8536ee0896650800994d166b6fe4c517c650ee05262fad18e42bbae57d38865e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Size

372KB
MD5

e130a98aff45ca1d5e5faae0dc6babb7
SHA1

9af2004dba73c082c9907c4e67a6629120a0a5e1
SHA256

8536ee0896650800994d166b6fe4c517c650ee05262fad18e42bbae57d38865e
SHA512

8766c9a0f10a14a1ab3d737bf832db872dc3a032d9ff94a5bfae3c1cee05146a3ed918cf2306c0ce4f8effba8bbf21450692341d9fd104bc6d8172652e95ede7
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGglkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ee-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015d02-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122ee-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015d13-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ee-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122ee-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122ee-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}\stubpath = "C:\\Windows\\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe"	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D167265-CCCD-40bd-BA67-6898A04F68B8}	{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D167265-CCCD-40bd-BA67-6898A04F68B8}\stubpath = "C:\\Windows\\{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe"	{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}\stubpath = "C:\\Windows\\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe"	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}\stubpath = "C:\\Windows\\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe"	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62FE983-3C52-4850-AFC6-9746A9B00B86}\stubpath = "C:\\Windows\\{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe"	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14477338-1600-42e0-9714-0407ABEBA417}\stubpath = "C:\\Windows\\{14477338-1600-42e0-9714-0407ABEBA417}.exe"	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}\stubpath = "C:\\Windows\\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe"	{14477338-1600-42e0-9714-0407ABEBA417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}\stubpath = "C:\\Windows\\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe"	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186C8587-932B-4988-ACF8-D45DF87AC89F}	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}	{14477338-1600-42e0-9714-0407ABEBA417}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62FE983-3C52-4850-AFC6-9746A9B00B86}	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}\stubpath = "C:\\Windows\\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}.exe"	{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}	{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14477338-1600-42e0-9714-0407ABEBA417}	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186C8587-932B-4988-ACF8-D45DF87AC89F}\stubpath = "C:\\Windows\\{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe"	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}	{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}\stubpath = "C:\\Windows\\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe"	{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe

Deletes itself 1 IoCs

pid	Process
1300	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe
2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe
552	{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
2280	{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe
2952	{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe
1500	{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	{14477338-1600-42e0-9714-0407ABEBA417}.exe
File created	C:\Windows\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
File created	C:\Windows\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe	{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe
File created	C:\Windows\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}.exe	{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe
File created	C:\Windows\{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe	{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
File created	C:\Windows\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
File created	C:\Windows\{14477338-1600-42e0-9714-0407ABEBA417}.exe	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
File created	C:\Windows\{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
File created	C:\Windows\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
File created	C:\Windows\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
File created	C:\Windows\{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
Token: SeIncBasePriorityPrivilege	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe
Token: SeIncBasePriorityPrivilege	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
Token: SeIncBasePriorityPrivilege	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
Token: SeIncBasePriorityPrivilege	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
Token: SeIncBasePriorityPrivilege	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
Token: SeIncBasePriorityPrivilege	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe
Token: SeIncBasePriorityPrivilege	552	{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
Token: SeIncBasePriorityPrivilege	2280	{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe
Token: SeIncBasePriorityPrivilege	2952	{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2096	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	28
PID 2180 wrote to memory of 2096	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	28
PID 2180 wrote to memory of 2096	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	28
PID 2180 wrote to memory of 2096	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	28
PID 2180 wrote to memory of 1300	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	29
PID 2180 wrote to memory of 1300	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	29
PID 2180 wrote to memory of 1300	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	29
PID 2180 wrote to memory of 1300	2180	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	29
PID 2096 wrote to memory of 2692	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	30
PID 2096 wrote to memory of 2692	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	30
PID 2096 wrote to memory of 2692	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	30
PID 2096 wrote to memory of 2692	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	30
PID 2096 wrote to memory of 2672	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	31
PID 2096 wrote to memory of 2672	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	31
PID 2096 wrote to memory of 2672	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	31
PID 2096 wrote to memory of 2672	2096	{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe	31
PID 2692 wrote to memory of 2832	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	32
PID 2692 wrote to memory of 2832	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	32
PID 2692 wrote to memory of 2832	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	32
PID 2692 wrote to memory of 2832	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	32
PID 2692 wrote to memory of 2300	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	33
PID 2692 wrote to memory of 2300	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	33
PID 2692 wrote to memory of 2300	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	33
PID 2692 wrote to memory of 2300	2692	{14477338-1600-42e0-9714-0407ABEBA417}.exe	33
PID 2832 wrote to memory of 2284	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	36
PID 2832 wrote to memory of 2284	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	36
PID 2832 wrote to memory of 2284	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	36
PID 2832 wrote to memory of 2284	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	36
PID 2832 wrote to memory of 1948	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	37
PID 2832 wrote to memory of 1948	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	37
PID 2832 wrote to memory of 1948	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	37
PID 2832 wrote to memory of 1948	2832	{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe	37
PID 2284 wrote to memory of 2904	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	38
PID 2284 wrote to memory of 2904	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	38
PID 2284 wrote to memory of 2904	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	38
PID 2284 wrote to memory of 2904	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	38
PID 2284 wrote to memory of 3036	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	39
PID 2284 wrote to memory of 3036	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	39
PID 2284 wrote to memory of 3036	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	39
PID 2284 wrote to memory of 3036	2284	{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe	39
PID 2904 wrote to memory of 316	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	40
PID 2904 wrote to memory of 316	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	40
PID 2904 wrote to memory of 316	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	40
PID 2904 wrote to memory of 316	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	40
PID 2904 wrote to memory of 1828	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	41
PID 2904 wrote to memory of 1828	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	41
PID 2904 wrote to memory of 1828	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	41
PID 2904 wrote to memory of 1828	2904	{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe	41
PID 316 wrote to memory of 2424	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	42
PID 316 wrote to memory of 2424	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	42
PID 316 wrote to memory of 2424	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	42
PID 316 wrote to memory of 2424	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	42
PID 316 wrote to memory of 1452	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	43
PID 316 wrote to memory of 1452	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	43
PID 316 wrote to memory of 1452	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	43
PID 316 wrote to memory of 1452	316	{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe	43
PID 2424 wrote to memory of 552	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	44
PID 2424 wrote to memory of 552	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	44
PID 2424 wrote to memory of 552	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	44
PID 2424 wrote to memory of 552	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	44
PID 2424 wrote to memory of 1204	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	45
PID 2424 wrote to memory of 1204	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	45
PID 2424 wrote to memory of 1204	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	45
PID 2424 wrote to memory of 1204	2424	{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
  C:\Windows\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\{14477338-1600-42e0-9714-0407ABEBA417}.exe
    C:\Windows\{14477338-1600-42e0-9714-0407ABEBA417}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
      C:\Windows\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
        
        C:\Windows\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
        
        C:\Windows\{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
        
        C:\Windows\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe
        
        C:\Windows\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
        
        C:\Windows\{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe
        
        C:\Windows\{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe
        
        C:\Windows\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}.exe
        
        C:\Windows\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DEE9~1.EXE > nul
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D167~1.EXE > nul
        11⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{186C8~1.EXE > nul
        10⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C09C1~1.EXE > nul
        9⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF739~1.EXE > nul
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A62FE~1.EXE > nul
        7⤵
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D76B1~1.EXE > nul
        6⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DBEA~1.EXE > nul
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14477~1.EXE > nul
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F317F~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14477338-1600-42e0-9714-0407ABEBA417}.exe

Filesize
372KB

MD5
2f1b1fd5a2eaf7080dfb073a6f5c9c00

SHA1
c1cff0f3edfd970e26c34446ab0974b435355cca

SHA256
130209755ad65cf5d82a4aa9c566df3da6478ddf5ca441505674108521fa8a4b

SHA512
bec1a99d24b4fd938dea49039384ddda9a2023fba02933fb448a9ef8ded0c7550a16547f5ca92c42d5b33c0b1a1ed73f3b7786cd04f725c364325598020f7338

Download Submit
C:\Windows\{186C8587-932B-4988-ACF8-D45DF87AC89F}.exe

Filesize
372KB

MD5
6575cef74c4b0c18e88d5015700c4444

SHA1
34c97b3fa5f19ac001446b6d90814b6b3e99e807

SHA256
e49ee51954e7d1f4dbdae62f7f4ffb209653da31ee65f6a9a3583604f44c9c5e

SHA512
3e1f2874d6e892cf6d7bccfd76177e120610badf01aeb078686c76243863f882197c107dab365be4a45cc5874f41f2fca0764f80ba8432e0a736e81aa82b46ec

Download Submit
C:\Windows\{3D167265-CCCD-40bd-BA67-6898A04F68B8}.exe

Filesize
372KB

MD5
4dafeed5ffe85072c452ce9ea1485eae

SHA1
cfea1c4c11b752596694d603f9aef9a27e1ebf03

SHA256
48716b247f0fcc02bd1678a1b0fab0ffe0d02ffefe85961a602a93b88b2a9728

SHA512
a169d57aec55d5ad80e7e6bc4fadc93e422ea434a099c25a8b53e507a818b25cc291135299ed7934d6f192f63cacee63fee0dc1f7599d482aa5f28f58574eaca

Download Submit
C:\Windows\{3DEE95A0-9329-43d2-9C77-A8AD5BC752A4}.exe

Filesize
372KB

MD5
b45eb32bd6d2590c50eb81d5177fe1e2

SHA1
385e39567719a019dbf9571414183b9a73fc7cb4

SHA256
843edb76340eab9244cb63f81aadb7b3285a60b1828bc49814de9c8e8a0339df

SHA512
8a06a8657ddd626c802f07e2af0c0f0b0ddb121e9cd2e3d176a4e87edae1a3c79613445227daee05c0d0ec95a9023d9584c481cdcffbbaf65ae1494b2cf9b761

Download Submit
C:\Windows\{7DBEACF5-3D2E-4592-B8F0-E1337926BBBE}.exe

Filesize
372KB

MD5
ec5f18940eafda43cdef317c264f2322

SHA1
34870bab2653f14389a21dd622fa326d52c5056f

SHA256
dd2b5504af62ff66fc9bf227f6e799c7e5f9faa23325db78674d82b53c2ebc19

SHA512
65ba4f3e043935a8506366a6cdc3f29f2f6d3e9c4c89808b6837ee88ae14a32bf152333f7c59cb5f865a04d6359868e20b011d7a50c9fbe81fea06cc26c6bb74

Download Submit
C:\Windows\{8F62FF09-736C-495f-B6E1-EB0BDAEA4E8F}.exe

Filesize
372KB

MD5
693f29196e2e6bac29ebb2d81da2a89b

SHA1
471c4668c54fe187cfeca52a4f9dbe8b706f8273

SHA256
b3a55aa5f40ce64cf4fd8cc588dd8a7e66be46711fa2505fc4b2e569a1fbd990

SHA512
d17f9c252f48099db5972fdb8cecf2fffb49ce64830ac90cf56a5d5eced5ec4b2c84d2e9de16c96232968dc5ad8fe445c05e7b4e4898658d5da998cd265530c3

Download Submit
C:\Windows\{A62FE983-3C52-4850-AFC6-9746A9B00B86}.exe

Filesize
372KB

MD5
06a0f1cb21d12dbc1472440a021b6ca4

SHA1
c43b73be9722ecc6d17621b26610cadec82d728e

SHA256
5fcd3c047f37889abd28d93e8e5149295cfc523b4a990dd8e07cc55fbfb0eb98

SHA512
326b60a6f88a1499745b03f0addefbdac813e15b7c5e9323f46c86c5f7af564ca54e236b7da6ca9de678f9decd54d364b956e0421871a273ceee7b480d2b4061

Download Submit
C:\Windows\{C09C1D3A-4CA4-4e79-BA5B-4F23C20F2FAD}.exe

Filesize
372KB

MD5
083d146fcf90cf63e21c3512bfa5199d

SHA1
3e0b6f3d54ee39eb374ca25f000bbc5e4b307b4d

SHA256
ae7c8ec40a366c9eda059ecffaf14a6cce4db8dcc12c16cefb6be1e47e17231f

SHA512
ea7c34dbd613985e2b371cd6db19f17ff2fc1c34063c4dbd45ef022e1d4548c651fd4c747f28a499b481b89effa736882affd57811d4ca6d73809d0d9b031c59

Download Submit
C:\Windows\{D76B1A60-F35F-45a8-8F8C-F22E9E6B50B4}.exe

Filesize
372KB

MD5
2b44d261f753aac81cceecf4dcb456a0

SHA1
81d62ce6bac8bfd59df5ff2b5917758466534cde

SHA256
1a3e16d2d896dfef7e381fe6c19dba5fdba932ae2b83e392c0c8d60ea74ad4c9

SHA512
a97cbddd65f001a89e6caa7406acbb383379487fcf878ed30d837770ae5f7103495a6b8137d422e06cc003a591b1068163fb5c138aa7ca325615fd35a387f45a

Download Submit
C:\Windows\{EF739D32-0A4B-4ca3-AA60-781F6F7AD22B}.exe

Filesize
372KB

MD5
12fa21d6181dd59cc93131a8a8bfd387

SHA1
548846024a90f5368a65f20ff20bc1bb9e01979f

SHA256
9dce9976f97efa41d343ae45ce86a028b8989ef4f461eda7c76bded8bdd81b52

SHA512
87b2e73b3851281a00584623f4724b0e3c2f27de935cda2cb101bc2a2e48a5fdbc1efadc383e3c35aeefd815822f6bbb92a61d22422109b7123669a1661ef137

Download Submit
C:\Windows\{F317FA8C-3AC0-43a7-BE6C-A3A0D3A2992B}.exe

Filesize
372KB

MD5
358ff9d5a5b97999157ed212740a07a8

SHA1
e7363899d8b1fc7b8538c45837c23c668f4d985f

SHA256
f534d653e5f33b7cbef728146c202a60a75dd37bc6837ca75a75b807d97d7459

SHA512
1eeeb1ceabf1674085d1e2d274673995bc26dd17b34a8fa9c0cdde4c1c8535e94a1bc7464f17cd76dbc6e87f55635c8953904fbc877c61ee0fd3ca030ef77417

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads