06d6dbd9f51e44492d0e84fc1d1261282776b2f48edd64cd400b0dbac8946357

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Size

180KB
MD5

53f508ec285ad8189f209fbf347bc9c6
SHA1

4005dd86fba247d163098b792da1dde9a37a91c3
SHA256

06d6dbd9f51e44492d0e84fc1d1261282776b2f48edd64cd400b0dbac8946357
SHA512

ae26e1af1b71247d6aa94a998da77c0a868957bc792809dd0ad3b26d40401fcd3500f03069c01130b83ed699de9a451cd1fa135cf2735b3b3bcb42587a91be8f
SSDEEP

3072:jEGh0oVlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGjl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022ea1-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000227e7-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002326a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000227e7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002326a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000227e7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002326a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d06-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022d06-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}\stubpath = "C:\\Windows\\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe"	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E7F6D0B-D580-4280-907B-DC963C3EF158}	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E7F6D0B-D580-4280-907B-DC963C3EF158}\stubpath = "C:\\Windows\\{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe"	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D815CB-8EF2-43da-B572-82E5EC954468}\stubpath = "C:\\Windows\\{13D815CB-8EF2-43da-B572-82E5EC954468}.exe"	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1766576E-0900-43cc-80BF-8ED2EC60739E}\stubpath = "C:\\Windows\\{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe"	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}\stubpath = "C:\\Windows\\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe"	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}\stubpath = "C:\\Windows\\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe"	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36EF3596-2834-4a38-89AA-19657FE9ED3D}	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D815CB-8EF2-43da-B572-82E5EC954468}	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}\stubpath = "C:\\Windows\\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe"	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}\stubpath = "C:\\Windows\\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe"	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}\stubpath = "C:\\Windows\\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe"	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1766576E-0900-43cc-80BF-8ED2EC60739E}	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36EF3596-2834-4a38-89AA-19657FE9ED3D}\stubpath = "C:\\Windows\\{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe"	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}\stubpath = "C:\\Windows\\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}.exe"	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe

Executes dropped EXE 11 IoCs

pid	Process
1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
3980	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe
1176	{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
File created	C:\Windows\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
File created	C:\Windows\{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
File created	C:\Windows\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
File created	C:\Windows\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
File created	C:\Windows\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
File created	C:\Windows\{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
File created	C:\Windows\{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
File created	C:\Windows\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
File created	C:\Windows\{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
File created	C:\Windows\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}.exe	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
Token: SeIncBasePriorityPrivilege	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
Token: SeIncBasePriorityPrivilege	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
Token: SeIncBasePriorityPrivilege	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
Token: SeIncBasePriorityPrivilege	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
Token: SeIncBasePriorityPrivilege	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
Token: SeIncBasePriorityPrivilege	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
Token: SeIncBasePriorityPrivilege	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
Token: SeIncBasePriorityPrivilege	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
Token: SeIncBasePriorityPrivilege	3980	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 1552	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	105
PID 3616 wrote to memory of 1552	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	105
PID 3616 wrote to memory of 1552	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	105
PID 3616 wrote to memory of 5008	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	106
PID 3616 wrote to memory of 5008	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	106
PID 3616 wrote to memory of 5008	3616	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	106
PID 1552 wrote to memory of 1588	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	110
PID 1552 wrote to memory of 1588	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	110
PID 1552 wrote to memory of 1588	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	110
PID 1552 wrote to memory of 700	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	111
PID 1552 wrote to memory of 700	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	111
PID 1552 wrote to memory of 700	1552	{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe	111
PID 1588 wrote to memory of 4316	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	113
PID 1588 wrote to memory of 4316	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	113
PID 1588 wrote to memory of 4316	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	113
PID 1588 wrote to memory of 5032	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	114
PID 1588 wrote to memory of 5032	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	114
PID 1588 wrote to memory of 5032	1588	{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe	114
PID 4316 wrote to memory of 4996	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	116
PID 4316 wrote to memory of 4996	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	116
PID 4316 wrote to memory of 4996	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	116
PID 4316 wrote to memory of 1016	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	117
PID 4316 wrote to memory of 1016	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	117
PID 4316 wrote to memory of 1016	4316	{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe	117
PID 4996 wrote to memory of 4736	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	118
PID 4996 wrote to memory of 4736	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	118
PID 4996 wrote to memory of 4736	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	118
PID 4996 wrote to memory of 984	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	119
PID 4996 wrote to memory of 984	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	119
PID 4996 wrote to memory of 984	4996	{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe	119
PID 4736 wrote to memory of 2112	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	121
PID 4736 wrote to memory of 2112	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	121
PID 4736 wrote to memory of 2112	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	121
PID 4736 wrote to memory of 3112	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	122
PID 4736 wrote to memory of 3112	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	122
PID 4736 wrote to memory of 3112	4736	{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe	122
PID 2112 wrote to memory of 2444	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	123
PID 2112 wrote to memory of 2444	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	123
PID 2112 wrote to memory of 2444	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	123
PID 2112 wrote to memory of 796	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	124
PID 2112 wrote to memory of 796	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	124
PID 2112 wrote to memory of 796	2112	{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe	124
PID 2444 wrote to memory of 2100	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	125
PID 2444 wrote to memory of 2100	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	125
PID 2444 wrote to memory of 2100	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	125
PID 2444 wrote to memory of 4804	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	126
PID 2444 wrote to memory of 4804	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	126
PID 2444 wrote to memory of 4804	2444	{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe	126
PID 2100 wrote to memory of 2452	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	135
PID 2100 wrote to memory of 2452	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	135
PID 2100 wrote to memory of 2452	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	135
PID 2100 wrote to memory of 2428	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	136
PID 2100 wrote to memory of 2428	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	136
PID 2100 wrote to memory of 2428	2100	{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe	136
PID 2452 wrote to memory of 3980	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	137
PID 2452 wrote to memory of 3980	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	137
PID 2452 wrote to memory of 3980	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	137
PID 2452 wrote to memory of 2444	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	138
PID 2452 wrote to memory of 2444	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	138
PID 2452 wrote to memory of 2444	2452	{13D815CB-8EF2-43da-B572-82E5EC954468}.exe	138
PID 3980 wrote to memory of 1176	3980	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe	139
PID 3980 wrote to memory of 1176	3980	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe	139
PID 3980 wrote to memory of 1176	3980	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe	139
PID 3980 wrote to memory of 3344	3980	{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe	140

C:\Users\Admin\AppData\Local\Temp\2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
  C:\Windows\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
    C:\Windows\{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
      C:\Windows\{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
        
        C:\Windows\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Windows\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
        
        C:\Windows\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
        
        C:\Windows\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
        
        C:\Windows\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
        
        C:\Windows\{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
        
        C:\Windows\{13D815CB-8EF2-43da-B572-82E5EC954468}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe
        
        C:\Windows\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}.exe
        
        C:\Windows\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}.exe
        12⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B58AC~1.EXE > nul
        12⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D81~1.EXE > nul
        11⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E7F6~1.EXE > nul
        10⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B7F~1.EXE > nul
        9⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2C0~1.EXE > nul
        8⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD5F~1.EXE > nul
        7⤵
        
        PID:3112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20617~1.EXE > nul
        6⤵
        
        PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36EF3~1.EXE > nul
        5⤵
        
        PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17665~1.EXE > nul
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2DEA~1.EXE > nul
    3⤵
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CB5BFE1-5DD1-4a8c-9C60-B34F96E6B081}.exe

Filesize
180KB

MD5
82d80dfe713cf15e8c4282c3c4f8cf6d

SHA1
65dd25773e0661218669a5af54c142bfe486d92e

SHA256
a84a9dc49ad085169930a119dc546f134be87ad47bc2820c88a088dfefdde9da

SHA512
db269296c9af971567ba689a6af723563323d30edec84ba92531d748804e64e5907e03af66424d4c92f53b8d65955edd77b96ef7dd4266fbb80c3635120d3024

Download Submit
C:\Windows\{13D815CB-8EF2-43da-B572-82E5EC954468}.exe

Filesize
180KB

MD5
cde47227c9a74b3b688b5c74fd40b51f

SHA1
bf380ffb1de179b976a612aeb672886903b86701

SHA256
439e09ae63d41c02886bf75e991c003fb5f27b22a2e05d612ddef4fe610a8f77

SHA512
c01f1ca3336dd5f8b8342433d6c032d79419132161e5ebdff0d79e5bafd3fbcb823e28ede1064b012bdd4ae3b1fc11a690af6bf18af0522c6c90fc6010e1acc0

Download Submit
C:\Windows\{1766576E-0900-43cc-80BF-8ED2EC60739E}.exe

Filesize
180KB

MD5
26ac38a6e993568a775ccee9638f890f

SHA1
b1c4b75ad68148612095d1ad50bdf646e46def56

SHA256
ad70901869dc0829e7f66e0bc81247ee6a6f0b04e125582f8ed97398d1debc58

SHA512
2ad98b635fb3921fa3c07c8db2f537a2067ed56507b1c85d5db1a106b576979a60ab13657619d948e2c011868ff44101e2b26f9eeffee5fc75904cd2cda2abc1

Download Submit
C:\Windows\{20617E47-CFFE-4b53-8398-1051B3FF4ACA}.exe

Filesize
180KB

MD5
a81d4193d87c53e8c40bf9b8757a20b4

SHA1
65cafbac8c6d9bf555252601e968d000af321952

SHA256
e71e25c1401c23f26762883c419552cc17633c31fa5491704bd0a8963037dce2

SHA512
bbd6b86faaeba22172887919c22988344d325447b11c2285ce29588aeb0f351f4f3218338cdb3ad44d54db4608e1788b80d64f4a34848377fa308f474eceaa17

Download Submit
C:\Windows\{36EF3596-2834-4a38-89AA-19657FE9ED3D}.exe

Filesize
180KB

MD5
2af84ad34a7bb167c2e2f853498606a7

SHA1
49a9a8162be06ccc61135099f1b87a7e1b2bcdcc

SHA256
cb6fb293b7c749f1c7e4a27dd5da663b3890e96833901f3377a0ce4216297653

SHA512
55170cca1eed58d3c75fb6b4872fa4f59d0046937024bfd8989136ee76f61cdbe5530dc96b27f3394be06675e8f6edf4a007174e1b3e4f93e9a48b0aec02d610

Download Submit
C:\Windows\{4E7F6D0B-D580-4280-907B-DC963C3EF158}.exe

Filesize
180KB

MD5
80c9a306b453dfc44d57003f0271a370

SHA1
82fb0740b967cad5dec34b58f4e1a0d513c4b2c2

SHA256
7712b7a89f43930b7a5bb0c47f1fa06a4ff7c3fabd4ebead9a5d04522657bde4

SHA512
37d9ed292060252e81ae67b9e7e4a8e80152df293a390e1cd39321eccad3b9e9ef83f74ab4108fbfe9aadc78f149456b379628ad8abec5944ac804a933673890

Download Submit
C:\Windows\{8F2C07E5-6330-4f8d-A572-A75DFC1EA2D8}.exe

Filesize
180KB

MD5
f0abb530362656dc1169b3e6a57b6d55

SHA1
5c8080fc0cf10bd7ea54995fdbd268c0507fbd77

SHA256
aefb54b11dc8ef32d4424648d3d15fa03904b4d0c412493c9156f0c6ca89ad24

SHA512
cf29bd0061747b980b09d257b2780ad7fa03be5ffa5b840d7badddc6f756b0e559b8f5cbb5d45e75f2e26feda609ce120304b6b49f362603210e289773e34517

Download Submit
C:\Windows\{B58ACEAC-A92F-43f3-9C95-59B574FFD57F}.exe

Filesize
180KB

MD5
6263c4447811c66cef892da4c9995062

SHA1
6d5dbf8095e9b02435cab5ce4a1294b99ac3b6a9

SHA256
65cf25fc85cb4554ef2f387f3882c07673dbd58d8c087157532ec574eab3e262

SHA512
05dccabe631e20f8262dd54efe58bf80cb1e297948dc6555cf6c816143fbf21dcc61c36accdc554fb73f4316dfb4e13e297edcc7b8dde79a5926a0cb38e748df

Download Submit
C:\Windows\{D6B7FA41-6C4C-4740-8C69-E7E7595EEF41}.exe

Filesize
180KB

MD5
a6cc1d85b800a64eed95a06810cefc08

SHA1
8602a15c5cf1807e6df08ee567ce4842c98dde01

SHA256
2d69ccaf267e660c0a3c6c3bad4d67fb6c8cf973df23a8aa5777c2fdbb42ccc9

SHA512
53402a63068e80133df73fcac36a0c59bd6a1f0b077d3810c2087a305a5eb9aa9e7aba5e367414a02889a855e4f33810e853e2b9935b6391ab3a7a411d9ee487

Download Submit
C:\Windows\{DCD5FB7C-BC52-446c-BD0C-65B28070A5FF}.exe

Filesize
180KB

MD5
a8d36d24d48167181bd93b3e2cdd97f9

SHA1
56c4651b0b80404cada8dfacec9fcd4efaf6ae39

SHA256
1d197a1a1ce17f155ad462f9fb183ac71e2f424b9e3bff6af2115cc615f25d0b

SHA512
95542299fd7cc5caddb0b7ed59c409c8c85d621a83abce45d0ae2ba951d6ea0f41c8b211c80e4c25a0526fbe089282688eb2d4820ff632159996f8a92551db6a

Download Submit
C:\Windows\{F2DEAC0A-CCAF-481f-866A-1054C80135DF}.exe

Filesize
180KB

MD5
66a5bd650733afcb0ad920f05aa4557d

SHA1
09c87a0b856a63728286830bba3deba5f3274084

SHA256
fbea6dedb52e9297e8e48fa0508b84dc385f4beba920d4e62a77974dffba5241

SHA512
e8642e144b58a71f5c8e8ab23323c2085412328e892952638fa01d6b23b485be617bda705dca10cc697bf31dadb7ba57251825714cb23cd6278cfd25cccfaebc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads