eadc633d0be3cf7c9fbac3923d31603e071e0e10c2178ce1eb327135cde4e2ca

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Size

408KB
MD5

7b409cd90f9134447bbc426fbf21a3b1
SHA1

967f2aecfee3e18a9610c6b87694f823fb341456
SHA256

eadc633d0be3cf7c9fbac3923d31603e071e0e10c2178ce1eb327135cde4e2ca
SHA512

d216b325d8dfcbbee1f701fe1bae3fccad8cafc3dd8cda8f60b3bc13d60a9a61f0003bc9343dc8d2e3eb398c53576ca3ca730c832774f983598a31df79629d05
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001228a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00360000000132f2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001228a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000013362-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001228a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001228a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001228a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F476774-8146-461d-8B98-82182735B684}\stubpath = "C:\\Windows\\{7F476774-8146-461d-8B98-82182735B684}.exe"	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D990A044-3876-420c-94D0-87F54E164403}\stubpath = "C:\\Windows\\{D990A044-3876-420c-94D0-87F54E164403}.exe"	{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C075DC-5C56-4a5e-B03C-757BC24A2954}	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C075DC-5C56-4a5e-B03C-757BC24A2954}\stubpath = "C:\\Windows\\{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe"	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}\stubpath = "C:\\Windows\\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe"	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ECACE83-D6B8-49f2-A035-8750EB012856}	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ECACE83-D6B8-49f2-A035-8750EB012856}\stubpath = "C:\\Windows\\{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe"	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}\stubpath = "C:\\Windows\\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe"	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF74358-9956-4255-89B2-9F399FF49FEE}\stubpath = "C:\\Windows\\{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe"	{7F476774-8146-461d-8B98-82182735B684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0808B603-D1E9-4bc0-946E-F962379CA0AC}\stubpath = "C:\\Windows\\{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe"	{D990A044-3876-420c-94D0-87F54E164403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF74358-9956-4255-89B2-9F399FF49FEE}	{7F476774-8146-461d-8B98-82182735B684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D990A044-3876-420c-94D0-87F54E164403}	{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F476774-8146-461d-8B98-82182735B684}	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0808B603-D1E9-4bc0-946E-F962379CA0AC}	{D990A044-3876-420c-94D0-87F54E164403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{389A5660-35C4-4d19-800A-34929A93CFD0}	{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}\stubpath = "C:\\Windows\\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe"	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}\stubpath = "C:\\Windows\\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe"	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{389A5660-35C4-4d19-800A-34929A93CFD0}\stubpath = "C:\\Windows\\{389A5660-35C4-4d19-800A-34929A93CFD0}.exe"	{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe

Executes dropped EXE 11 IoCs

pid	Process
2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe
2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
1572	{7F476774-8146-461d-8B98-82182735B684}.exe
2492	{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
2068	{D990A044-3876-420c-94D0-87F54E164403}.exe
2940	{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe
1028	{389A5660-35C4-4d19-800A-34929A93CFD0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
File created	C:\Windows\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
File created	C:\Windows\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
File created	C:\Windows\{D990A044-3876-420c-94D0-87F54E164403}.exe	{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
File created	C:\Windows\{389A5660-35C4-4d19-800A-34929A93CFD0}.exe	{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe
File created	C:\Windows\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
File created	C:\Windows\{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
File created	C:\Windows\{7F476774-8146-461d-8B98-82182735B684}.exe	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
File created	C:\Windows\{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe	{7F476774-8146-461d-8B98-82182735B684}.exe
File created	C:\Windows\{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe	{D990A044-3876-420c-94D0-87F54E164403}.exe
File created	C:\Windows\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe
Token: SeIncBasePriorityPrivilege	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
Token: SeIncBasePriorityPrivilege	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
Token: SeIncBasePriorityPrivilege	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
Token: SeIncBasePriorityPrivilege	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
Token: SeIncBasePriorityPrivilege	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
Token: SeIncBasePriorityPrivilege	1572	{7F476774-8146-461d-8B98-82182735B684}.exe
Token: SeIncBasePriorityPrivilege	2492	{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
Token: SeIncBasePriorityPrivilege	2068	{D990A044-3876-420c-94D0-87F54E164403}.exe
Token: SeIncBasePriorityPrivilege	2940	{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2228	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	28
PID 2424 wrote to memory of 2228	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	28
PID 2424 wrote to memory of 2228	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	28
PID 2424 wrote to memory of 2228	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	28
PID 2424 wrote to memory of 2244	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	29
PID 2424 wrote to memory of 2244	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	29
PID 2424 wrote to memory of 2244	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	29
PID 2424 wrote to memory of 2244	2424	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	29
PID 2228 wrote to memory of 2672	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	30
PID 2228 wrote to memory of 2672	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	30
PID 2228 wrote to memory of 2672	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	30
PID 2228 wrote to memory of 2672	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	30
PID 2228 wrote to memory of 2644	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	31
PID 2228 wrote to memory of 2644	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	31
PID 2228 wrote to memory of 2644	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	31
PID 2228 wrote to memory of 2644	2228	{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe	31
PID 2672 wrote to memory of 2800	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	32
PID 2672 wrote to memory of 2800	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	32
PID 2672 wrote to memory of 2800	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	32
PID 2672 wrote to memory of 2800	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	32
PID 2672 wrote to memory of 2748	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	33
PID 2672 wrote to memory of 2748	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	33
PID 2672 wrote to memory of 2748	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	33
PID 2672 wrote to memory of 2748	2672	{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe	33
PID 2800 wrote to memory of 2340	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	36
PID 2800 wrote to memory of 2340	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	36
PID 2800 wrote to memory of 2340	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	36
PID 2800 wrote to memory of 2340	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	36
PID 2800 wrote to memory of 1840	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	37
PID 2800 wrote to memory of 1840	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	37
PID 2800 wrote to memory of 1840	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	37
PID 2800 wrote to memory of 1840	2800	{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe	37
PID 2340 wrote to memory of 2752	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	38
PID 2340 wrote to memory of 2752	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	38
PID 2340 wrote to memory of 2752	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	38
PID 2340 wrote to memory of 2752	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	38
PID 2340 wrote to memory of 2620	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	39
PID 2340 wrote to memory of 2620	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	39
PID 2340 wrote to memory of 2620	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	39
PID 2340 wrote to memory of 2620	2340	{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe	39
PID 2752 wrote to memory of 1524	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	40
PID 2752 wrote to memory of 1524	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	40
PID 2752 wrote to memory of 1524	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	40
PID 2752 wrote to memory of 1524	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	40
PID 2752 wrote to memory of 316	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	41
PID 2752 wrote to memory of 316	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	41
PID 2752 wrote to memory of 316	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	41
PID 2752 wrote to memory of 316	2752	{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe	41
PID 1524 wrote to memory of 1572	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	42
PID 1524 wrote to memory of 1572	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	42
PID 1524 wrote to memory of 1572	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	42
PID 1524 wrote to memory of 1572	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	42
PID 1524 wrote to memory of 1604	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	43
PID 1524 wrote to memory of 1604	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	43
PID 1524 wrote to memory of 1604	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	43
PID 1524 wrote to memory of 1604	1524	{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe	43
PID 1572 wrote to memory of 2492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	44
PID 1572 wrote to memory of 2492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	44
PID 1572 wrote to memory of 2492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	44
PID 1572 wrote to memory of 2492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	44
PID 1572 wrote to memory of 1492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	45
PID 1572 wrote to memory of 1492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	45
PID 1572 wrote to memory of 1492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	45
PID 1572 wrote to memory of 1492	1572	{7F476774-8146-461d-8B98-82182735B684}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe
  C:\Windows\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
    C:\Windows\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
      C:\Windows\{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
        
        C:\Windows\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
        
        C:\Windows\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
        
        C:\Windows\{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{7F476774-8146-461d-8B98-82182735B684}.exe
        
        C:\Windows\{7F476774-8146-461d-8B98-82182735B684}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
        
        C:\Windows\{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{D990A044-3876-420c-94D0-87F54E164403}.exe
        
        C:\Windows\{D990A044-3876-420c-94D0-87F54E164403}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe
        
        C:\Windows\{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{389A5660-35C4-4d19-800A-34929A93CFD0}.exe
        
        C:\Windows\{389A5660-35C4-4d19-800A-34929A93CFD0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0808B~1.EXE > nul
        12⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D990A~1.EXE > nul
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF74~1.EXE > nul
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F476~1.EXE > nul
        9⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ECAC~1.EXE > nul
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C613~1.EXE > nul
        7⤵
        
        PID:316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABA15~1.EXE > nul
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C07~1.EXE > nul
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F61D~1.EXE > nul
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8FF24~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0808B603-D1E9-4bc0-946E-F962379CA0AC}.exe

Filesize
408KB

MD5
c3f03c382378b8b864e0746cd08e1c88

SHA1
854a15a63055e8281e686f8d2c52be5d53a8ba06

SHA256
8f2acda824d4722b85f0b86701b40bd4280b3b6b449634a3939d6df8803f921f

SHA512
876e118b6d7e02734fb209d86405b026f36d96f9114828cc4178a26c10314398667772862f15332f8bb2ee68e47ad11f1d96777efe0eeab723a7350035dcba1c

Download Submit
C:\Windows\{389A5660-35C4-4d19-800A-34929A93CFD0}.exe

Filesize
408KB

MD5
9848ea91e733e1fe881e553ffcc4a282

SHA1
049426af534f67086786b4499d51f386e0ccb4aa

SHA256
7c72327f902c00753e08b92c06c56ab54362ece6eba3849a41cb92fb1a8e9a94

SHA512
515a850dfae1ff127361e4387a46db963344820860c3ff600af0ee529c5277c688c094d889e854f8948e6539f7a28ecf2a1234c1c8e9710cd5c2b5731ec854a9

Download Submit
C:\Windows\{5C613070-5854-4fbc-9B05-62FCB5BB82F7}.exe

Filesize
408KB

MD5
d8bf70c7f7612f28d397cdcfc207bc1c

SHA1
dee082e60bf387585db40618acc215cae265c772

SHA256
91d496956351dff1d484bcd3e722a90a8d7ab6eec27e976ac942d38fa6726fd6

SHA512
f11e40d57b92ab15219011842bb4b53ba9e4cd8932e5cb5713b187eb801b1ca8a98dfa32b6686d3d24718e3d582766f7ee3e440e94d7d47414af945c641f14f8

Download Submit
C:\Windows\{6ECACE83-D6B8-49f2-A035-8750EB012856}.exe

Filesize
408KB

MD5
19f7d94b404573bad0006fcae4427544

SHA1
c6034239221eb10f0f7fb464f0770d7f666d6786

SHA256
6ff36d69869172e1ba4c40d510353ed6c21b5b0230a8a896404c871a8ec30b5b

SHA512
922ffada249019d6b2f824c0c27ee944034387840440b15f674855a7f12c4cc9a29c3012e7fa22858c4035e69813aa3e6eb8e9b0fb23a17d83e00381356f332e

Download Submit
C:\Windows\{7F476774-8146-461d-8B98-82182735B684}.exe

Filesize
408KB

MD5
fcc38049eb91d0f9f2e13c1b7823f890

SHA1
1a5d216c48fef16110da7ba123e30d34cc00984d

SHA256
9443aba370187407d21ec84b9ce9f26938e653c24123261ffaaa96c79d0fce40

SHA512
f050a01b97c4a207b8ea5829fe7ebbd6cfbce797d58c19981f2a06c85a94bb117d23ff8f61e46b6c1ed1626d0d3c08d90e92278916492a71002205ea1e638c3f

Download Submit
C:\Windows\{7F61D5A2-B691-463c-BFA1-0F8AD48AEF7D}.exe

Filesize
408KB

MD5
b981b912385dd5cbaaaf551309daf986

SHA1
ed1679c5d9f5c3ab0513bc7a3e9176440a9a5640

SHA256
7dec228ffafdc01f6ded03610eb5a87933c3a9a17f5992855649930b668e890c

SHA512
a805a938c3b0c67967c6022a07777d291b73eb24bc4e9348988de1696702ee6545db50aa7dc2fa91a5ab3fdf135a5f6d0c6b6f6e8e3d6e9302da75b3e9b4942b

Download Submit
C:\Windows\{80C075DC-5C56-4a5e-B03C-757BC24A2954}.exe

Filesize
408KB

MD5
36e0cf702abec77f5a43c5bcc1891e5c

SHA1
82c0c9e15718c24c29d093b00367e74e025ddbdf

SHA256
5cf6540d6d5269f354193cde0ca02c4ec4379bf48bf0c290fd011ae995b04e59

SHA512
d23d07a8b8d48033e75e923f54c9ea4e55e8d8272e8ea1b7762150dfba45684ce96b1754e322d3d9c8d5a29ef6a1aed85e94a9ddf3bb519bd86638a6da5e31c5

Download Submit
C:\Windows\{8FF24E2E-B5B8-48ba-A17F-D4C36E1C5C26}.exe

Filesize
408KB

MD5
b3178c0e89ec23930684b0b1931e5f7d

SHA1
c2e506f6dfc65e2d91f1b13b281a9252c1602b1f

SHA256
b0cabcf60b903133d79f76e0734f4652076ec607b2f8e59e66b27aed81c1ac7d

SHA512
4518f7af996410847b87a46ab5820395cbfae24f8572ea4650f6c9271f95fcb9de6645e43781a114e1729c7a8025045c5d9fe793e8ae28873b5c2b94dca70729

Download Submit
C:\Windows\{ABA15D8F-A4F9-437c-8DBF-1849E81C155B}.exe

Filesize
408KB

MD5
c879588617ed530377a7281c7eede240

SHA1
4a694f4ffd38b06aec4fa03d65e4b33a1306ad59

SHA256
6b6c0add9fe156ef505597a665fc698af29c6d66da909fafab0c0c176334d43b

SHA512
8fe43495d6c4749fb5af3e798ca2d1906c0b2ca7580d6aa3d6018faf4cc634d2adba8a46e8c84f83cd7271747a3d5541ada03b1d411c9f8ca1b2853be6bdb839

Download Submit
C:\Windows\{AFF74358-9956-4255-89B2-9F399FF49FEE}.exe

Filesize
408KB

MD5
33997f9a3d6e4af7cf2f4f56e416b799

SHA1
96103130326afc74574e464ca5621645e5912a20

SHA256
39dd5d96cbf84e19c25040349a434b2c94fa8aeaaaf33667676a3d440249a142

SHA512
ac3a23728bee5e8ff66fa5a663c27a978ac1e239b73625d973b85e6931bb01e474d0fcf8285c9e74da1f3b029909b9fb01bc35af325471f24a732bdfa3b66b03

Download Submit
C:\Windows\{D990A044-3876-420c-94D0-87F54E164403}.exe

Filesize
408KB

MD5
42335fcee049ac59fb147c5336744243

SHA1
057c02e103e775d47e55e8d5664f8c1fd61a4926

SHA256
d8007453747a2277ac0e7315949e51339443bcda4811294c60db8d8a298db59e

SHA512
3e103f482e5ac6a761da00871cf462dbe82dc0510bdd1445e787a0d92c773dec187873ea0accf4350542f8b5f9b258ea3516b55c341c9d237b2c563f3045b744

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads