ecfccf545f574733c04f788aa57049e668a467009883e0372fd9b2f26dd5ab44

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Size

408KB
MD5

f2677c40a21645d311ddcd32d5597dce
SHA1

6c754ddf9e76a67de96448b07840f426458ac15a
SHA256

ecfccf545f574733c04f788aa57049e668a467009883e0372fd9b2f26dd5ab44
SHA512

3720922d92546212163f9df8ac0f836583b352bd0a196dd5e30b21269ca81c831af1541103ad52476225da4c6b2a5893f9653ee6c798c0b1cabfaaa1c9291b16
SSDEEP

3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b309-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015cb5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b309-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001b000000015d71-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b309-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000b309-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000b309-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7309B6F2-F161-489c-8800-06C5821D4A01}	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7309B6F2-F161-489c-8800-06C5821D4A01}\stubpath = "C:\\Windows\\{7309B6F2-F161-489c-8800-06C5821D4A01}.exe"	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35131103-B7BB-4a0e-B831-0397F0B428BA}	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}\stubpath = "C:\\Windows\\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe"	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}\stubpath = "C:\\Windows\\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe"	{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}\stubpath = "C:\\Windows\\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe"	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}\stubpath = "C:\\Windows\\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe"	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FE8C05C-68A8-40d9-92B6-D56282767057}	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}\stubpath = "C:\\Windows\\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe"	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}	{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}	{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}\stubpath = "C:\\Windows\\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe"	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FE8C05C-68A8-40d9-92B6-D56282767057}\stubpath = "C:\\Windows\\{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe"	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35131103-B7BB-4a0e-B831-0397F0B428BA}\stubpath = "C:\\Windows\\{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe"	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}\stubpath = "C:\\Windows\\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe"	{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}	{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}\stubpath = "C:\\Windows\\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}.exe"	{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe

Deletes itself 1 IoCs

pid	Process
2432	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
1412	{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
2144	{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
1604	{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe
1500	{FF19E008-10F2-4301-AEA1-4A40DC7317FE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
File created	C:\Windows\{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
File created	C:\Windows\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
File created	C:\Windows\{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
File created	C:\Windows\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe	{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
File created	C:\Windows\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe	{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
File created	C:\Windows\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
File created	C:\Windows\{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
File created	C:\Windows\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
File created	C:\Windows\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
File created	C:\Windows\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}.exe	{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
Token: SeIncBasePriorityPrivilege	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
Token: SeIncBasePriorityPrivilege	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
Token: SeIncBasePriorityPrivilege	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
Token: SeIncBasePriorityPrivilege	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
Token: SeIncBasePriorityPrivilege	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
Token: SeIncBasePriorityPrivilege	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
Token: SeIncBasePriorityPrivilege	1412	{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
Token: SeIncBasePriorityPrivilege	2144	{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
Token: SeIncBasePriorityPrivilege	1604	{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2984	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	28
PID 3056 wrote to memory of 2984	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	28
PID 3056 wrote to memory of 2984	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	28
PID 3056 wrote to memory of 2984	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	28
PID 3056 wrote to memory of 2432	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	29
PID 3056 wrote to memory of 2432	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	29
PID 3056 wrote to memory of 2432	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	29
PID 3056 wrote to memory of 2432	3056	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	29
PID 2984 wrote to memory of 3004	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	30
PID 2984 wrote to memory of 3004	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	30
PID 2984 wrote to memory of 3004	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	30
PID 2984 wrote to memory of 3004	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	30
PID 2984 wrote to memory of 2696	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	31
PID 2984 wrote to memory of 2696	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	31
PID 2984 wrote to memory of 2696	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	31
PID 2984 wrote to memory of 2696	2984	{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe	31
PID 3004 wrote to memory of 2108	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	32
PID 3004 wrote to memory of 2108	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	32
PID 3004 wrote to memory of 2108	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	32
PID 3004 wrote to memory of 2108	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	32
PID 3004 wrote to memory of 2672	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	33
PID 3004 wrote to memory of 2672	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	33
PID 3004 wrote to memory of 2672	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	33
PID 3004 wrote to memory of 2672	3004	{7309B6F2-F161-489c-8800-06C5821D4A01}.exe	33
PID 2108 wrote to memory of 2448	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	36
PID 2108 wrote to memory of 2448	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	36
PID 2108 wrote to memory of 2448	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	36
PID 2108 wrote to memory of 2448	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	36
PID 2108 wrote to memory of 1612	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	37
PID 2108 wrote to memory of 1612	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	37
PID 2108 wrote to memory of 1612	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	37
PID 2108 wrote to memory of 1612	2108	{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe	37
PID 2448 wrote to memory of 2096	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	38
PID 2448 wrote to memory of 2096	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	38
PID 2448 wrote to memory of 2096	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	38
PID 2448 wrote to memory of 2096	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	38
PID 2448 wrote to memory of 2148	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	39
PID 2448 wrote to memory of 2148	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	39
PID 2448 wrote to memory of 2148	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	39
PID 2448 wrote to memory of 2148	2448	{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe	39
PID 2096 wrote to memory of 1952	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	40
PID 2096 wrote to memory of 1952	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	40
PID 2096 wrote to memory of 1952	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	40
PID 2096 wrote to memory of 1952	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	40
PID 2096 wrote to memory of 1872	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	41
PID 2096 wrote to memory of 1872	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	41
PID 2096 wrote to memory of 1872	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	41
PID 2096 wrote to memory of 1872	2096	{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe	41
PID 1952 wrote to memory of 948	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	42
PID 1952 wrote to memory of 948	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	42
PID 1952 wrote to memory of 948	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	42
PID 1952 wrote to memory of 948	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	42
PID 1952 wrote to memory of 2772	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	43
PID 1952 wrote to memory of 2772	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	43
PID 1952 wrote to memory of 2772	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	43
PID 1952 wrote to memory of 2772	1952	{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe	43
PID 948 wrote to memory of 1412	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	44
PID 948 wrote to memory of 1412	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	44
PID 948 wrote to memory of 1412	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	44
PID 948 wrote to memory of 1412	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	44
PID 948 wrote to memory of 960	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	45
PID 948 wrote to memory of 960	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	45
PID 948 wrote to memory of 960	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	45
PID 948 wrote to memory of 960	948	{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
  C:\Windows\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
    C:\Windows\{7309B6F2-F161-489c-8800-06C5821D4A01}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
      C:\Windows\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
        
        C:\Windows\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
        
        C:\Windows\{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
        
        C:\Windows\{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
        
        C:\Windows\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
        
        C:\Windows\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
        
        C:\Windows\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe
        
        C:\Windows\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}.exe
        
        C:\Windows\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A62EC~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F03C~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0C3A~1.EXE > nul
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA8AC~1.EXE > nul
        9⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35131~1.EXE > nul
        8⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE8C~1.EXE > nul
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9CA6~1.EXE > nul
        6⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A820~1.EXE > nul
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7309B~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B65A~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F03CE08-B422-4d75-9BB2-C6A2FC592DA0}.exe

Filesize
408KB

MD5
3e4e9d5f74146710feecd561192e092d

SHA1
3c503d1a555b522ac527e8fd501cc34bba72dad1

SHA256
6edd721c3d884e652554199d8d2ce3dec75444aec860ca840565535dce75c100

SHA512
1dca14c3b067c88bc04242ade6eb63fa798038226bc0fbf27ff209734d3f9f6566916995acc7cbd065e4806d6229edc0325ce61e63578634f9c63a2e1bf4db9f

Download Submit
C:\Windows\{1FE8C05C-68A8-40d9-92B6-D56282767057}.exe

Filesize
408KB

MD5
e872e32af7e7a70773abdc052648bf8b

SHA1
3ca9c7a2141722fecb8527135176276469fd9879

SHA256
52b680bfd7bdb3495ffb27b85f73a1279f0136a1ef51661f7bb90ee5b4a86ca7

SHA512
84399c571f231870053d81c8e10e92165b292c9b7a9a9e04ccce6bb7e695878ec11223fec5ebaac15a64907cebd00927ea5c6e89c8ea42df3e45ab97380e0598

Download Submit
C:\Windows\{35131103-B7BB-4a0e-B831-0397F0B428BA}.exe

Filesize
408KB

MD5
49076eb520034f001e60dfaa290b1c81

SHA1
f1a39f2f83d32428e390474ed8153e82074ed954

SHA256
cddd212c312c1fe08eddf5ae41f8379b3b2d11d62561ba2de46cc59b1541d661

SHA512
296da064d5f137e34b39e190b0c23a3c8c951a23b0b7cc500813180e6fe4f60f1fc81a013233294ef8e624fbd38182c307a2bbf5658b243bad8224e0149459dd

Download Submit
C:\Windows\{3B65A6D6-7280-457a-8ED4-B7292A83A6E1}.exe

Filesize
408KB

MD5
1af368fbbd7ebd690bca4c7d0e081b11

SHA1
f2ff7382da66e983d3f74b4791b53a36439f27aa

SHA256
32b0486b6c59afc7b3be8c6c4e4ba166aa112958a30c8838e92621712be85974

SHA512
94458a9c97743f4e2936c5247174d51c5f4763d3ef41c1ebbc3fb8055d91efdae41f1413dfb473edec9eabdda1eb957dba4974c60aeced2a00f23bee9cc52ee9

Download Submit
C:\Windows\{6A8200B6-912A-4013-9A5D-9951D93ED1B2}.exe

Filesize
408KB

MD5
19ff88fc301b89d0d4b29c8cf3efc155

SHA1
7f6befc5bd0a601952765bc718c9539fcbe98fa7

SHA256
990e551330072c94d208d42c15a570aa2d176bcec2e0f7d778c2ed0284a36b52

SHA512
10ad8b51117d8ab87b0617cf79f7c68a34133fc2f1b2ef8b4ac693fac8fbf96da62127b00ba22ecede053761827275cbe16557fb776194482e19ad120a8349cf

Download Submit
C:\Windows\{7309B6F2-F161-489c-8800-06C5821D4A01}.exe

Filesize
408KB

MD5
fe1b48014f0d523dea60da1786cf2c2b

SHA1
c6716cf43f31e792ed018c36894bf77b059156da

SHA256
b6ec0493ebcb1f387d0a033524bef45edee022eb01cbe306c2388846ccff1240

SHA512
9b5a20bc4666c4c23525314f52384c7f1931d3925e012f7a81b8c4315de7a0b31d6bef77001c05177a98c08467177fde4452e20a69403450f2657435437e347f

Download Submit
C:\Windows\{A0C3AD49-6AF5-4bd4-BC84-663D76FE2CFB}.exe

Filesize
408KB

MD5
82cf2bb36c29062a9ef47d855fa1f37a

SHA1
bb809c616557f09ef61553e77b9ffa4241e1eada

SHA256
9bbb30186940111ecc6c691469d362f87b1a7fd61ec100054511ee4cfb427288

SHA512
7df9955cd65d677c05485cb0ab74bbcf88b8e7c7d8bef85e0054bbc7877d09db97d98c54865ca02d2f23b4605c0534a2437482eb360942b8840cc2255af15ad1

Download Submit
C:\Windows\{A62EC1AD-2C8C-4105-B667-F0F9CF12BCDC}.exe

Filesize
408KB

MD5
fa78e763432d569cc642d9134a0bc521

SHA1
04b579e08dc056bce400b6a83380e5f464af7f45

SHA256
21556fe081a52dc9f04f660b3f5ea868e96895da393bcce4f46863b97a486ad1

SHA512
9c754158fb6ac4697c5440ed468cb9b7544c346022bb17973851c3ea2d20a0685c4486e6ae4bb75150c585872480172363c6dfddc9ac28ed7c26e973bba81e68

Download Submit
C:\Windows\{B9CA62A5-6581-4049-A0EA-989A5CA2DE2B}.exe

Filesize
408KB

MD5
3c871175e1d81e3f972b3317d61e8d7a

SHA1
59187e033360fb4dd353bddc9985a393414a22b5

SHA256
67a37dd5aca76a8d7434752c05203935a256c5370c4581fc889ed49f63301474

SHA512
efad5ea4229b973dfa53bc27a7b972627c7745dff9908c80c548b391157892059aba7be9c80208b492a41ab17e4ca51f84a19a073824b1e99968813a8713a853

Download Submit
C:\Windows\{FA8AC161-2535-4f3b-B4CA-4AB89C24F96B}.exe

Filesize
408KB

MD5
4a2b5957695b71e8a77e5ccd5328c297

SHA1
17c7e948be76486c968b0e598171f7a0d0a20100

SHA256
19cc05a51d030e11c7bd94ffdddc8da4f7b67000f7d4a4ec6521532d75349ba0

SHA512
746a20fb4d5582ec68fd162036793f062739488a87462da82ce1dfcfe0c746ed63151e66f2254dbd74d2c0f7f6bb115d5159306a2eec5859570cec173479827b

Download Submit
C:\Windows\{FF19E008-10F2-4301-AEA1-4A40DC7317FE}.exe

Filesize
408KB

MD5
7df591019b5226dc5194ea9adf9a743f

SHA1
bbe5a4e578997a7417fad7d9571e0c5e100b783c

SHA256
96df55a00d64a73a56f97576019183220680a7ef39e4570d05ecf104725544b5

SHA512
e8d6ce8c993f7a6aa18068bbbfcd4ee94796e48ec26c26d949ca65cc3b2efdbd3b8fa13b9db0fad725ceea6d63d799bbdba48f1dc29a1849b553ebb8498cc1eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads