee1efe5a6a1caeab0030880dc432_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\{6C629548-FEEF-43a8-9409-17E79734341A}.exe
  C:\Windows\{6C629548-FEEF-43a8-9409-17E79734341A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
    C:\Windows\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
      C:\Windows\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
        
        C:\Windows\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
        
        C:\Windows\{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{0777B08D-7E78-4462-BE50-84E48481D952}.exe
        
        C:\Windows\{0777B08D-7E78-4462-BE50-84E48481D952}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
        
        C:\Windows\{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
        
        C:\Windows\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
        
        C:\Windows\{68E591C2-9E64-4882-98D0-324313E81D0B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe
        
        C:\Windows\{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{6D245503-78AF-426b-A468-31F2A6440A52}.exe
        
        C:\Windows\{6D245503-78AF-426b-A468-31F2A6440A52}.exe
        12⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10F06~1.EXE > nul
        12⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68E59~1.EXE > nul
        11⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E954C~1.EXE > nul
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D036~1.EXE > nul
        9⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0777B~1.EXE > nul
        8⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07CA3~1.EXE > nul
        7⤵
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE6F~1.EXE > nul
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD468~1.EXE > nul
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2DBD~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C629~1.EXE > nul
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0777B08D-7E78-4462-BE50-84E48481D952}.exe

Filesize
216KB

MD5
db52f2f613cbd17a4000708579a1fb2f

SHA1
b12db9f974b2715d0f3e7f718bf4ca0c60086eb4

SHA256
32b9639e37e0cb94a1d5e61055a948d9bbb0c2acf79902b6769aec61886002a5

SHA512
bd16b1c9bb088d1034d7f861bb02d614095adf8432118e9255eab28e1d64c4e9aff40343b6d56b2bce791229b6edf839881ec092a82ad060d229060c8e3630b8

Download Submit
C:\Windows\{07CA3E15-9D50-46b7-A683-F0285C73B471}.exe

Filesize
216KB

MD5
040cf1e5395dbd825c6a2546b70df688

SHA1
78ac47d8e108d557b0ac0afb768320be9bee46c8

SHA256
fa0e290612b9f854a47923b23a3778c7ae5da09b1793c23fe949479c11c6874e

SHA512
e8e0b5bd9eb59f6314e4e13232f11ad1a13f63cd49c4f6c34530342993f4ae0c6eb34a9e94981e54c8a9ec883e57bb9deb9376b290894c03363895ef2c265cf1

Download Submit
C:\Windows\{0D036260-94E1-435e-84E2-134CAEBB8A59}.exe

Filesize
216KB

MD5
0e3dd625b2ed97c2148af212861af83a

SHA1
f134f2b27bbee7312a6fe17d94b5183122dda41f

SHA256
dcbb42ba4468e3a66e2c100aac84034fbbf9601c72717bf51a3cbc040ea867b4

SHA512
07a97e952b8705ed4104e09f4516df9f2fbcc43d7fe4f0610a8423eada4c8c5c36d97839521d1ad4955449421526a02195a3f4ecaec56eed4d242291a226c5ca

Download Submit
C:\Windows\{0DE6F90E-51C5-4afc-AE40-1E82BCC6C347}.exe

Filesize
216KB

MD5
79267d5112aa82bda85969a2830dfffb

SHA1
2ef25aff3597e1c5cf73a6310005619c8aafd02b

SHA256
1f9d76c6ea46cf2759ac9a00807da9593b6f8effff8b5aa49d70821ac8d7846d

SHA512
0375a7ecd7ed1eff2146c659c18b5b26c73a687ad480a7df58d0ded30d921aee8d906893b4f02b99617706ff8cb97536c96b52e803a41109c81819dc720e8d9c

Download Submit
C:\Windows\{10F0650B-0886-46cc-94D5-576ED6223DDA}.exe

Filesize
216KB

MD5
78022f8230ff7c1886b5c33f5e96ff2f

SHA1
c57f0acbb1575fd17d8e634f253516ddbc3b1269

SHA256
50d1c0c03cf62842a89961b14b0d5e40529f344256484e763486a3a6a223f2a1

SHA512
a658a2ab99feb470db545160ba45249aecd876e869666ddec93ee68178024117b2863a1040f94476c3af0141f5d87fdfd6827cfd0f6d1b66c06f15feef5eb6f6

Download Submit
C:\Windows\{68E591C2-9E64-4882-98D0-324313E81D0B}.exe

Filesize
216KB

MD5
6a940086cd2d644340e2bdc07e9bd166

SHA1
63f3eadaa3d6242e571d9169f7db0fde3f6cc810

SHA256
d788ac85dab1047777442336a0a54dc864110fab6b9fb1397b09b7223acbfc33

SHA512
7aaeea7e7293cff17f46f0ffeb8ab9ef8d3e254938bc4540339e0a5008d8f144c63944c04cd4a00c4b34eb4c68ed89e44a1c9fa08b083b3aa2bc252852260e62

Download Submit
C:\Windows\{6C629548-FEEF-43a8-9409-17E79734341A}.exe

Filesize
216KB

MD5
9afb65342cae6d54b3235fc31094106d

SHA1
5b6d5fe98937c4256501d976c305c8446f095377

SHA256
b2d4b6bb13236b49895f18d787ec4377ad5fd07dff2cce642fef12386e48ec0b

SHA512
416356b9a4d191080a35fb3066d79072049ab76f9796a1badd95bccd7bc35c11718906be745e42ba3f75681525f9abe3fd1b26a610b22729c0c53a8a937e89c7

Download Submit
C:\Windows\{6D245503-78AF-426b-A468-31F2A6440A52}.exe

Filesize
216KB

MD5
660a68e840de899a6d164a8580ea437e

SHA1
d63004317eae07f037f9029f17f307d91f226719

SHA256
7363113fc9464d0b2b29527fb4be9ee6f57eb9c55cc0c45e040abdb6367649c7

SHA512
84f4b4e455cb5b6ca096821d43a68cf91fa9b6489abbdb4f34878f7a2031524a2d7b199af11c07ecc583a07a7a2cb86052dbc40e3c8def011e65fe2bb97a5f82

Download Submit
C:\Windows\{C2DBD3DF-DD4A-46bd-AECF-06C9C7F571B3}.exe

Filesize
216KB

MD5
36d8135347514cdd403f44a9227d160d

SHA1
cf579cfef307a37fb279d2629e8a197b77134d5e

SHA256
63723c40f15c46cd278ce721dc4c64a62eb4d833a75309ace76189dfa2b42c20

SHA512
443911c02045f1cd5468c8e4510aa98f84ab73701ca0a29e154f271772ab1126a5338938b32774d759075253b2d158bad1c86690c814a4aab2db54d076242df3

Download Submit
C:\Windows\{E954C1AC-34F2-4dbd-BEAA-4CF2147682FD}.exe

Filesize
216KB

MD5
ce5f322d4e2d49bdae5b1b048a2c93bc

SHA1
4007f44641a7bd041e24b4c467c3f7a8d6beb615

SHA256
3fced6e306b3f2efa7d2c3f43eb6797c790992c406985649a60d862b7b7e5374

SHA512
c0034a579bb319ed467188a472c5793fd70746a965679b3b2940a8b3495ee355bde19bd03d437f8dbf0ae155dfdfbfcb7198239f4f705faf0cc8985f27f9233c

Download Submit
C:\Windows\{FD4688D8-EDAC-40d6-A4E8-C69C8C5EC103}.exe

Filesize
216KB

MD5
3bc6d3d7c65370413e305a983da80ab5

SHA1
bb05138cd1cfecd6cfb6051d306f716bf60f9054

SHA256
9e0195b12935f375815bbfc3100ea31d6ca59e0f3d3916faa739aaa18b4b65d4

SHA512
f066e63d97a10e5d6eaf771c4129f872cd2b90801568226926a6be70785078ff9f8bca94ffd3a310232dd1c45995fe4544285fc77b052164e919797d51d97578

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads