c417b8b6e2f024f0eca8d783db40f4bf047a8588fffbc6b14b9e9fe25323f3a8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe
Size

372KB
MD5

ab5c455319a7da7b2fca86d60ea72383
SHA1

416cb0fdb98bd06a50103d4fbae4cac050c895af
SHA256

c417b8b6e2f024f0eca8d783db40f4bf047a8588fffbc6b14b9e9fe25323f3a8
SHA512

d39fb4e8e12a2d110ca5d6371d30a9e7fe3685abf11db67b7d44fdf950b92853b231a5ff97501117b19d5ad503872f329b9eb6f3dbdc73d4bcd6540370c2348f
SSDEEP

3072:CEGh0oZlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG3lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013113-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001342b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013113-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013928-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013113-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013113-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000013113-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}\stubpath = "C:\\Windows\\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe"	{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}\stubpath = "C:\\Windows\\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe"	{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80975A1C-4201-4550-8194-86EE712B9670}\stubpath = "C:\\Windows\\{80975A1C-4201-4550-8194-86EE712B9670}.exe"	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7800535-8403-4386-9DA7-044EE76F49AA}	{80975A1C-4201-4550-8194-86EE712B9670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}	{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E66A6B5E-C150-45fb-8132-E825FE10C24E}\stubpath = "C:\\Windows\\{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe"	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A9B6F9-5396-43bf-970B-B7DC399E4415}	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}\stubpath = "C:\\Windows\\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe"	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}	{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}	{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}\stubpath = "C:\\Windows\\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}.exe"	{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80975A1C-4201-4550-8194-86EE712B9670}	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7800535-8403-4386-9DA7-044EE76F49AA}\stubpath = "C:\\Windows\\{E7800535-8403-4386-9DA7-044EE76F49AA}.exe"	{80975A1C-4201-4550-8194-86EE712B9670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}\stubpath = "C:\\Windows\\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe"	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E66A6B5E-C150-45fb-8132-E825FE10C24E}	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}\stubpath = "C:\\Windows\\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe"	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}\stubpath = "C:\\Windows\\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe"	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A9B6F9-5396-43bf-970B-B7DC399E4415}\stubpath = "C:\\Windows\\{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe"	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe
2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe
2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
2168	{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
2360	{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
2260	{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe
1724	{D94C5501-C3B6-4e29-A6F1-657BDACF416F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe
File created	C:\Windows\{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	{80975A1C-4201-4550-8194-86EE712B9670}.exe
File created	C:\Windows\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
File created	C:\Windows\{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe
File created	C:\Windows\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
File created	C:\Windows\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe	{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
File created	C:\Windows\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe	{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
File created	C:\Windows\{80975A1C-4201-4550-8194-86EE712B9670}.exe	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
File created	C:\Windows\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
File created	C:\Windows\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
File created	C:\Windows\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}.exe	{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
Token: SeIncBasePriorityPrivilege	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe
Token: SeIncBasePriorityPrivilege	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
Token: SeIncBasePriorityPrivilege	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
Token: SeIncBasePriorityPrivilege	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe
Token: SeIncBasePriorityPrivilege	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
Token: SeIncBasePriorityPrivilege	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
Token: SeIncBasePriorityPrivilege	2168	{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
Token: SeIncBasePriorityPrivilege	2360	{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
Token: SeIncBasePriorityPrivilege	2260	{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3040	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	28
PID 2028 wrote to memory of 3040	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	28
PID 2028 wrote to memory of 3040	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	28
PID 2028 wrote to memory of 3040	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	28
PID 2028 wrote to memory of 2096	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	29
PID 2028 wrote to memory of 2096	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	29
PID 2028 wrote to memory of 2096	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	29
PID 2028 wrote to memory of 2096	2028	2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe	29
PID 3040 wrote to memory of 2676	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	30
PID 3040 wrote to memory of 2676	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	30
PID 3040 wrote to memory of 2676	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	30
PID 3040 wrote to memory of 2676	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	30
PID 3040 wrote to memory of 2872	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	31
PID 3040 wrote to memory of 2872	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	31
PID 3040 wrote to memory of 2872	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	31
PID 3040 wrote to memory of 2872	3040	{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe	31
PID 2676 wrote to memory of 2348	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	32
PID 2676 wrote to memory of 2348	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	32
PID 2676 wrote to memory of 2348	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	32
PID 2676 wrote to memory of 2348	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	32
PID 2676 wrote to memory of 2976	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	33
PID 2676 wrote to memory of 2976	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	33
PID 2676 wrote to memory of 2976	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	33
PID 2676 wrote to memory of 2976	2676	{80975A1C-4201-4550-8194-86EE712B9670}.exe	33
PID 2348 wrote to memory of 2700	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	36
PID 2348 wrote to memory of 2700	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	36
PID 2348 wrote to memory of 2700	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	36
PID 2348 wrote to memory of 2700	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	36
PID 2348 wrote to memory of 2160	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	37
PID 2348 wrote to memory of 2160	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	37
PID 2348 wrote to memory of 2160	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	37
PID 2348 wrote to memory of 2160	2348	{E7800535-8403-4386-9DA7-044EE76F49AA}.exe	37
PID 2700 wrote to memory of 2768	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	38
PID 2700 wrote to memory of 2768	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	38
PID 2700 wrote to memory of 2768	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	38
PID 2700 wrote to memory of 2768	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	38
PID 2700 wrote to memory of 2280	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	39
PID 2700 wrote to memory of 2280	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	39
PID 2700 wrote to memory of 2280	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	39
PID 2700 wrote to memory of 2280	2700	{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe	39
PID 2768 wrote to memory of 2844	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	40
PID 2768 wrote to memory of 2844	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	40
PID 2768 wrote to memory of 2844	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	40
PID 2768 wrote to memory of 2844	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	40
PID 2768 wrote to memory of 1404	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	41
PID 2768 wrote to memory of 1404	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	41
PID 2768 wrote to memory of 1404	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	41
PID 2768 wrote to memory of 1404	2768	{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe	41
PID 2844 wrote to memory of 2924	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	42
PID 2844 wrote to memory of 2924	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	42
PID 2844 wrote to memory of 2924	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	42
PID 2844 wrote to memory of 2924	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	42
PID 2844 wrote to memory of 2992	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	43
PID 2844 wrote to memory of 2992	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	43
PID 2844 wrote to memory of 2992	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	43
PID 2844 wrote to memory of 2992	2844	{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe	43
PID 2924 wrote to memory of 2168	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	44
PID 2924 wrote to memory of 2168	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	44
PID 2924 wrote to memory of 2168	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	44
PID 2924 wrote to memory of 2168	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	44
PID 2924 wrote to memory of 1612	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	45
PID 2924 wrote to memory of 1612	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	45
PID 2924 wrote to memory of 1612	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	45
PID 2924 wrote to memory of 1612	2924	{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_ab5c455319a7da7b2fca86d60ea72383_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
  C:\Windows\{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\{80975A1C-4201-4550-8194-86EE712B9670}.exe
    C:\Windows\{80975A1C-4201-4550-8194-86EE712B9670}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
      C:\Windows\{E7800535-8403-4386-9DA7-044EE76F49AA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
        
        C:\Windows\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe
        
        C:\Windows\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
        
        C:\Windows\{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
        
        C:\Windows\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
        
        C:\Windows\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
        
        C:\Windows\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe
        
        C:\Windows\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}.exe
        
        C:\Windows\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54A2A~1.EXE > nul
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D1B0~1.EXE > nul
        11⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFCD2~1.EXE > nul
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B04E~1.EXE > nul
        9⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04A9B~1.EXE > nul
        8⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D28~1.EXE > nul
        7⤵
        
        PID:1404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12178~1.EXE > nul
        6⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7800~1.EXE > nul
        5⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80975~1.EXE > nul
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E66A6~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A9B6F9-5396-43bf-970B-B7DC399E4415}.exe

Filesize
372KB

MD5
bd24d192a9c9392b4c43a8cf38c98f59

SHA1
471019bf1f1420c1d4c72f67cddb9afafeb82b05

SHA256
5577d1bfff66dd9cea82032b2f93a511daf1098b4679246356b49dad9f7e2aaf

SHA512
b93df9aeb690a531322c61c66c261825d2cde64ec4d61ee3df84480289ee4bfb9d082134535c1ff1153c666613aa062bb21dea86d1e6fb66f7dd1bd7e102fa1d

Download Submit
C:\Windows\{12178E96-C944-40eb-9D3F-AE149B7AF7C3}.exe

Filesize
372KB

MD5
9d29e5d868ea113e436fbd0e4b604b01

SHA1
88785bc349eace3edfef9fb8e8fc9d737aac749e

SHA256
1ab009e8a31845cb21c51ae08b208ab73678b90757600be72bbb5f0ae23aca50

SHA512
6e0110f30ed2e2438dee3da6dd6e8d5224483fccf219b4da4d3d453153d7a4f83c41d3835116beb8a18a7331a2b15f9e4ba56e1e22d5e3490ceacd73c234e879

Download Submit
C:\Windows\{54A2A296-4DFB-48bb-A2E8-273F75737B6E}.exe

Filesize
372KB

MD5
8c37158088458e7ca14937b6cb3aa075

SHA1
7ef31904355a17f140bc9189d98d79385baa4626

SHA256
a5d8266650a737d618fd4b09dfc311efb331a8d218ebddcfc77d0470f4f9b3bd

SHA512
54554aba48ae6971cb199de3806d67ef158a5f9a48b7d573d40c02b241fe7c5f60f305d5aea37d4b225e1452e4d65b8f5b4f60b695edc4d4a49e4ed05d08559e

Download Submit
C:\Windows\{6B04E004-4CCA-464c-9E0A-F9FDC47CC12A}.exe

Filesize
372KB

MD5
d6b5be9826f5c8bf9052a8bb2cf1855e

SHA1
5f2bfc32934ee9be3b7f781da38a74fdce859a1f

SHA256
e55710ab2afe61d23d3f84774109c5e54224019db5e26cf04a846dd23caa9c7c

SHA512
6babf3a325b9c4e11a6ac2c6f944cb93acac2dc4a3578b035895be1e521a5add42b217e053f0e9544fde1ec3d7d856fe7ec2bbb7da6b640abef328aa0b198eba

Download Submit
C:\Windows\{6D1B0E0D-80F5-43b2-AF67-71A0C7128F56}.exe

Filesize
372KB

MD5
4870cabf54e8722721726984cfe3b9cc

SHA1
b40aebae68a6a979416d11972626d5fa4d274d81

SHA256
a138b784cb98941165de1218c7d70ef28587892d675a1930fe6f5f15e5840029

SHA512
742c322d958ab637845221c7df683e608fa8c5631cff1c6e5cb8dce6314c3d30a708e6c01bcbe6df543d2d2b83d62ec5be90917dbf86c04af5a44353829ac3d5

Download Submit
C:\Windows\{80975A1C-4201-4550-8194-86EE712B9670}.exe

Filesize
372KB

MD5
0e16d3ace52d47aba83ddbc665a939d3

SHA1
cf7dad1685f060c25b0c46a11748dad7bd424890

SHA256
e953a1b1d2539ed8ec0cbaf15b444776c6bbde8c3e8a1ba1930f71706d00be32

SHA512
c61bfe7cf2000250b96d108842ed39b9ea322c438012139bbb79088f3dc5314c300cfc4c710e573b8a4982e1331263bb9f51c4a4cec937402cfd03f525869c7a

Download Submit
C:\Windows\{B2D28194-E00F-4cb2-B8CB-4E008AE47908}.exe

Filesize
372KB

MD5
d35df9398379026602effd6b2c23e8cc

SHA1
c38c2b100a795d3787a6be9ba93b8d00da18ea51

SHA256
99d04336a6f6bb5fa78a3a55b1e3650d979eb0bcc451bf7addb82e374ff6d03b

SHA512
c5905958d765f1553be9a7a9194bdce77688f967416af81d2c02538bce5efdf43a69b934c5815250881f45e347c8abdc2ec427195778f271fb0d344a257f6837

Download Submit
C:\Windows\{D94C5501-C3B6-4e29-A6F1-657BDACF416F}.exe

Filesize
372KB

MD5
966d66d2a1c64997bfa618d4a6d7f57a

SHA1
ff3fa87bdbe98be79608d352d9428058e3a0a46a

SHA256
4c91fad1fc8d1b59b50b353cdc3a4f3db0f32d37554d2d5ea30cae44fab3665f

SHA512
60b40f3af10125eb95f89f22b045b417d21b670fc14b16ad89fd1b5be0091a57f370f8d2f456d47a7c5534052e3a2ef340a7a9f8b933adef4788762e5db91ebb

Download Submit
C:\Windows\{E66A6B5E-C150-45fb-8132-E825FE10C24E}.exe

Filesize
372KB

MD5
b45c90060f66d5e9c38d12d7a4119f0f

SHA1
943f2607589dcbbf36a231ae203400922adbd349

SHA256
5170bef551b268a28f6529dfb2b568527bc958432c913f3647a07d4100c0699d

SHA512
4d601875f15e1f07bbd95421adabb7b207a61be5e190d587f41bd37bf8e7fae69089564db9de182e3923fb26b15deb7de363d3074589c35c7ebd3bb696693442

Download Submit
C:\Windows\{E7800535-8403-4386-9DA7-044EE76F49AA}.exe

Filesize
372KB

MD5
a3f02a65f66fc4bf1698662de8305e0d

SHA1
f4b9bda562659566c1a2c6103dea7444a2f605ae

SHA256
93b963de6862d51786df50e3301a18fc2a1e12036c1fb6647644746b52b1c565

SHA512
cf00dcf8cf1543ef7889e8b8c1c66faab522b6d9ba614a347d04ff2f7e81755defca3587e4ebc00f161b36262307b7fb1b9617fe0aafdc425c6af53994be2281

Download Submit
C:\Windows\{FFCD2A85-CA2A-4baf-B8F1-B7C15B4FE474}.exe

Filesize
372KB

MD5
85b9b5532c0aef675306e7b7b521b955

SHA1
315d3c4ea80dff9fa978a5a181c8f819455266cd

SHA256
0ce97554dc0c342e10404dbfaf3d5d35436508c5e30072a7dbae64fe134dabeb

SHA512
f09dd962eb38527bdb83f730b15ea448bf516117667861bade85ef19133712849eec9d1141a399c3875748a312a27a6e30f82143e4d1d11ab8f7644090b3d466

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads