ecfccf545f574733c04f788aa57049e668a467009883e0372fd9b2f26dd5ab44

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Size

408KB
MD5

f2677c40a21645d311ddcd32d5597dce
SHA1

6c754ddf9e76a67de96448b07840f426458ac15a
SHA256

ecfccf545f574733c04f788aa57049e668a467009883e0372fd9b2f26dd5ab44
SHA512

3720922d92546212163f9df8ac0f836583b352bd0a196dd5e30b21269ca81c831af1541103ad52476225da4c6b2a5893f9653ee6c798c0b1cabfaaa1c9291b16
SSDEEP

3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023403-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023404-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023408-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002340b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023411-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023411-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023411-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023411-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA80C769-6225-44a8-9208-D0197C9515F7}	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}	{68AA015B-B415-42ef-991D-CD5897080253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C84BC25-41FF-4950-BF4D-7D64008947B1}\stubpath = "C:\\Windows\\{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe"	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28AE1FE9-3D88-416d-9AE1-66806428DA17}\stubpath = "C:\\Windows\\{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe"	{1495859F-488D-4cce-9766-4FDD87C80382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}\stubpath = "C:\\Windows\\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe"	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}\stubpath = "C:\\Windows\\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe"	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68AA015B-B415-42ef-991D-CD5897080253}	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}\stubpath = "C:\\Windows\\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe"	{68AA015B-B415-42ef-991D-CD5897080253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAC15E58-9849-450f-93A5-15D4960EEB06}\stubpath = "C:\\Windows\\{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe"	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1495859F-488D-4cce-9766-4FDD87C80382}\stubpath = "C:\\Windows\\{1495859F-488D-4cce-9766-4FDD87C80382}.exe"	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}	{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28AE1FE9-3D88-416d-9AE1-66806428DA17}	{1495859F-488D-4cce-9766-4FDD87C80382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}\stubpath = "C:\\Windows\\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe"	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C84BC25-41FF-4950-BF4D-7D64008947B1}	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA80C769-6225-44a8-9208-D0197C9515F7}\stubpath = "C:\\Windows\\{CA80C769-6225-44a8-9208-D0197C9515F7}.exe"	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68AA015B-B415-42ef-991D-CD5897080253}\stubpath = "C:\\Windows\\{68AA015B-B415-42ef-991D-CD5897080253}.exe"	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}\stubpath = "C:\\Windows\\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe"	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAC15E58-9849-450f-93A5-15D4960EEB06}	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}\stubpath = "C:\\Windows\\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}.exe"	{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1495859F-488D-4cce-9766-4FDD87C80382}	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe

Executes dropped EXE 12 IoCs

pid	Process
644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe
4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe
3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe
2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
3720	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
3564	{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe
656	{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	{1495859F-488D-4cce-9766-4FDD87C80382}.exe
File created	C:\Windows\{68AA015B-B415-42ef-991D-CD5897080253}.exe	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
File created	C:\Windows\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	{68AA015B-B415-42ef-991D-CD5897080253}.exe
File created	C:\Windows\{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
File created	C:\Windows\{1495859F-488D-4cce-9766-4FDD87C80382}.exe	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe
File created	C:\Windows\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
File created	C:\Windows\{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
File created	C:\Windows\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
File created	C:\Windows\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
File created	C:\Windows\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
File created	C:\Windows\{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
File created	C:\Windows\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}.exe	{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
Token: SeIncBasePriorityPrivilege	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe
Token: SeIncBasePriorityPrivilege	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe
Token: SeIncBasePriorityPrivilege	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
Token: SeIncBasePriorityPrivilege	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
Token: SeIncBasePriorityPrivilege	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
Token: SeIncBasePriorityPrivilege	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
Token: SeIncBasePriorityPrivilege	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
Token: SeIncBasePriorityPrivilege	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe
Token: SeIncBasePriorityPrivilege	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
Token: SeIncBasePriorityPrivilege	3720	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
Token: SeIncBasePriorityPrivilege	3564	{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 644	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	81
PID 1100 wrote to memory of 644	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	81
PID 1100 wrote to memory of 644	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	81
PID 1100 wrote to memory of 4776	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	82
PID 1100 wrote to memory of 4776	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	82
PID 1100 wrote to memory of 4776	1100	2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe	82
PID 644 wrote to memory of 4168	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	83
PID 644 wrote to memory of 4168	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	83
PID 644 wrote to memory of 4168	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	83
PID 644 wrote to memory of 1388	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	84
PID 644 wrote to memory of 1388	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	84
PID 644 wrote to memory of 1388	644	{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe	84
PID 4168 wrote to memory of 3576	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe	87
PID 4168 wrote to memory of 3576	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe	87
PID 4168 wrote to memory of 3576	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe	87
PID 4168 wrote to memory of 3692	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe	88
PID 4168 wrote to memory of 3692	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe	88
PID 4168 wrote to memory of 3692	4168	{1495859F-488D-4cce-9766-4FDD87C80382}.exe	88
PID 3576 wrote to memory of 3728	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	93
PID 3576 wrote to memory of 3728	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	93
PID 3576 wrote to memory of 3728	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	93
PID 3576 wrote to memory of 4580	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	94
PID 3576 wrote to memory of 4580	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	94
PID 3576 wrote to memory of 4580	3576	{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe	94
PID 3728 wrote to memory of 3388	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	96
PID 3728 wrote to memory of 3388	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	96
PID 3728 wrote to memory of 3388	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	96
PID 3728 wrote to memory of 2176	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	97
PID 3728 wrote to memory of 2176	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	97
PID 3728 wrote to memory of 2176	3728	{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe	97
PID 3388 wrote to memory of 3248	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	98
PID 3388 wrote to memory of 3248	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	98
PID 3388 wrote to memory of 3248	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	98
PID 3388 wrote to memory of 3932	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	99
PID 3388 wrote to memory of 3932	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	99
PID 3388 wrote to memory of 3932	3388	{CA80C769-6225-44a8-9208-D0197C9515F7}.exe	99
PID 3248 wrote to memory of 2832	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	100
PID 3248 wrote to memory of 2832	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	100
PID 3248 wrote to memory of 2832	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	100
PID 3248 wrote to memory of 3908	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	101
PID 3248 wrote to memory of 3908	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	101
PID 3248 wrote to memory of 3908	3248	{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe	101
PID 2832 wrote to memory of 4216	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	102
PID 2832 wrote to memory of 4216	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	102
PID 2832 wrote to memory of 4216	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	102
PID 2832 wrote to memory of 3632	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	103
PID 2832 wrote to memory of 3632	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	103
PID 2832 wrote to memory of 3632	2832	{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe	103
PID 4216 wrote to memory of 2996	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe	104
PID 4216 wrote to memory of 2996	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe	104
PID 4216 wrote to memory of 2996	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe	104
PID 4216 wrote to memory of 5016	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe	105
PID 4216 wrote to memory of 5016	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe	105
PID 4216 wrote to memory of 5016	4216	{68AA015B-B415-42ef-991D-CD5897080253}.exe	105
PID 2996 wrote to memory of 3720	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	106
PID 2996 wrote to memory of 3720	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	106
PID 2996 wrote to memory of 3720	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	106
PID 2996 wrote to memory of 3224	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	107
PID 2996 wrote to memory of 3224	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	107
PID 2996 wrote to memory of 3224	2996	{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe	107
PID 3720 wrote to memory of 3564	3720	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe	108
PID 3720 wrote to memory of 3564	3720	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe	108
PID 3720 wrote to memory of 3564	3720	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe	108
PID 3720 wrote to memory of 3840	3720	{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_f2677c40a21645d311ddcd32d5597dce_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe
  C:\Windows\{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\{1495859F-488D-4cce-9766-4FDD87C80382}.exe
    C:\Windows\{1495859F-488D-4cce-9766-4FDD87C80382}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
      C:\Windows\{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
        
        C:\Windows\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
        
        C:\Windows\{CA80C769-6225-44a8-9208-D0197C9515F7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
        
        C:\Windows\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
        
        C:\Windows\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{68AA015B-B415-42ef-991D-CD5897080253}.exe
        
        C:\Windows\{68AA015B-B415-42ef-991D-CD5897080253}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
        
        C:\Windows\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
        
        C:\Windows\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe
        
        C:\Windows\{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}.exe
        
        C:\Windows\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}.exe
        13⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAC15~1.EXE > nul
        13⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B93F~1.EXE > nul
        12⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7147F~1.EXE > nul
        11⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68AA0~1.EXE > nul
        10⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8528~1.EXE > nul
        9⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CFD8~1.EXE > nul
        8⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA80C~1.EXE > nul
        7⤵
        
        PID:3932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AA33~1.EXE > nul
        6⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28AE1~1.EXE > nul
        5⤵
        
        PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14958~1.EXE > nul
      4⤵
      PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2C84B~1.EXE > nul
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1495859F-488D-4cce-9766-4FDD87C80382}.exe

Filesize
408KB

MD5
952b731529970d04943a2d072e5878ea

SHA1
f0fcc8be2d3b445cf021cb5e0abab6e8d5c5edf4

SHA256
37fe4f987ce3ae21863c6e096eb6cc60da40b596694ec16a5118ec45a0b74c6c

SHA512
64f62f72a7fe1becd25524e954295340baf2506bb28e20c449bec380531f31d67fdd8caf5a4d37a866544f28f1f1e928ba60d7e470c663efb5a4da7e1961576c

Download Submit
C:\Windows\{28AE1FE9-3D88-416d-9AE1-66806428DA17}.exe

Filesize
408KB

MD5
8988dd6486adc126f9cafecb0c2fda89

SHA1
b91ed01db2894d7ac06f407af63444fef9efd455

SHA256
e9f1361dd2dfc935cc422422b6c475ba057ba5e3ad754c31289220dbe65e0641

SHA512
68f63613a01e13b2080d973ccb53a81c3c268c0254d368a0eb69deb18a663593e0e2d1c355dfb0f6adf4b58a34ccfea94fa55fdf6e4ff1fbbbe29a4f26a1c06b

Download Submit
C:\Windows\{2C84BC25-41FF-4950-BF4D-7D64008947B1}.exe

Filesize
408KB

MD5
70581c12744b9c736d5c879252c0989d

SHA1
99ee2b7ac211992b7e4ac92ecdaf55133288323c

SHA256
41644b9451a2537f4ddd986aa857930346d36fdd0820adfea02adb7d7ae5138b

SHA512
09f3012203b998f1d5852abacfbe8f59630dfe285fe93dd7f5d2c6688cdba63d054f4f4246b37d5af5e14c378855553c4f7a34f1b1848d58fa7bfe8be6482133

Download Submit
C:\Windows\{2CFD8529-B552-4d1a-A139-2BDA761DDF43}.exe

Filesize
408KB

MD5
da15c16d9b065a3a72a32c903e6edfe3

SHA1
e6a65b2f7074315b5b05551c99fe411c95a37151

SHA256
26e67f274e9ebfc308e8b7a537a150c6529d8446885455fb92f27c81e75cb125

SHA512
376f4ad08f2d637f2605c02dfa6b00803c468456f4e7cc56ec8cebf5ff5d4b1a5b1f0957fca8b4d45db084f2a99d6edb0126e2bab72557ce2186bceeb6eb5fa1

Download Submit
C:\Windows\{4B93FF54-D54A-4dfa-B633-ADCF49035E2B}.exe

Filesize
408KB

MD5
aae620d928a8f18ce6a07e40909f14ef

SHA1
65a02a1113661575e505d88a87b0e97221342bb6

SHA256
f97592a17d3e79315df4a81e781ee3471a657a9f0fdd0d8e73906ffb9f4e4ea0

SHA512
f8b158e3a85836c62e19cbce0d8f3fee624b0c46e99356f57b3514dffc98a2c7d7d4e41636b2d32aa03eb9dc3cb9401c14d4f7982e3b35867bec891186ec05ef

Download Submit
C:\Windows\{68AA015B-B415-42ef-991D-CD5897080253}.exe

Filesize
408KB

MD5
cb3c481d3e192bc6f1fbff3ac450cfd4

SHA1
d1d82435ea70bf828cd87746341ce8f2faaf0844

SHA256
08b321abeb1a782bd6af2cda8ae630f4837c7a6d4ebca58ab402545c2be2500b

SHA512
f160c945152be5c3c008ccdd78e8356d879de8b33fcdfb6b372a28d69620b31c1248f30b53a9046d0302c25b18805a22ebeca014130e51386107cce33c8a8468

Download Submit
C:\Windows\{7147F541-2E1B-4b21-BD67-DFDD8C22A863}.exe

Filesize
408KB

MD5
aceb5e937b1603bd707e38a008b6f06f

SHA1
85429477d335dc5547bcb6d0a81b0f3c16ca1de9

SHA256
ef9511742b1b86a389225f8309778bd4022a13c152195cae14d8970d5f9430d6

SHA512
ad42cb2528c0334e10e02e880ccad0c843f93d436f765851bb3d5207579b76ac017f6ae57052ffaedf237543a67a22b3f428d79e17ceeeea944296c70ffe8653

Download Submit
C:\Windows\{7AA33118-1A0B-4e57-981F-2C63FFDEBB27}.exe

Filesize
408KB

MD5
68ee0fcea4f85628614924b813e290b3

SHA1
4e46ab8f3349f2e4c55b67a7a4ae92258b77645d

SHA256
b6decacba4531b3a9fa784ee301eab98ab27f5fd981ba2469e7bab912b2cd338

SHA512
781ca088945876c8bf8689f20992d177617274bc9518e5225b1490a7136e31733a1048bd4772a25ddd49461c5c5bb105c7fc147dc3574b90042a0ff9dd52c01d

Download Submit
C:\Windows\{BDA4C265-9E45-424b-B1DA-0D98FE0AD0F5}.exe

Filesize
408KB

MD5
558f7433ae960dbdf55014d9c8fb513e

SHA1
04c7f3d08d3be1c48081ab57986ce9b9cf260e63

SHA256
770ce03203fbe26d9875f221d899326ec01e9c7a4c314e8cf28824b278524684

SHA512
1f009cd1f35b2d80997fc0ef535ec3b97fb23a0fbca892908576ff133d4c918cec714fd086b4e80a301c9cfd2b45b6018702facf65daef4f2ac56d504637e506

Download Submit
C:\Windows\{CA80C769-6225-44a8-9208-D0197C9515F7}.exe

Filesize
408KB

MD5
66bac3359101f584679fd43edb700e33

SHA1
f4c4ab5962232ace6327cfcffbee2d5a2e533620

SHA256
32e0001bdfebffc7ea34df1bfc8203c3a74d6e1f75d17c061bd6e1a5ed5216f7

SHA512
58d5d63fc23db6ceaf6a7fdbf277612d408747559a612f67c2d7d23183d5a1edc6b641a55db7804ebec5330cf0d2dbb9e8310850344dec2b17195119e4f21297

Download Submit
C:\Windows\{DAC15E58-9849-450f-93A5-15D4960EEB06}.exe

Filesize
408KB

MD5
ad7513254bc5319cb975f89659da27c3

SHA1
d041b2e42b43dee06829fb929044319cb6b1ef02

SHA256
3f12d783100c4d7c22527b9de968e4f8b5212e986bf84bd8cf1e8bd53ea77767

SHA512
dcf6cfa7fe8d1d71d16594903eb11ecf7f963cd6e56fda4846c3f2159515e9546565227654b7e9d3886c0c24f732a6ab119beffe5f16b0ff0ac89a43a4000348

Download Submit
C:\Windows\{F8528DC9-77CE-4335-B669-5CE9E237E1D3}.exe

Filesize
408KB

MD5
a5fc14d6c9b8c2e27b8d4da9038ee23e

SHA1
5a02368738d5122f0f49c2c2dfec5be9ffa78278

SHA256
22ba4cf9b540e6e481245c4f0b60925f37cc590e8836e8a9f9779daf2ecddab5

SHA512
9d35b6e828e3bcb75bf56ae0b62822934d102c57d6ac73e4c3752bfc1c991df336ef4e057e0c7677d8f58b3b8b0589ffebe40fb77ae5c41a35e4502e5887d703

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads