f2db4afc1aeddbe5d7c364df5bfedaeed038a4cf605de39eafb57bce5a10f69a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Size

180KB
MD5

4fe4e43b26805901cbc5c2379e901014
SHA1

196c3dd615d1206e001d93635415e4f57b6bdaa3
SHA256

f2db4afc1aeddbe5d7c364df5bfedaeed038a4cf605de39eafb57bce5a10f69a
SHA512

a0e079d44eef53a6da1c7cdf49a353291efd6c517a300c000e23bd9e8270a35a4e33d92a3f569022d21118d2522c83a7ffde6d68ede8a720b9dae3765bc65739
SSDEEP

3072:jEGh0o2lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001342e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000013adc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000013f2c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001342e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001342e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001342e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}\stubpath = "C:\\Windows\\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe"	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9755C5F9-864F-4387-8B11-1124E650DA16}\stubpath = "C:\\Windows\\{9755C5F9-864F-4387-8B11-1124E650DA16}.exe"	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D318B05-7823-4954-8091-FC706B173C7E}\stubpath = "C:\\Windows\\{1D318B05-7823-4954-8091-FC706B173C7E}.exe"	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47A986F-1059-4050-8A6B-1C76FE9305FF}	{1D318B05-7823-4954-8091-FC706B173C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47A986F-1059-4050-8A6B-1C76FE9305FF}\stubpath = "C:\\Windows\\{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe"	{1D318B05-7823-4954-8091-FC706B173C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}\stubpath = "C:\\Windows\\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe"	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9755C5F9-864F-4387-8B11-1124E650DA16}	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B809DBD3-06B4-4f97-8601-F50A65B7437A}\stubpath = "C:\\Windows\\{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe"	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{890CC31E-C556-4e79-8CD1-493BFC260AED}	{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF169CDC-9119-4139-A9BD-46858551E09A}\stubpath = "C:\\Windows\\{DF169CDC-9119-4139-A9BD-46858551E09A}.exe"	{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D318B05-7823-4954-8091-FC706B173C7E}	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B809DBD3-06B4-4f97-8601-F50A65B7437A}	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}\stubpath = "C:\\Windows\\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe"	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}\stubpath = "C:\\Windows\\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe"	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{890CC31E-C556-4e79-8CD1-493BFC260AED}\stubpath = "C:\\Windows\\{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe"	{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF169CDC-9119-4139-A9BD-46858551E09A}	{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}	{DF169CDC-9119-4139-A9BD-46858551E09A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}\stubpath = "C:\\Windows\\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}.exe"	{DF169CDC-9119-4139-A9BD-46858551E09A}.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe
2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
2804	{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
908	{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
2404	{DF169CDC-9119-4139-A9BD-46858551E09A}.exe
708	{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1D318B05-7823-4954-8091-FC706B173C7E}.exe	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
File created	C:\Windows\{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	{1D318B05-7823-4954-8091-FC706B173C7E}.exe
File created	C:\Windows\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
File created	C:\Windows\{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
File created	C:\Windows\{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
File created	C:\Windows\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
File created	C:\Windows\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
File created	C:\Windows\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
File created	C:\Windows\{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe	{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
File created	C:\Windows\{DF169CDC-9119-4139-A9BD-46858551E09A}.exe	{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
File created	C:\Windows\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}.exe	{DF169CDC-9119-4139-A9BD-46858551E09A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe
Token: SeIncBasePriorityPrivilege	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
Token: SeIncBasePriorityPrivilege	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
Token: SeIncBasePriorityPrivilege	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
Token: SeIncBasePriorityPrivilege	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
Token: SeIncBasePriorityPrivilege	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
Token: SeIncBasePriorityPrivilege	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
Token: SeIncBasePriorityPrivilege	2804	{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
Token: SeIncBasePriorityPrivilege	908	{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
Token: SeIncBasePriorityPrivilege	2404	{DF169CDC-9119-4139-A9BD-46858551E09A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2012	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	28
PID 2292 wrote to memory of 2012	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	28
PID 2292 wrote to memory of 2012	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	28
PID 2292 wrote to memory of 2012	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	28
PID 2292 wrote to memory of 2860	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	29
PID 2292 wrote to memory of 2860	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	29
PID 2292 wrote to memory of 2860	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	29
PID 2292 wrote to memory of 2860	2292	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	29
PID 2012 wrote to memory of 2680	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	30
PID 2012 wrote to memory of 2680	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	30
PID 2012 wrote to memory of 2680	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	30
PID 2012 wrote to memory of 2680	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	30
PID 2012 wrote to memory of 2612	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	31
PID 2012 wrote to memory of 2612	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	31
PID 2012 wrote to memory of 2612	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	31
PID 2012 wrote to memory of 2612	2012	{1D318B05-7823-4954-8091-FC706B173C7E}.exe	31
PID 2680 wrote to memory of 1728	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	32
PID 2680 wrote to memory of 1728	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	32
PID 2680 wrote to memory of 1728	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	32
PID 2680 wrote to memory of 1728	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	32
PID 2680 wrote to memory of 2948	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	33
PID 2680 wrote to memory of 2948	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	33
PID 2680 wrote to memory of 2948	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	33
PID 2680 wrote to memory of 2948	2680	{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe	33
PID 1728 wrote to memory of 2964	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	36
PID 1728 wrote to memory of 2964	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	36
PID 1728 wrote to memory of 2964	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	36
PID 1728 wrote to memory of 2964	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	36
PID 1728 wrote to memory of 2256	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	37
PID 1728 wrote to memory of 2256	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	37
PID 1728 wrote to memory of 2256	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	37
PID 1728 wrote to memory of 2256	1728	{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe	37
PID 2964 wrote to memory of 3048	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	38
PID 2964 wrote to memory of 3048	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	38
PID 2964 wrote to memory of 3048	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	38
PID 2964 wrote to memory of 3048	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	38
PID 2964 wrote to memory of 1744	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	39
PID 2964 wrote to memory of 1744	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	39
PID 2964 wrote to memory of 1744	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	39
PID 2964 wrote to memory of 1744	2964	{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe	39
PID 3048 wrote to memory of 2336	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	40
PID 3048 wrote to memory of 2336	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	40
PID 3048 wrote to memory of 2336	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	40
PID 3048 wrote to memory of 2336	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	40
PID 3048 wrote to memory of 2448	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	41
PID 3048 wrote to memory of 2448	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	41
PID 3048 wrote to memory of 2448	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	41
PID 3048 wrote to memory of 2448	3048	{9755C5F9-864F-4387-8B11-1124E650DA16}.exe	41
PID 2336 wrote to memory of 2712	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	42
PID 2336 wrote to memory of 2712	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	42
PID 2336 wrote to memory of 2712	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	42
PID 2336 wrote to memory of 2712	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	42
PID 2336 wrote to memory of 1568	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	43
PID 2336 wrote to memory of 1568	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	43
PID 2336 wrote to memory of 1568	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	43
PID 2336 wrote to memory of 1568	2336	{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe	43
PID 2712 wrote to memory of 2804	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	44
PID 2712 wrote to memory of 2804	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	44
PID 2712 wrote to memory of 2804	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	44
PID 2712 wrote to memory of 2804	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	44
PID 2712 wrote to memory of 1444	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	45
PID 2712 wrote to memory of 1444	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	45
PID 2712 wrote to memory of 1444	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	45
PID 2712 wrote to memory of 1444	2712	{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{1D318B05-7823-4954-8091-FC706B173C7E}.exe
  C:\Windows\{1D318B05-7823-4954-8091-FC706B173C7E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
    C:\Windows\{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
      C:\Windows\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
        
        C:\Windows\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
        
        C:\Windows\{9755C5F9-864F-4387-8B11-1124E650DA16}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
        
        C:\Windows\{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
        
        C:\Windows\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
        
        C:\Windows\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
        
        C:\Windows\{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\{DF169CDC-9119-4139-A9BD-46858551E09A}.exe
        
        C:\Windows\{DF169CDC-9119-4139-A9BD-46858551E09A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}.exe
        
        C:\Windows\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}.exe
        12⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF169~1.EXE > nul
        12⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{890CC~1.EXE > nul
        11⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E511~1.EXE > nul
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5569A~1.EXE > nul
        9⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B809D~1.EXE > nul
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9755C~1.EXE > nul
        7⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECA60~1.EXE > nul
        6⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36F88~1.EXE > nul
        5⤵
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A47A9~1.EXE > nul
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1D318~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D318B05-7823-4954-8091-FC706B173C7E}.exe

Filesize
180KB

MD5
46d6e23b57749ed0b35e6a41e9f7b1e6

SHA1
ba7c8e0a2144bf37a93efebff662e655df0fdaf5

SHA256
f06a8618e399281c28faa6140ba38a8dfba83fce4445f9cac5783510f3e7c104

SHA512
4ac19514228c7ee7f0d63de1b4e2017e433a01117aaead4f998595ddf21c9cbd722c3c678402c7a43dfef9a9929e63ee190c7e5bab3a0ad3d97a178ef6339b32

Download Submit
C:\Windows\{2E511AD3-3CFC-46e1-B3C2-39250AE271A1}.exe

Filesize
180KB

MD5
b605afbffa284310b5d0566b79e46b66

SHA1
3c7980d766c644a90ea457084af754a9577ee029

SHA256
05db405bdf4a845479378f624f7c52ec05766c7551de4130a73bef32239982c7

SHA512
f893b4abbf91f14af424590bc8ecefe9805622244880f29717746e0b34ebd3392d6c53eb36169755edd13decef793c6065103d2f1274ed058777c2af0d7543c6

Download Submit
C:\Windows\{36F88F7E-F9BB-481c-99F0-FBFAF9C60BDE}.exe

Filesize
180KB

MD5
bf58482f34b79d17e5514274f3813151

SHA1
c85ba718df888324f966ab15f8d3159baccbb1e0

SHA256
9f8bc09786e3c010fee511aec644d5464d5153386d97e54d0a579b366d557b5d

SHA512
9b1289f397cb5140f611c97a4d563711fa926657a90c350ca09aa6efa8eac4ab2dbf82b5a56ad4e977f1f41bc0c93f27b643be3dc7244569af14284b189dd87c

Download Submit
C:\Windows\{5569AC38-9D3F-4f0b-95AF-5613B270AF68}.exe

Filesize
180KB

MD5
18c196bf02c31301d201410c9252f533

SHA1
51bed4fed3950aba20a535164a1444bb332e6a6e

SHA256
c9b5713aa34aec312994987d40d8c934997b957279bff583e973c4aba456239b

SHA512
e1938677793f1d61045614ff0dd21e4e391435fba73def1a3bdd6de97b9dc4a090c24762b29c789eede8471bbc77bf44576dccfde9e10d1b2d562fe07b80d331

Download Submit
C:\Windows\{890CC31E-C556-4e79-8CD1-493BFC260AED}.exe

Filesize
180KB

MD5
526c45af20fe2186507d3ca9b2ee3f21

SHA1
8eae5ea2709332e33afe8e750db726dde2ce563b

SHA256
0973cf039375b0ea2ebd7d81ca7b2954f867bd9737ab93c41081cb3b1222680f

SHA512
0b4d16d251fa5e955cce58b4d22bceac82dc594c6f35e220d62296c4a18d664c0a331cee82108481825e9757aa930036ca8d2e9f0caf97a530ceb42120630fbd

Download Submit
C:\Windows\{9755C5F9-864F-4387-8B11-1124E650DA16}.exe

Filesize
180KB

MD5
bcdf1c9d4bb3baa36bc667d3fd13bc77

SHA1
70275f457989f0ac68e41c03d6f07b121a7bb2cc

SHA256
b9ac4dee9b1570acff2d401b916527b7ca7ee881233aae2e18f9afacc5534d2d

SHA512
bcce95350be8861b901ca3967ceaeaf40a03b6348dd40435e87beb909ed4f673fd63b78e859c905c11a67262d9b03073f74e3f3e0c7e2d086d95e4d7bcc8cd88

Download Submit
C:\Windows\{9EFBC2EA-42DC-47a0-8A20-62BF644D8E3F}.exe

Filesize
180KB

MD5
3eb0d2cfb2876604384295479b368675

SHA1
ca4ce399abf580e398dc0b00f952a64a4d8f3f52

SHA256
fa9d1ca2e7e5be2e856708d5998bfc17d7807c42ad6a82ebda2cda77ad6cadc1

SHA512
b4ce02f6179ac32c593423d7f658794ca5b9ddc6e06cb9945b73d4d9a65ab34a534b1bc915e7b368896e403107cebd24963492ae1fc08f823e116476083a9468

Download Submit
C:\Windows\{A47A986F-1059-4050-8A6B-1C76FE9305FF}.exe

Filesize
180KB

MD5
c856673aebbb5b776770c5503864734b

SHA1
921d417659d31d10f0fd6f2ae7c6ac2b2a229cbf

SHA256
6e18f264303008359667523f57377247138efed44a1890aa904a901d936192a8

SHA512
9f0c5e88f385276132dd10d51ca0794face5261d18c29458db9225a7f090db11a9e9e5f9a17d88e42624c190afe442958e1acb113fbff624580e6cec9bc3fd90

Download Submit
C:\Windows\{B809DBD3-06B4-4f97-8601-F50A65B7437A}.exe

Filesize
180KB

MD5
c082d198b6b7d1025482e59e2878d70a

SHA1
52e54a9980e1ac23d512f8b474bd681cd941ed02

SHA256
86945bdb9c231ff6554a22573a410d487cc4471e60287b61b76b628802b9a8b9

SHA512
7cfaf0e28a6b38331b90566ae24ec95f87be4c8755e153e47e5312e3f5936a424764f015f9f1db0dbcbb99409193f21f58054b6810da86f94d801daaf060836d

Download Submit
C:\Windows\{DF169CDC-9119-4139-A9BD-46858551E09A}.exe

Filesize
180KB

MD5
93d49a085837803ebdfe3e9a722f483f

SHA1
22ac23b34ab10adff1616ded4128514c4f0ce027

SHA256
b2977d6881fc47b0b1923177f6bfe9976a6103181e76376ad4e11f216e9d73fb

SHA512
1e168e8a2e4d54ad909e1ee18752922a298211d0fd8e290b45f3cb907236eca71ce0d30b0d534d41bc8e4e0bdb174cc32e3bbdcac963523a969e7163a1366084

Download Submit
C:\Windows\{ECA60504-8060-45bd-A8FF-E5EAC12805CD}.exe

Filesize
180KB

MD5
5837940874e58a282605e4b63b9f8737

SHA1
754716b78b304498f9cd54a1aa0ca54e67e56cd9

SHA256
71ea755b2a0a5a97c83e6cd0db2e6de1a31ea89a834ff9462b514e46e2a3f29b

SHA512
6c06424152850b0671afb9de677b8d95a9bc72fea057d4303d6a173e7b37a73504ffe44411f4642ac5cdecff97dfa0c1ab27e1d0cd40aa8958b731bcc8b0b87c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads