e6e8b0013d7b66eacd35d7109f2a8e3995d2f997e146cc74c61caf20cf786b69

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 11:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe
Size

197KB
MD5

f7c3e257e8e48db55343e45138efc040
SHA1

5fab6b1030ad05a60de6a6c8ce17c271b9c03501
SHA256

e6e8b0013d7b66eacd35d7109f2a8e3995d2f997e146cc74c61caf20cf786b69
SHA512

e6815af141168bfc869a0f24aa93bac22855b192bca6d64436defb836ffdd6d2914fcd8518efd14ac5091c67cd3f3a93ecca351614f7c4429c41c809e82605c4
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGJlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x002a000000014258-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00290000000142d0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000f6e4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a0000000142d0-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000f6e4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b0000000142d0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6e4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c0000000142d0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6e4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d0000000142d0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6e4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}	{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}\stubpath = "C:\\Windows\\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe"	{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}	{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1841F423-93FB-4298-B190-326A02ADA5B0}\stubpath = "C:\\Windows\\{1841F423-93FB-4298-B190-326A02ADA5B0}.exe"	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}\stubpath = "C:\\Windows\\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe"	{691F6777-7F94-40c0-A168-35810ECE3952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1432B741-CAB1-4542-A509-7EA7D5994758}	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}\stubpath = "C:\\Windows\\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe"	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}\stubpath = "C:\\Windows\\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe"	{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}\stubpath = "C:\\Windows\\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}.exe"	{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1841F423-93FB-4298-B190-326A02ADA5B0}	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}\stubpath = "C:\\Windows\\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe"	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}\stubpath = "C:\\Windows\\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe"	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{691F6777-7F94-40c0-A168-35810ECE3952}	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{691F6777-7F94-40c0-A168-35810ECE3952}\stubpath = "C:\\Windows\\{691F6777-7F94-40c0-A168-35810ECE3952}.exe"	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}	{691F6777-7F94-40c0-A168-35810ECE3952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}	{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}\stubpath = "C:\\Windows\\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe"	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1432B741-CAB1-4542-A509-7EA7D5994758}\stubpath = "C:\\Windows\\{1432B741-CAB1-4542-A509-7EA7D5994758}.exe"	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe
2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe
2728	{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
1508	{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe
2900	{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe
2908	{9397418A-18E0-4ac3-915E-A3C2D05A21AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}.exe	{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe
File created	C:\Windows\{691F6777-7F94-40c0-A168-35810ECE3952}.exe	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
File created	C:\Windows\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
File created	C:\Windows\{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
File created	C:\Windows\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe
File created	C:\Windows\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe	{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
File created	C:\Windows\{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe
File created	C:\Windows\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	{691F6777-7F94-40c0-A168-35810ECE3952}.exe
File created	C:\Windows\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
File created	C:\Windows\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
File created	C:\Windows\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe	{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
Token: SeIncBasePriorityPrivilege	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe
Token: SeIncBasePriorityPrivilege	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
Token: SeIncBasePriorityPrivilege	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
Token: SeIncBasePriorityPrivilege	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
Token: SeIncBasePriorityPrivilege	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
Token: SeIncBasePriorityPrivilege	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe
Token: SeIncBasePriorityPrivilege	2728	{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
Token: SeIncBasePriorityPrivilege	1508	{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe
Token: SeIncBasePriorityPrivilege	2900	{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3020	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	28
PID 2064 wrote to memory of 3020	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	28
PID 2064 wrote to memory of 3020	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	28
PID 2064 wrote to memory of 3020	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	28
PID 2064 wrote to memory of 2140	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	29
PID 2064 wrote to memory of 2140	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	29
PID 2064 wrote to memory of 2140	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	29
PID 2064 wrote to memory of 2140	2064	2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe	29
PID 3020 wrote to memory of 2564	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	30
PID 3020 wrote to memory of 2564	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	30
PID 3020 wrote to memory of 2564	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	30
PID 3020 wrote to memory of 2564	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	30
PID 3020 wrote to memory of 2664	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	31
PID 3020 wrote to memory of 2664	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	31
PID 3020 wrote to memory of 2664	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	31
PID 3020 wrote to memory of 2664	3020	{1841F423-93FB-4298-B190-326A02ADA5B0}.exe	31
PID 2564 wrote to memory of 2452	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	34
PID 2564 wrote to memory of 2452	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	34
PID 2564 wrote to memory of 2452	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	34
PID 2564 wrote to memory of 2452	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	34
PID 2564 wrote to memory of 2396	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	35
PID 2564 wrote to memory of 2396	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	35
PID 2564 wrote to memory of 2396	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	35
PID 2564 wrote to memory of 2396	2564	{691F6777-7F94-40c0-A168-35810ECE3952}.exe	35
PID 2452 wrote to memory of 648	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	36
PID 2452 wrote to memory of 648	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	36
PID 2452 wrote to memory of 648	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	36
PID 2452 wrote to memory of 648	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	36
PID 2452 wrote to memory of 2400	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	37
PID 2452 wrote to memory of 2400	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	37
PID 2452 wrote to memory of 2400	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	37
PID 2452 wrote to memory of 2400	2452	{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe	37
PID 648 wrote to memory of 1640	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	38
PID 648 wrote to memory of 1640	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	38
PID 648 wrote to memory of 1640	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	38
PID 648 wrote to memory of 1640	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	38
PID 648 wrote to memory of 2776	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	39
PID 648 wrote to memory of 2776	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	39
PID 648 wrote to memory of 2776	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	39
PID 648 wrote to memory of 2776	648	{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe	39
PID 1640 wrote to memory of 2844	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	40
PID 1640 wrote to memory of 2844	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	40
PID 1640 wrote to memory of 2844	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	40
PID 1640 wrote to memory of 2844	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	40
PID 1640 wrote to memory of 2712	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	41
PID 1640 wrote to memory of 2712	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	41
PID 1640 wrote to memory of 2712	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	41
PID 1640 wrote to memory of 2712	1640	{1432B741-CAB1-4542-A509-7EA7D5994758}.exe	41
PID 2844 wrote to memory of 1552	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	42
PID 2844 wrote to memory of 1552	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	42
PID 2844 wrote to memory of 1552	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	42
PID 2844 wrote to memory of 1552	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	42
PID 2844 wrote to memory of 840	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	43
PID 2844 wrote to memory of 840	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	43
PID 2844 wrote to memory of 840	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	43
PID 2844 wrote to memory of 840	2844	{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe	43
PID 1552 wrote to memory of 2728	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	44
PID 1552 wrote to memory of 2728	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	44
PID 1552 wrote to memory of 2728	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	44
PID 1552 wrote to memory of 2728	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	44
PID 1552 wrote to memory of 2720	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	45
PID 1552 wrote to memory of 2720	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	45
PID 1552 wrote to memory of 2720	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	45
PID 1552 wrote to memory of 2720	1552	{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7c3e257e8e48db55343e45138efc040_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
  C:\Windows\{1841F423-93FB-4298-B190-326A02ADA5B0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{691F6777-7F94-40c0-A168-35810ECE3952}.exe
    C:\Windows\{691F6777-7F94-40c0-A168-35810ECE3952}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
      C:\Windows\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
        
        C:\Windows\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Windows\{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
        
        C:\Windows\{1432B741-CAB1-4542-A509-7EA7D5994758}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
        
        C:\Windows\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe
        
        C:\Windows\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
        
        C:\Windows\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe
        
        C:\Windows\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe
        
        C:\Windows\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}.exe
        
        C:\Windows\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B7C~1.EXE > nul
        12⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8EBB~1.EXE > nul
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{655A8~1.EXE > nul
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AEF3~1.EXE > nul
        9⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76A58~1.EXE > nul
        8⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1432B~1.EXE > nul
        7⤵
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E38A0~1.EXE > nul
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF5B~1.EXE > nul
        5⤵
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{691F6~1.EXE > nul
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1841F~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1432B741-CAB1-4542-A509-7EA7D5994758}.exe

Filesize
197KB

MD5
480c129aa87935ba21313c221faafef9

SHA1
21b8efb528601b7f4b5f51ec84f5f72e0f85ba91

SHA256
fd19f4be0576756b1ecbdf53cd0b119ae2254f05eb29959a4a266bd3b33382c7

SHA512
0ffc3f2f9619b14bb26472b94cd63716e5c3e3dc076517e7ff8b2df8b51903fd04378874163b03e8cb02465f16e569b7f8d29ed176803679a1834396146e3a58

Download Submit
C:\Windows\{1841F423-93FB-4298-B190-326A02ADA5B0}.exe

Filesize
197KB

MD5
da703da0c639ca3c7a81c821a1f209f1

SHA1
cf5b6a3be87dbe8feb8950ca7ba4faac03029818

SHA256
c8865524cc17a04554aaa7609688366160f9ffc699409e2133cc631e8179dc9a

SHA512
ede70a8828ea7056211f7cea001c5edf44782166825da0d3eba37b0de4dee7d775113c75f44508f2a10af98b43213e4a2add140e26e99019d57dd60304e7cd6f

Download Submit
C:\Windows\{23B7C10F-EE12-4d55-AE9D-FD6C1AB899E0}.exe

Filesize
197KB

MD5
cf325dcc85cd9bc661fd2105d8eee6f0

SHA1
3c8f36b8f7de6019bd59e6a0801bb76c11e4f501

SHA256
95afc54f033e786f07bed6e2303ddfc4d95b88a40abdcf29ed0cea2106756c59

SHA512
7ad2ed870d97769420580b2f8351acedfcc95e94fe3d42296e4744dd90223a4f10a895a3523885492642ad5ecdc0c3b8208a879cfc814f022775d64ae51d3cc7

Download Submit
C:\Windows\{3AEF3AB8-1943-449b-9E0D-9A8A879E0B78}.exe

Filesize
197KB

MD5
cc8bb0093ec5a5f6559bbd2c81be4c72

SHA1
e826f2c5b85792ddf1fa454dce78fa4034732444

SHA256
4d3546dacf202c6127ece66b90c7b1f328c042663aaad972d042b05b2c69854a

SHA512
f9c079b8b22666d40b6e9bce1b57cf6ceab5956a3907fedcc582be3fd416bfec9888843d5efa812de2081bcf3f7867b39bf969552af7b50e0b7cee7a31a69688

Download Submit
C:\Windows\{655A82FE-7BFD-4ab1-B2B9-D7FB5DA02528}.exe

Filesize
197KB

MD5
4ee85450fa1a6b80e729395d31b81253

SHA1
535f26641077dbfb82d82b7cffdb72142b9d99f6

SHA256
0fcd15bf936e4fc5a17f7751654eb0c28355e3d9baf46dc0e73e575c4bb253a0

SHA512
98da8adec854a36286974991fbd3ef7f53196360ee7607b96d6f2f416297e038c620ef7d4fd2c5d35c56450411b33a66f0198eff94f6c882a1c52ea7a0d5ce7d

Download Submit
C:\Windows\{691F6777-7F94-40c0-A168-35810ECE3952}.exe

Filesize
197KB

MD5
4b151828aa68767986a7a181f47e11d6

SHA1
e2ee888a79aca048eb037d5f24264753db34b39e

SHA256
2face2dc2436325c7e21729de5cb26cbe1cae931de6937d9259731624b30ad65

SHA512
0926cec32c1d09e949fe699fb9085454b9e45907972e14d7349c6bbb8323089b58f748d377a8b750395060bce86f76a8a987304e384d0b26eb8cd725d1b17dce

Download Submit
C:\Windows\{76A58E07-62CB-472f-93FF-71E21A9D2CB9}.exe

Filesize
197KB

MD5
951474c1a89f0f4d3cf217f31d10e1bd

SHA1
99aad7321e4fdb62753624ae70700088536aa290

SHA256
5da9eeaecacb522874db7b73e84b3c9730cfafd7d90e4bcc125ef0cc27a63c63

SHA512
6600877bc1081b4a818e76e5e617d0154c88dce145a1019ac38bac54f28376a5ab5012ec169f59adcc1f36fa8bb3841c963afd152bb2905780ea48d27a228b9a

Download Submit
C:\Windows\{9397418A-18E0-4ac3-915E-A3C2D05A21AD}.exe

Filesize
197KB

MD5
ddd7a1a3dd1785daa444e45163ee960f

SHA1
ba2b72ca325a3eb73a2505ad56e0bdd089337da2

SHA256
2a65937dba4f937c8e219d5e0508ed9a394ab9bd1e9282d6bb8fc3f0df26c8c3

SHA512
8d985193a673b8b93c429b21e5e89bd83f9e83cf27991e18cfcb2736f165ab8a9d362fd5dd02a1fb0c4c54370e0eeae904f7ae38ba0a6f808b7ba05b80e4e5db

Download Submit
C:\Windows\{D8EBBE73-7757-4ddd-94AA-6AF04509035A}.exe

Filesize
197KB

MD5
9f97ec53599fffd7283c86d432390b1d

SHA1
47beacaac4facd3b8d34af58b2a5cb1484e99bb8

SHA256
2e189383b5cc6ce93e0b79299518a19aa087781c94ff9619dce1f44a4e5e282f

SHA512
629b3b0e16dd50bd295bd4def44b9f350f5932fc2924c39728a6e84f9d59bc1abb0069cb2b3c50ef338c7fc26bef8615ac9c2690fda1a20082aa368ef2790447

Download Submit
C:\Windows\{DBF5BBA5-1FE4-457a-97CE-5E179CB1E4DA}.exe

Filesize
197KB

MD5
1ae1399d77015e52c93d0177f8b6d612

SHA1
8250ad5fa24362bf735486ba87a4ad20301f7e52

SHA256
39bef639ed1f3c89f9a33f328b89763e22f06940799448d79a7094341b4ae7c3

SHA512
f2df98475ef39aa1a4e12d8da52864e8b1341ec0ca22351b641e922f19a0a3ea34c835bfc61a3a35b936b84bd39c4e46810b093b3867daca1122e769cfe9f04e

Download Submit
C:\Windows\{E38A0821-9D58-488e-86BB-2C4EB72F9C54}.exe

Filesize
197KB

MD5
8910fc0aff0d29009226fc5926500dc5

SHA1
cfd1ff9d583017c6280549ca97de2e4847b81d6d

SHA256
201bca76f8d72807a5dc891676c4c6e7bbcf63f8ee238e98bd7455d66aecc176

SHA512
05f6b5d2526b163f783acf48f36d3ab9501d90ea0e27f9d0d6bb018d6e66ef3854a7f991643e2864830d4cb2e6c785ba02177acb3529c982b8110e7ae9f9e7dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads