b12da6c471f9329549cd8028c28d640612851f53a2c4d32933ca83f51f4f9af5

Analysis

max time kernel
163s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
Size

204KB
MD5

6adeb49cc9028284eda20e999a3f3ee3
SHA1

637286c68a0e0e6431451901b6a6ec657e1c4d66
SHA256

b12da6c471f9329549cd8028c28d640612851f53a2c4d32933ca83f51f4f9af5
SHA512

dab9406a1533b02c58c1ec2ec710320393c698048d2c9eb416c54cc9c599fb732589752e71d5592c199b437b34f711e83b3b61840f51a68b732fa839d0db044a
SSDEEP

1536:1EGh0oJl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oJl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000700000002335d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002336c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002336d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016851-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002336d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002337a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023382-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023472-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023382-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002348c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e2cf-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}\stubpath = "C:\\Windows\\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}.exe"	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DB29665-4AE4-4661-A475-5DCA73EF782E}\stubpath = "C:\\Windows\\{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe"	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51896278-2306-4b83-88D7-921ABA6324BB}	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}\stubpath = "C:\\Windows\\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe"	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10F7C68-0F96-4818-8E9F-9A89C7850519}	{51896278-2306-4b83-88D7-921ABA6324BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417A21D1-E110-4d5c-8C40-463F3000D2AB}	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417A21D1-E110-4d5c-8C40-463F3000D2AB}\stubpath = "C:\\Windows\\{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe"	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}	{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}\stubpath = "C:\\Windows\\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe"	{49239989-1D64-4280-B13D-0D1597C9575C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF91042-660C-463c-89C7-DE20500E4B52}\stubpath = "C:\\Windows\\{4BF91042-660C-463c-89C7-DE20500E4B52}.exe"	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DB29665-4AE4-4661-A475-5DCA73EF782E}	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF91042-660C-463c-89C7-DE20500E4B52}	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}\stubpath = "C:\\Windows\\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe"	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51896278-2306-4b83-88D7-921ABA6324BB}\stubpath = "C:\\Windows\\{51896278-2306-4b83-88D7-921ABA6324BB}.exe"	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10F7C68-0F96-4818-8E9F-9A89C7850519}\stubpath = "C:\\Windows\\{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe"	{51896278-2306-4b83-88D7-921ABA6324BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49239989-1D64-4280-B13D-0D1597C9575C}	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49239989-1D64-4280-B13D-0D1597C9575C}\stubpath = "C:\\Windows\\{49239989-1D64-4280-B13D-0D1597C9575C}.exe"	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}	{49239989-1D64-4280-B13D-0D1597C9575C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}\stubpath = "C:\\Windows\\{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe"	{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}\stubpath = "C:\\Windows\\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe"	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe

Executes dropped EXE 11 IoCs

pid	Process
3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe
2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe
3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe
3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
1536	{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe
3828	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe
4472	{932EE4E2-4BEB-4d49-8962-02B68DF5606B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	{49239989-1D64-4280-B13D-0D1597C9575C}.exe
File created	C:\Windows\{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
File created	C:\Windows\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
File created	C:\Windows\{51896278-2306-4b83-88D7-921ABA6324BB}.exe	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
File created	C:\Windows\{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
File created	C:\Windows\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe
File created	C:\Windows\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}.exe	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe
File created	C:\Windows\{49239989-1D64-4280-B13D-0D1597C9575C}.exe	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
File created	C:\Windows\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
File created	C:\Windows\{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	{51896278-2306-4b83-88D7-921ABA6324BB}.exe
File created	C:\Windows\{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe
Token: SeIncBasePriorityPrivilege	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe
Token: SeIncBasePriorityPrivilege	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
Token: SeIncBasePriorityPrivilege	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
Token: SeIncBasePriorityPrivilege	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
Token: SeIncBasePriorityPrivilege	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
Token: SeIncBasePriorityPrivilege	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe
Token: SeIncBasePriorityPrivilege	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
Token: SeIncBasePriorityPrivilege	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe
Token: SeIncBasePriorityPrivilege	3828	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3824	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe	101
PID 8 wrote to memory of 3824	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe	101
PID 8 wrote to memory of 3824	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe	101
PID 8 wrote to memory of 676	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe	102
PID 8 wrote to memory of 676	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe	102
PID 8 wrote to memory of 676	8	2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe	102
PID 3824 wrote to memory of 2748	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe	106
PID 3824 wrote to memory of 2748	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe	106
PID 3824 wrote to memory of 2748	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe	106
PID 3824 wrote to memory of 1536	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe	107
PID 3824 wrote to memory of 1536	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe	107
PID 3824 wrote to memory of 1536	3824	{49239989-1D64-4280-B13D-0D1597C9575C}.exe	107
PID 2748 wrote to memory of 3516	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	110
PID 2748 wrote to memory of 3516	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	110
PID 2748 wrote to memory of 3516	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	110
PID 2748 wrote to memory of 1920	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	111
PID 2748 wrote to memory of 1920	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	111
PID 2748 wrote to memory of 1920	2748	{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe	111
PID 3516 wrote to memory of 4400	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	113
PID 3516 wrote to memory of 4400	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	113
PID 3516 wrote to memory of 4400	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	113
PID 3516 wrote to memory of 1480	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	114
PID 3516 wrote to memory of 1480	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	114
PID 3516 wrote to memory of 1480	3516	{4BF91042-660C-463c-89C7-DE20500E4B52}.exe	114
PID 4400 wrote to memory of 896	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	117
PID 4400 wrote to memory of 896	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	117
PID 4400 wrote to memory of 896	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	117
PID 4400 wrote to memory of 3560	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	118
PID 4400 wrote to memory of 3560	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	118
PID 4400 wrote to memory of 3560	4400	{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe	118
PID 896 wrote to memory of 4148	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	119
PID 896 wrote to memory of 4148	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	119
PID 896 wrote to memory of 4148	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	119
PID 896 wrote to memory of 3388	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	120
PID 896 wrote to memory of 3388	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	120
PID 896 wrote to memory of 3388	896	{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe	120
PID 4148 wrote to memory of 1696	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	122
PID 4148 wrote to memory of 1696	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	122
PID 4148 wrote to memory of 1696	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	122
PID 4148 wrote to memory of 4216	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	123
PID 4148 wrote to memory of 4216	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	123
PID 4148 wrote to memory of 4216	4148	{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe	123
PID 1696 wrote to memory of 3664	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe	124
PID 1696 wrote to memory of 3664	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe	124
PID 1696 wrote to memory of 3664	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe	124
PID 1696 wrote to memory of 2708	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe	125
PID 1696 wrote to memory of 2708	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe	125
PID 1696 wrote to memory of 2708	1696	{51896278-2306-4b83-88D7-921ABA6324BB}.exe	125
PID 3664 wrote to memory of 1536	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	126
PID 3664 wrote to memory of 1536	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	126
PID 3664 wrote to memory of 1536	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	126
PID 3664 wrote to memory of 4508	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	127
PID 3664 wrote to memory of 4508	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	127
PID 3664 wrote to memory of 4508	3664	{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe	127
PID 4984 wrote to memory of 3828	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe	134
PID 4984 wrote to memory of 3828	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe	134
PID 4984 wrote to memory of 3828	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe	134
PID 4984 wrote to memory of 740	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe	135
PID 4984 wrote to memory of 740	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe	135
PID 4984 wrote to memory of 740	4984	{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe	135
PID 3828 wrote to memory of 4472	3828	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe	141
PID 3828 wrote to memory of 4472	3828	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe	141
PID 3828 wrote to memory of 4472	3828	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe	141
PID 3828 wrote to memory of 1656	3828	{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe	142

C:\Users\Admin\AppData\Local\Temp\2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\{49239989-1D64-4280-B13D-0D1597C9575C}.exe
  C:\Windows\{49239989-1D64-4280-B13D-0D1597C9575C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe
    C:\Windows\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
      C:\Windows\{4BF91042-660C-463c-89C7-DE20500E4B52}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
        
        C:\Windows\{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
        
        C:\Windows\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
        
        C:\Windows\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\{51896278-2306-4b83-88D7-921ABA6324BB}.exe
        
        C:\Windows\{51896278-2306-4b83-88D7-921ABA6324BB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
        
        C:\Windows\{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe
        
        C:\Windows\{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe
        
        C:\Windows\{A338A45E-8BA6-4f8b-81AB-3C13871C3FAA}.exe
        11⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe
        
        C:\Windows\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}.exe
        
        C:\Windows\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17ABF~1.EXE > nul
        13⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A338A~1.EXE > nul
        12⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{417A2~1.EXE > nul
        11⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E10F7~1.EXE > nul
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51896~1.EXE > nul
        9⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AA43~1.EXE > nul
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B52~1.EXE > nul
        7⤵
        
        PID:3388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DB29~1.EXE > nul
        6⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BF91~1.EXE > nul
        5⤵
        
        PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6BACC~1.EXE > nul
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{49239~1.EXE > nul
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17ABFEC5-4667-41e8-AEE2-E3E9AC609ADA}.exe

Filesize
204KB

MD5
92c381a5d93571842cb4c43fb2a8316a

SHA1
819b773f369d5af8f28fc131139b8e31952ce6ae

SHA256
3dda9b6f16a998efb9ad3c6c690670822d608e74d5d0939278440c31e6d297f5

SHA512
48f515985314a3bbe043c163bbc0eceb335b85886ec6404cad29dbde9ab5f95e33ce492f225cd8dcc1f5e20919c66ddc69bb41528e730f074b86621f3cb5365c

Download Submit
C:\Windows\{2AA4326B-2C09-406c-96E1-A4BA3371EBAF}.exe

Filesize
204KB

MD5
71823aa3558a98c251b799acb6d205e3

SHA1
376119cd92befec3af157b25cbecb60d8aef5796

SHA256
2c0b5a202a7ec8e32fa3ec7b7fcd67ff718b2d2cb37183ba31f7720860c32e73

SHA512
6c1ba4a57d13c54297b3d20f095d09e558d5c2d8f8b3ee21fbe71f36ae9f063985fe22fee0bda55db59088bfe69204aa062c6dbc18f50f1cb0c60785b07158da

Download Submit
C:\Windows\{417A21D1-E110-4d5c-8C40-463F3000D2AB}.exe

Filesize
204KB

MD5
add3a0a3c2f15eae6dfdd197128b0d63

SHA1
11d5dc436b11a472995629ee729cfee21b18e5ed

SHA256
2bdf655003d16c0dfa17b093183f6df5cbd732539b174a0f4e51712a531336c0

SHA512
76637dbef5f583b5d336b3e3490e944bd8b1b5564bbc4a42cb868a4cb0e161f0adac02e43a3fab8fa0fb9ca88e03d97b53e93c2eb0c2194fa2cfd1ee6b32f456

Download Submit
C:\Windows\{49239989-1D64-4280-B13D-0D1597C9575C}.exe

Filesize
204KB

MD5
c530f951a6664dea928bd36c54e89938

SHA1
00da6fedb58049bd5fe6ca2ac8170e020738e8bc

SHA256
b4add6ee2bacc0e4158c22dd9ccc42d1818c13810c30d0d1464bd8a6e0d16be1

SHA512
af7c820580279dd9565d328b208f1a6f3d1d6328a5a8241e1d7aea92df085058ef89bbb17af0fb2d583bb21f5c93403727ef005d394d1cacc9b00c02ce11297d

Download Submit
C:\Windows\{4BF91042-660C-463c-89C7-DE20500E4B52}.exe

Filesize
204KB

MD5
1a13a9b30667f4060904e4241170b69f

SHA1
bfb3b3bc336eba8a47091cc319732b495b6330f8

SHA256
d12e3db77506a68af2339379244a8cb697ec86c923e0b250edb79be29c4190da

SHA512
11596db1ae37daa66dcc324d738750f97acce3341e80bbea9eb83594e5a78c19bda14050dca385bed7bb48376a0d9459c46a77cdb37ca803300b327b7227f1cb

Download Submit
C:\Windows\{51896278-2306-4b83-88D7-921ABA6324BB}.exe

Filesize
204KB

MD5
9f9e351af23167f981f12e2d33bf8af9

SHA1
54cfd6f7c9df4fc4dc68700761a74030fb71ce6e

SHA256
216eac0e6c21c12a4a801a644ba810a5ac23d8083652aeda173513046734f3ca

SHA512
39054e2317c3c5488db4f13a40d45de936c37f678692bf3172095e3d03f55828c83abf5002820106127b759940e0e688a08b2a6e8fa2f6ab1d10746f4e30bf09

Download Submit
C:\Windows\{67B525DB-844C-4725-B36F-D7A0C1AEA69B}.exe

Filesize
204KB

MD5
f048ffc505ead067d21ff0501f6bfd8b

SHA1
acf363d0fe9f23ab9fa778035049b31f38a138d6

SHA256
55e1b0be466f7d708f632a91b2c14a8b4285ffe273d53af51831542ce744e729

SHA512
029a56f28664a9acc24be7c48648111ac60069c224b90cc0fbf56c75125c2265476c235c2f196f3697821d962e2fb70801229ba1f8ffff27d9845d1eba9f7846

Download Submit
C:\Windows\{6BACC35B-8D4A-44eb-8CF2-A0F8751C8DB1}.exe

Filesize
204KB

MD5
64316888a38e21ce8a732f96c1b22613

SHA1
7f77a2e6b2e0359d6206c63a761290c2064cf28c

SHA256
d1896890b206881f535d16f931b3d959193215bd476e00b1fa9619a51610ebc0

SHA512
1131a2a06694105b7dd8e0a1b8b0a320e9c643f18cefade7da29e7ce13b6d683cb78baec4e816b00df073a370eea452473a3463f397b98890641e77ab4c1543d

Download Submit
C:\Windows\{8DB29665-4AE4-4661-A475-5DCA73EF782E}.exe

Filesize
204KB

MD5
4d71fe7d09d1f1d4c5826010fa1082be

SHA1
951b1e2d14080a99eeaf1fab893076c5ccbd26d3

SHA256
88336dd3b41f5f3b8b76b98c683b8888ed7de93d33f14000a2648334926ddf28

SHA512
0751ff13fd7a42ea3747b5611966343ba3a7a8cfb39b1169b9271c6f21188c84f92ebfc32ba6572b035586e05ac013b3b5172b3462e2886a6b3d8bae7fd6f108

Download Submit
C:\Windows\{932EE4E2-4BEB-4d49-8962-02B68DF5606B}.exe

Filesize
204KB

MD5
418e4fa0a8e6e1401b370625b377f386

SHA1
3efcbd3973e2271ddc3c54c6d81b1272214c14d4

SHA256
9ce39f8d3a194ca684464c09e76a1111df33630109a798ed0ce7026b69643228

SHA512
53cd55431888a81c2dfe4e1a6ba28d9a53f969b0dcf769f305defa70d56664860bb739949f9821e0fd8cbf661b0798d21d61080587dc41a6d33683f1fc2886e1

Download Submit
C:\Windows\{E10F7C68-0F96-4818-8E9F-9A89C7850519}.exe

Filesize
204KB

MD5
4f17fc350360c62cbc6de32a1278be60

SHA1
acc3ae357143ae00ceefd79961ad293346d9bc2f

SHA256
08acecfbf3068f6496195ab4379f6cf6c59bc3c3a242931a4d38e4e78c11b0da

SHA512
e9bbb0ff4d0c496b573593e807d18a1d95439961dcdbfd001518ef7e416d16bfaf14d40f14a87ef0509cb1df5eed276d1501d37f8233bbe92c339e07b64a0ec3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads