f435e83ba5ff1e7a2e6123a63d2f0a3d6c1085cc52ce5726aa14155db3c2f74d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe
Size

408KB
MD5

98f2ce5acc537440bfbfdfd87b65382c
SHA1

0496ae4319dd68ad57b1fb4abb649abff512ed9d
SHA256

f435e83ba5ff1e7a2e6123a63d2f0a3d6c1085cc52ce5726aa14155db3c2f74d
SHA512

dd6d1e9eb282870d8c262ff5bc49e02f966f4a20aea0aede4c2646b1d0a35c6822e0946b2f0785299f4df407179dfc06d64477d1f15c621b57201a890ab8fc89
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGFldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023271-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023275-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023284-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000227ea-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023284-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000227ea-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023284-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000227ea-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023284-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d06-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}\stubpath = "C:\\Windows\\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe"	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08109544-16E6-45a1-81EF-6334E0C9E619}	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08109544-16E6-45a1-81EF-6334E0C9E619}\stubpath = "C:\\Windows\\{08109544-16E6-45a1-81EF-6334E0C9E619}.exe"	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}\stubpath = "C:\\Windows\\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe"	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A417468E-E144-4fb8-824E-FEC5ACB782EC}\stubpath = "C:\\Windows\\{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe"	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E363B50A-3019-4bad-BDB1-CCA052496D16}	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A709B7-1C59-46e2-BF4B-0C4276471E78}	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5A93E3-DC42-40d7-A856-34007917C134}\stubpath = "C:\\Windows\\{1F5A93E3-DC42-40d7-A856-34007917C134}.exe"	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3400D62C-6856-467e-B83F-C9B5D545029B}\stubpath = "C:\\Windows\\{3400D62C-6856-467e-B83F-C9B5D545029B}.exe"	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A417468E-E144-4fb8-824E-FEC5ACB782EC}	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5A93E3-DC42-40d7-A856-34007917C134}	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}\stubpath = "C:\\Windows\\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe"	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}\stubpath = "C:\\Windows\\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe"	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E363B50A-3019-4bad-BDB1-CCA052496D16}\stubpath = "C:\\Windows\\{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe"	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8AD614-2597-4054-9268-0BB20DD5E416}	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8AD614-2597-4054-9268-0BB20DD5E416}\stubpath = "C:\\Windows\\{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe"	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A709B7-1C59-46e2-BF4B-0C4276471E78}\stubpath = "C:\\Windows\\{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe"	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3400D62C-6856-467e-B83F-C9B5D545029B}	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe

Executes dropped EXE 11 IoCs

pid	Process
732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe
556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
1160	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe
4516	{3400D62C-6856-467e-B83F-C9B5D545029B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
File created	C:\Windows\{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
File created	C:\Windows\{1F5A93E3-DC42-40d7-A856-34007917C134}.exe	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
File created	C:\Windows\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe
File created	C:\Windows\{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
File created	C:\Windows\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
File created	C:\Windows\{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
File created	C:\Windows\{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
File created	C:\Windows\{3400D62C-6856-467e-B83F-C9B5D545029B}.exe	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe
File created	C:\Windows\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
File created	C:\Windows\{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
Token: SeIncBasePriorityPrivilege	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe
Token: SeIncBasePriorityPrivilege	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
Token: SeIncBasePriorityPrivilege	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
Token: SeIncBasePriorityPrivilege	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
Token: SeIncBasePriorityPrivilege	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
Token: SeIncBasePriorityPrivilege	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
Token: SeIncBasePriorityPrivilege	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
Token: SeIncBasePriorityPrivilege	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
Token: SeIncBasePriorityPrivilege	1160	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 732	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe	98
PID 4460 wrote to memory of 732	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe	98
PID 4460 wrote to memory of 732	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe	98
PID 4460 wrote to memory of 2428	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe	99
PID 4460 wrote to memory of 2428	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe	99
PID 4460 wrote to memory of 2428	4460	2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe	99
PID 732 wrote to memory of 3696	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	105
PID 732 wrote to memory of 3696	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	105
PID 732 wrote to memory of 3696	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	105
PID 732 wrote to memory of 4884	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	106
PID 732 wrote to memory of 4884	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	106
PID 732 wrote to memory of 4884	732	{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe	106
PID 3696 wrote to memory of 556	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	110
PID 3696 wrote to memory of 556	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	110
PID 3696 wrote to memory of 556	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	110
PID 3696 wrote to memory of 5044	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	111
PID 3696 wrote to memory of 5044	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	111
PID 3696 wrote to memory of 5044	3696	{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe	111
PID 556 wrote to memory of 4240	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	114
PID 556 wrote to memory of 4240	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	114
PID 556 wrote to memory of 4240	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	114
PID 556 wrote to memory of 1084	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	115
PID 556 wrote to memory of 1084	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	115
PID 556 wrote to memory of 1084	556	{08109544-16E6-45a1-81EF-6334E0C9E619}.exe	115
PID 4240 wrote to memory of 1616	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	116
PID 4240 wrote to memory of 1616	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	116
PID 4240 wrote to memory of 1616	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	116
PID 4240 wrote to memory of 1680	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	117
PID 4240 wrote to memory of 1680	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	117
PID 4240 wrote to memory of 1680	4240	{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe	117
PID 1616 wrote to memory of 4108	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	118
PID 1616 wrote to memory of 4108	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	118
PID 1616 wrote to memory of 4108	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	118
PID 1616 wrote to memory of 2196	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	119
PID 1616 wrote to memory of 2196	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	119
PID 1616 wrote to memory of 2196	1616	{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe	119
PID 4108 wrote to memory of 1612	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	121
PID 4108 wrote to memory of 1612	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	121
PID 4108 wrote to memory of 1612	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	121
PID 4108 wrote to memory of 1456	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	122
PID 4108 wrote to memory of 1456	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	122
PID 4108 wrote to memory of 1456	4108	{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe	122
PID 1612 wrote to memory of 540	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	123
PID 1612 wrote to memory of 540	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	123
PID 1612 wrote to memory of 540	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	123
PID 1612 wrote to memory of 2184	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	124
PID 1612 wrote to memory of 2184	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	124
PID 1612 wrote to memory of 2184	1612	{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe	124
PID 540 wrote to memory of 2544	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	125
PID 540 wrote to memory of 2544	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	125
PID 540 wrote to memory of 2544	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	125
PID 540 wrote to memory of 2152	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	126
PID 540 wrote to memory of 2152	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	126
PID 540 wrote to memory of 2152	540	{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe	126
PID 2544 wrote to memory of 1160	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	135
PID 2544 wrote to memory of 1160	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	135
PID 2544 wrote to memory of 1160	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	135
PID 2544 wrote to memory of 2916	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	136
PID 2544 wrote to memory of 2916	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	136
PID 2544 wrote to memory of 2916	2544	{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe	136
PID 1160 wrote to memory of 4516	1160	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe	137
PID 1160 wrote to memory of 4516	1160	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe	137
PID 1160 wrote to memory of 4516	1160	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe	137
PID 1160 wrote to memory of 2964	1160	{1F5A93E3-DC42-40d7-A856-34007917C134}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_98f2ce5acc537440bfbfdfd87b65382c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
  C:\Windows\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe
    C:\Windows\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
      C:\Windows\{08109544-16E6-45a1-81EF-6334E0C9E619}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
        
        C:\Windows\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
        
        C:\Windows\{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
        
        C:\Windows\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
        
        C:\Windows\{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
        
        C:\Windows\{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
        
        C:\Windows\{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{1F5A93E3-DC42-40d7-A856-34007917C134}.exe
        
        C:\Windows\{1F5A93E3-DC42-40d7-A856-34007917C134}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\{3400D62C-6856-467e-B83F-C9B5D545029B}.exe
        
        C:\Windows\{3400D62C-6856-467e-B83F-C9B5D545029B}.exe
        12⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F5A9~1.EXE > nul
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63A70~1.EXE > nul
        11⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D8AD~1.EXE > nul
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E363B~1.EXE > nul
        9⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC15~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4174~1.EXE > nul
        7⤵
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F6D~1.EXE > nul
        6⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08109~1.EXE > nul
        5⤵
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D4BFE~1.EXE > nul
      4⤵
      PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BB714~1.EXE > nul
    3⤵
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08109544-16E6-45a1-81EF-6334E0C9E619}.exe

Filesize
408KB

MD5
dddd70f942ae9418eef88eb0ad97a823

SHA1
4fbc933be66f69dcd236b7caa392c751e0ad1731

SHA256
cb421f2c01e90df11d9add4f783f29fa3cf69fa55d116a1809ab9577403b6b73

SHA512
39578ef2ff2bf185d7c2b4c1ad6961039361963911172588ded1a3c1da4352b8efb6569981132d5bcf60668eb8bc4311ac2f07d17c1b726d0183acff565b59e5

Download Submit
C:\Windows\{1EC1560C-E1CF-473d-ABFC-1B31588C26BE}.exe

Filesize
408KB

MD5
dcdf641b49f2b7afa9e2c3483436a0f4

SHA1
840752c13b0e7e2037fb238291d52c96be1cf453

SHA256
616ecec4106426b1a4d40a0f44f3f0245ce5ac8a3f7312d59e1d9c1e5ab3330e

SHA512
6b64d14f02ad9635fa5401d69bc034420fc0d7e378f73b934df0e048559db8012be2ab421e0e1fcba64d1764436eb66253d023a3f31824f5bfcf20116ff197ee

Download Submit
C:\Windows\{1F5A93E3-DC42-40d7-A856-34007917C134}.exe

Filesize
408KB

MD5
cb16afee3aa9be95753ba0c60efc6cae

SHA1
252bd270af3a55f83c93942bb99cf91513dff8a6

SHA256
bbb9a2734b11a8f82dd8f6ace5b7191c664b7c600e5a38f3bacb5a41eb440c80

SHA512
96297f66b499b204dd2932398ff0a5f131a03441570d3736c47850b7cda77a4e324271839f9cc0845cbf85cd3e4430575e32812d08f5cd1c0f9333e9b80c1bfa

Download Submit
C:\Windows\{3400D62C-6856-467e-B83F-C9B5D545029B}.exe

Filesize
408KB

MD5
305dec202aad54a443a7b4e58a1ae81f

SHA1
e58421220a37b722af85f30050f2a4381d8b8322

SHA256
e46f10942036081e799becd8a87ffb33e31cbe83df35d5cacb0985ca48891d77

SHA512
9db4831fffb9a10af5683d07643e2b226317c5af9e60e157dbc27d97a78271562e607150f752e1c4afd8f5a2247596839f934ed032b2deb7d3bbdceb309787b1

Download Submit
C:\Windows\{63A709B7-1C59-46e2-BF4B-0C4276471E78}.exe

Filesize
408KB

MD5
04e926fadf240cebb54f39efdfa26315

SHA1
fc9bc25a498eca33dc732a3987ff88993ddb1fca

SHA256
bc8fa0ce0c32699d245b8fdf6454f65511e67e939c6b99d06cf06da5d19bf6fb

SHA512
6b235cc92d829d7a12dae1a28499b936daae48b2f6d09e57f7970761f9143aef8e9b489a47b2e0a9d07de2f6931c75b5942c5b17888962bf3f976ccc6f58e36c

Download Submit
C:\Windows\{7D8AD614-2597-4054-9268-0BB20DD5E416}.exe

Filesize
408KB

MD5
6075493cd9daa8619e596c82a0cfdcf6

SHA1
78ee5468c4f341005c8b647c466ac6da34b807ff

SHA256
b624f6c337337103971f51b897e024d1bc5fba77bf8e0b49609bee21fb234102

SHA512
ba995c6ccfe41e21ab3d67154d0ddd4cddc57d63800e7440686b9eab7ffd8b14da309f36543381ffd71592395edf4015af74e9b89db922074a81016b8e90c1cf

Download Submit
C:\Windows\{A417468E-E144-4fb8-824E-FEC5ACB782EC}.exe

Filesize
408KB

MD5
e809162ccbb49d32a52910813d710d32

SHA1
f91382fc91e5fa307181baebc9586afde515a1b7

SHA256
685ed317d77c551edbf6292d1780746b94b1d5e197ad1b1026c94f5fa1fccf79

SHA512
4857794ba350c4dbb22077622ba8e8346f9e4caf44047745e7a491c8992456721779a556d570c756d11489a032879a4f8c31abf5817137950bb2cb315d960a51

Download Submit
C:\Windows\{BB71468B-D2DA-4a87-AAC8-D6DF4DA063E5}.exe

Filesize
408KB

MD5
278b5cc15a21e1b00e0e04093cbf2183

SHA1
a9ae0b15d6881252225b3bcbd932aa24f55b1500

SHA256
accc2f5f2a760044c82f5df3f3a8db98180f39ae7680bcb216b2caf7b7b8c87f

SHA512
618c0e196eeba088b418575b2f575278687dd1ec53fa9bd520fc7f67c07ea544b2d8cf0281a4040fef7e079baf6e637791cde7052f021745777f1bd3e4979de2

Download Submit
C:\Windows\{D4BFE84F-F2F2-4805-A2BC-206B7AF34D6D}.exe

Filesize
408KB

MD5
f769ff8d8726db38a0c3dc4a96202de2

SHA1
fb35ef7d2e8b4e89fcdc3a31fd112e54640f06f4

SHA256
1c6bf8a67546a961d6ad84f920a320dc021c3f54fa0f5bb4f8e4a7a14aeb4b0c

SHA512
f04993c085c95c3776f41268585e646297e6a81bfff935ef7927a7afe28b94d79b856dee1343b25a63ed435c390b3c0e0ac56d8e5d7175f7b49b5b51fe84bac8

Download Submit
C:\Windows\{E1F6DD92-EEF2-4d79-B040-1C76ECC3885D}.exe

Filesize
408KB

MD5
3713b759be1510a71d1fdec8ae832ac8

SHA1
ebceab22843946d9f2e5d9a8e3323679419eba6a

SHA256
0a23c2a68874341c6cc7fe77c0e4eb2d78cf946dd85315f160b3a5ac91dac1ea

SHA512
c9012785707d2f22531c1dfda06a0d7fc61dda855b5c12ca1f1339d178128a5021ea4726629ccf5b2577bbd333d609e577b2dcdbc3ed6c40bc9bccffbe869ef0

Download Submit
C:\Windows\{E363B50A-3019-4bad-BDB1-CCA052496D16}.exe

Filesize
408KB

MD5
e70904f830c6955a7883dc686628eb9e

SHA1
9a0bcf9b3bb9d0a6b3cb8939266425d96cec8d77

SHA256
c07cbef045b36eb1929791d171e582877bad387fda050086004e4436d7d415b5

SHA512
514e81d445b1b38d3b9c44972037e41854a4514c149e4cb4c5fb7bf86a3bbb05793a73937e2a19919b467cbda36309d6a483a3b27ccf46e90feb64de0946acad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads