8e19cfd59bc2b47e7e584b6c4953f22db1c9e6e2114e50ad4ab358181ede7311

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe
Size

408KB
MD5

9421dddd2256278f0e862c746326243f
SHA1

2238135bb88162c83486a0c7a34b864e7ab5fdbd
SHA256

8e19cfd59bc2b47e7e584b6c4953f22db1c9e6e2114e50ad4ab358181ede7311
SHA512

72aec33149a3df420c1176883be8417cb5d252e2981d6a73b4f77b01258194a33126b61881a0df306b2d012637ac831d3b2c5baa49f4a4f5da3af0a594b3f811
SSDEEP

3072:CEGh0ocl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001226f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016d61-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001226f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001226f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001226f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001226f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000001226f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}\stubpath = "C:\\Windows\\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe"	{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C808EC9F-7B35-414f-B49E-08AB759E39BC}	{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}\stubpath = "C:\\Windows\\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe"	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}\stubpath = "C:\\Windows\\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe"	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}\stubpath = "C:\\Windows\\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe"	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}\stubpath = "C:\\Windows\\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe"	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}\stubpath = "C:\\Windows\\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe"	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}\stubpath = "C:\\Windows\\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe"	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}\stubpath = "C:\\Windows\\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe"	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}	{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB19180-8DB6-4c21-9795-EF9B03562302}	{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C808EC9F-7B35-414f-B49E-08AB759E39BC}\stubpath = "C:\\Windows\\{C808EC9F-7B35-414f-B49E-08AB759E39BC}.exe"	{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}\stubpath = "C:\\Windows\\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe"	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB19180-8DB6-4c21-9795-EF9B03562302}\stubpath = "C:\\Windows\\{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe"	{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
2160	{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe
860	{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe
2956	{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe
2872	{C808EC9F-7B35-414f-B49E-08AB759E39BC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
File created	C:\Windows\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
File created	C:\Windows\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
File created	C:\Windows\{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe	{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe
File created	C:\Windows\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe
File created	C:\Windows\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
File created	C:\Windows\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
File created	C:\Windows\{C808EC9F-7B35-414f-B49E-08AB759E39BC}.exe	{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe
File created	C:\Windows\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
File created	C:\Windows\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
File created	C:\Windows\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe	{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
Token: SeIncBasePriorityPrivilege	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
Token: SeIncBasePriorityPrivilege	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
Token: SeIncBasePriorityPrivilege	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
Token: SeIncBasePriorityPrivilege	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
Token: SeIncBasePriorityPrivilege	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
Token: SeIncBasePriorityPrivilege	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
Token: SeIncBasePriorityPrivilege	2160	{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe
Token: SeIncBasePriorityPrivilege	860	{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe
Token: SeIncBasePriorityPrivilege	2956	{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1728	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	28
PID 2980 wrote to memory of 1728	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	28
PID 2980 wrote to memory of 1728	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	28
PID 2980 wrote to memory of 1728	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	28
PID 2980 wrote to memory of 2068	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	29
PID 2980 wrote to memory of 2068	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	29
PID 2980 wrote to memory of 2068	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	29
PID 2980 wrote to memory of 2068	2980	2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe	29
PID 1728 wrote to memory of 2736	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	30
PID 1728 wrote to memory of 2736	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	30
PID 1728 wrote to memory of 2736	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	30
PID 1728 wrote to memory of 2736	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	30
PID 1728 wrote to memory of 2776	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	31
PID 1728 wrote to memory of 2776	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	31
PID 1728 wrote to memory of 2776	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	31
PID 1728 wrote to memory of 2776	1728	{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe	31
PID 2736 wrote to memory of 1136	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	32
PID 2736 wrote to memory of 1136	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	32
PID 2736 wrote to memory of 1136	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	32
PID 2736 wrote to memory of 1136	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	32
PID 2736 wrote to memory of 2548	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	33
PID 2736 wrote to memory of 2548	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	33
PID 2736 wrote to memory of 2548	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	33
PID 2736 wrote to memory of 2548	2736	{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe	33
PID 1136 wrote to memory of 2944	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	36
PID 1136 wrote to memory of 2944	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	36
PID 1136 wrote to memory of 2944	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	36
PID 1136 wrote to memory of 2944	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	36
PID 1136 wrote to memory of 2968	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	37
PID 1136 wrote to memory of 2968	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	37
PID 1136 wrote to memory of 2968	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	37
PID 1136 wrote to memory of 2968	1136	{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe	37
PID 2944 wrote to memory of 1608	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	38
PID 2944 wrote to memory of 1608	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	38
PID 2944 wrote to memory of 1608	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	38
PID 2944 wrote to memory of 1608	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	38
PID 2944 wrote to memory of 1920	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	39
PID 2944 wrote to memory of 1920	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	39
PID 2944 wrote to memory of 1920	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	39
PID 2944 wrote to memory of 1920	2944	{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe	39
PID 1608 wrote to memory of 1940	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	40
PID 1608 wrote to memory of 1940	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	40
PID 1608 wrote to memory of 1940	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	40
PID 1608 wrote to memory of 1940	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	40
PID 1608 wrote to memory of 272	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	41
PID 1608 wrote to memory of 272	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	41
PID 1608 wrote to memory of 272	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	41
PID 1608 wrote to memory of 272	1608	{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe	41
PID 1940 wrote to memory of 812	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	42
PID 1940 wrote to memory of 812	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	42
PID 1940 wrote to memory of 812	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	42
PID 1940 wrote to memory of 812	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	42
PID 1940 wrote to memory of 1944	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	43
PID 1940 wrote to memory of 1944	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	43
PID 1940 wrote to memory of 1944	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	43
PID 1940 wrote to memory of 1944	1940	{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe	43
PID 812 wrote to memory of 2160	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	44
PID 812 wrote to memory of 2160	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	44
PID 812 wrote to memory of 2160	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	44
PID 812 wrote to memory of 2160	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	44
PID 812 wrote to memory of 320	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	45
PID 812 wrote to memory of 320	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	45
PID 812 wrote to memory of 320	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	45
PID 812 wrote to memory of 320	812	{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_9421dddd2256278f0e862c746326243f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
  C:\Windows\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
    C:\Windows\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
      C:\Windows\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
        
        C:\Windows\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
        
        C:\Windows\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
        
        C:\Windows\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
        
        C:\Windows\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe
        
        C:\Windows\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe
        
        C:\Windows\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe
        
        C:\Windows\{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{C808EC9F-7B35-414f-B49E-08AB759E39BC}.exe
        
        C:\Windows\{C808EC9F-7B35-414f-B49E-08AB759E39BC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB19~1.EXE > nul
        12⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71ABA~1.EXE > nul
        11⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCBE2~1.EXE > nul
        10⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55273~1.EXE > nul
        9⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A86D8~1.EXE > nul
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB9D~1.EXE > nul
        7⤵
        
        PID:272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE58~1.EXE > nul
        6⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91B7C~1.EXE > nul
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D47EB~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50E5C~1.EXE > nul
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DB19180-8DB6-4c21-9795-EF9B03562302}.exe

Filesize
408KB

MD5
4b8edd054b689d1c6ac90897364b6e3a

SHA1
14e4aee884e0d5859aea79c8676a392b5bfbaef2

SHA256
3aa1dba7575933e6d6951711a5138a30829de05203c2055655a29b21d229b5a1

SHA512
29d7d0dba54927a2f3fc9b9ea78c7f5178f467624d76b7b113a2d14912e928b26ffcdd949685c7d58e6ff67dd0cd9e93fa56b4d0e5920acacd36d5b8e85189a4

Download Submit
C:\Windows\{3FE5819C-D7BA-444f-87B5-30A05BEFD03D}.exe

Filesize
408KB

MD5
2a97d812196b99d23ab41677e29ad536

SHA1
8e39f55269f195688a920b3d3af0381a6abf9635

SHA256
b36ceb46440251ab5aab19bf3e8086ce782e5988808b4e4cfeb6e64e9df91792

SHA512
f316df7f862aa49840cf25655f71c2f6b0ff24c4cc67ec0865e738ec10c642955165623368c7e98792a5b259ddc4addda61fb026c5dec2853e6b28d3bcaa9bb6

Download Submit
C:\Windows\{50E5CA3D-87CD-45c5-910D-25E2535A2D86}.exe

Filesize
408KB

MD5
39d5c7bde37334dbaf3d2c84ae4f0320

SHA1
47c66f9e2d1d693e9036b7a31a6297c30d51804f

SHA256
cac3e89c671e4259c304653da4100d201ef79e5be751977c4f03014b943cf856

SHA512
579ba15f8d0f35c4ff47fb2dead48a0ab212f5b902689536722f1a77ce9b6d737008c61210ca98214d28877e8c414a709eb780ce9fc53e23a366003fcae82c17

Download Submit
C:\Windows\{55273BF3-E36B-4873-9FB0-E0D7DC80372B}.exe

Filesize
408KB

MD5
654ed2e19cf71905693d054bd1905001

SHA1
a954942651af7707cdcbf966d288c4e47f3b063c

SHA256
2cbe861e2d955364d9762608fa8775f326bfebdedc802ea20f2c0faf015db45f

SHA512
e2a84d4108ba24f332eb67ad26edd9870ee46c5b96dc1df8ccb7955cfd857bb1a52327e6d58ba5cb9b17e0160457760ac93e4b947a13b37d3e4fa663cb1db9e9

Download Submit
C:\Windows\{71ABA086-C567-48eb-9EF3-56BABB2FDBB1}.exe

Filesize
408KB

MD5
32ee8eed1de12e737c92309a80d161df

SHA1
ef17c58da9190d253ce7597456a5c05f67d12ef3

SHA256
a5038c37c1b1bf62842cc3f1cc17eb36cfe535b025cf2bf5cb135cd392dfcfc2

SHA512
18fb16c51abdd4405d933f7d3abce343ca5f02b16382fc00d67eb89d26a4fe1afd892929c40ec6c2dc25fa81a972fc323d38e32295a5fb74bed98e8fc0ec39cc

Download Submit
C:\Windows\{91B7CB3C-FD75-48fb-850C-667C6CF1EEB4}.exe

Filesize
408KB

MD5
088e1714067297e42aaf133917b19f4c

SHA1
5c23a408ee74af0a00ad297ca234ff1d5b7ee027

SHA256
6cb38c20fb06fc620129fc0dacba8070ea5efbcd03c53482634e308c25bd25b7

SHA512
9435c01d517dd1f30259a0aec6c488d8af50f041ab7d65329ebe76a1f30ab15e2d58c21ad24d272f995e2c43cab4ea22eba72c890eaa070666ae038f0dd4ab3d

Download Submit
C:\Windows\{A86D82F8-20D6-44d7-A5A4-39439CC3A98F}.exe

Filesize
408KB

MD5
95d4aee711b9d681940e8dc91e34665c

SHA1
155f28fe35194a0ef21537a5662dad315829a594

SHA256
943e5fd1421c6fb78234d5f225d17c64f317b7f012764fd72e8cd3c9e8c5e8ca

SHA512
758257359d1af6acafd051c69c9902ff017454c7bb22e3c5b4c9b1e11a4396c52c07556daa376b641f93829f5cf23e293b7cd08b0b1f715afa18d82d7c1ae80b

Download Submit
C:\Windows\{BCBE2BA4-3F32-47d7-B6A1-F241F3A642A1}.exe

Filesize
408KB

MD5
b102f8a311740e7238fea42e1289ec0b

SHA1
9efc29477c7e5dbaf2f2271c766aa74edf8993b3

SHA256
18cbe877384a48a41aec8ef3aeb592b96f3333ce0f61e5c7c89d81df49ec1e70

SHA512
5c7b8d0b1badb64bcce96c76ae14357ee8e952a36a68ae784fc969e652a0f2b721e259e3a088ecf569a7bcf470be231e576bc89ee56e056ef3038d3878f8c853

Download Submit
C:\Windows\{C808EC9F-7B35-414f-B49E-08AB759E39BC}.exe

Filesize
408KB

MD5
c0d575d05a680a76fe0f74851dcdfa1d

SHA1
6e46199b690d94b2f06f7ad10f5c9f0256050d78

SHA256
e5af5ace33d3a4d45a481a9cbcc40e1b3d738f1d8dd54d63746a1a27b0279782

SHA512
d870c557c00c62eb14ac0bae485ab6784d1069cb1a467e62bdec1f434f304b0f89ac33ebeab531ad60036b226db281bdf5211159da812114948eccb26a131561

Download Submit
C:\Windows\{D47EBD59-F1B5-4874-842E-08F0BF2CF490}.exe

Filesize
408KB

MD5
b87427b2b572640d283854910259408e

SHA1
3c07086541e87807f989146b3b3a5a517fee721e

SHA256
f8eaff896667f4a85c2df40bedbe4ea85b88a98baf85f86634f837a0990f1e7a

SHA512
f97469c8e01d69fb84a56622189c6c044939a95dd8e8bf2afdc529cc4d13aee5c822d1d1ea2bb25a8795cea0dbe0bd7152e9cef38cfe9f42cf008c04013b7094

Download Submit
C:\Windows\{FDB9DE8F-C5C4-4742-A9C1-1C19871FCD06}.exe

Filesize
408KB

MD5
846016c8aa94933aedb4a7690b0fe8f9

SHA1
3f97d473f0b3078a91d96ebd3426a3414946b326

SHA256
aede0c83e5c66d9b631a2ace73043c5c28be4a025864f1f1959ba94e607424e3

SHA512
f1f393eafcda22469b1fec7c980d9acdb975012181ef1589f20366330c7df51127db3bcbc9300ea34e7f3208373b464cc43ec922307d0cca633bd0fb98ee0c74

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads