5926befca425ced9ad340e06890c166e94cd8a9fc4eb31f0ea41b625de82fad8

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe
Size

180KB
MD5

9303bbb35302138037fe3c40ba282432
SHA1

b5417324ff36b672c45d769ba23285c0b9eb33fe
SHA256

5926befca425ced9ad340e06890c166e94cd8a9fc4eb31f0ea41b625de82fad8
SHA512

e92aaca7581da58697054d35c960da6d90c977538ffde45dce2a812b9d844f16bbc7ea3aa71006ae34e4906c4f10c57c59909b21d19b33814150e74cf5540ca5
SSDEEP

3072:jEGh0oplfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002327a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002328a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000227ea-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002328a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000227ea-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002328a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000227ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002328a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d06-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022d06-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}	{753AB797-D8CD-4b79-8785-54204B765919}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97001635-D8F5-4a30-9D15-271B450CD799}\stubpath = "C:\\Windows\\{97001635-D8F5-4a30-9D15-271B450CD799}.exe"	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}\stubpath = "C:\\Windows\\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe"	{97001635-D8F5-4a30-9D15-271B450CD799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6293F766-0B0A-4110-A918-2DC507D1483E}	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED09D89C-003C-4210-81BE-3665AE2C126E}\stubpath = "C:\\Windows\\{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe"	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}\stubpath = "C:\\Windows\\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe"	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97001635-D8F5-4a30-9D15-271B450CD799}	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6293F766-0B0A-4110-A918-2DC507D1483E}\stubpath = "C:\\Windows\\{6293F766-0B0A-4110-A918-2DC507D1483E}.exe"	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED09D89C-003C-4210-81BE-3665AE2C126E}	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}\stubpath = "C:\\Windows\\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe"	{753AB797-D8CD-4b79-8785-54204B765919}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D639C826-E2EC-4654-8ECD-1FB2305E0840}\stubpath = "C:\\Windows\\{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe"	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}	{97001635-D8F5-4a30-9D15-271B450CD799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}\stubpath = "C:\\Windows\\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe"	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}\stubpath = "C:\\Windows\\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}.exe"	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}\stubpath = "C:\\Windows\\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe"	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{753AB797-D8CD-4b79-8785-54204B765919}	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{753AB797-D8CD-4b79-8785-54204B765919}\stubpath = "C:\\Windows\\{753AB797-D8CD-4b79-8785-54204B765919}.exe"	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D639C826-E2EC-4654-8ECD-1FB2305E0840}	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe

Executes dropped EXE 11 IoCs

pid	Process
2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe
3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe
640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe
2420	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe
2792	{CA17DD5B-6974-4919-A0B2-D7AC0A595489}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97001635-D8F5-4a30-9D15-271B450CD799}.exe	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe
File created	C:\Windows\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	{97001635-D8F5-4a30-9D15-271B450CD799}.exe
File created	C:\Windows\{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
File created	C:\Windows\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	{753AB797-D8CD-4b79-8785-54204B765919}.exe
File created	C:\Windows\{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
File created	C:\Windows\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}.exe	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe
File created	C:\Windows\{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
File created	C:\Windows\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
File created	C:\Windows\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
File created	C:\Windows\{753AB797-D8CD-4b79-8785-54204B765919}.exe	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
File created	C:\Windows\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe
Token: SeIncBasePriorityPrivilege	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
Token: SeIncBasePriorityPrivilege	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
Token: SeIncBasePriorityPrivilege	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
Token: SeIncBasePriorityPrivilege	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
Token: SeIncBasePriorityPrivilege	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
Token: SeIncBasePriorityPrivilege	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe
Token: SeIncBasePriorityPrivilege	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
Token: SeIncBasePriorityPrivilege	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe
Token: SeIncBasePriorityPrivilege	2420	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2460	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe	105
PID 3184 wrote to memory of 2460	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe	105
PID 3184 wrote to memory of 2460	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe	105
PID 3184 wrote to memory of 2960	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe	106
PID 3184 wrote to memory of 2960	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe	106
PID 3184 wrote to memory of 2960	3184	2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe	106
PID 2460 wrote to memory of 3804	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe	110
PID 2460 wrote to memory of 3804	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe	110
PID 2460 wrote to memory of 3804	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe	110
PID 2460 wrote to memory of 4000	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe	111
PID 2460 wrote to memory of 4000	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe	111
PID 2460 wrote to memory of 4000	2460	{97001635-D8F5-4a30-9D15-271B450CD799}.exe	111
PID 3804 wrote to memory of 4952	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	113
PID 3804 wrote to memory of 4952	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	113
PID 3804 wrote to memory of 4952	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	113
PID 3804 wrote to memory of 2520	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	114
PID 3804 wrote to memory of 2520	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	114
PID 3804 wrote to memory of 2520	3804	{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe	114
PID 4952 wrote to memory of 2528	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	116
PID 4952 wrote to memory of 2528	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	116
PID 4952 wrote to memory of 2528	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	116
PID 4952 wrote to memory of 5040	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	117
PID 4952 wrote to memory of 5040	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	117
PID 4952 wrote to memory of 5040	4952	{6293F766-0B0A-4110-A918-2DC507D1483E}.exe	117
PID 2528 wrote to memory of 4836	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	118
PID 2528 wrote to memory of 4836	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	118
PID 2528 wrote to memory of 4836	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	118
PID 2528 wrote to memory of 2440	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	119
PID 2528 wrote to memory of 2440	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	119
PID 2528 wrote to memory of 2440	2528	{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe	119
PID 4836 wrote to memory of 4736	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	121
PID 4836 wrote to memory of 4736	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	121
PID 4836 wrote to memory of 4736	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	121
PID 4836 wrote to memory of 3804	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	122
PID 4836 wrote to memory of 3804	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	122
PID 4836 wrote to memory of 3804	4836	{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe	122
PID 4736 wrote to memory of 1448	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	123
PID 4736 wrote to memory of 1448	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	123
PID 4736 wrote to memory of 1448	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	123
PID 4736 wrote to memory of 3872	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	124
PID 4736 wrote to memory of 3872	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	124
PID 4736 wrote to memory of 3872	4736	{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe	124
PID 1448 wrote to memory of 640	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe	125
PID 1448 wrote to memory of 640	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe	125
PID 1448 wrote to memory of 640	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe	125
PID 1448 wrote to memory of 4572	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe	126
PID 1448 wrote to memory of 4572	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe	126
PID 1448 wrote to memory of 4572	1448	{753AB797-D8CD-4b79-8785-54204B765919}.exe	126
PID 640 wrote to memory of 4964	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	135
PID 640 wrote to memory of 4964	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	135
PID 640 wrote to memory of 4964	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	135
PID 640 wrote to memory of 1532	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	136
PID 640 wrote to memory of 1532	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	136
PID 640 wrote to memory of 1532	640	{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe	136
PID 4964 wrote to memory of 2420	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	137
PID 4964 wrote to memory of 2420	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	137
PID 4964 wrote to memory of 2420	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	137
PID 4964 wrote to memory of 1648	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	138
PID 4964 wrote to memory of 1648	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	138
PID 4964 wrote to memory of 1648	4964	{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe	138
PID 2420 wrote to memory of 2792	2420	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe	139
PID 2420 wrote to memory of 2792	2420	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe	139
PID 2420 wrote to memory of 2792	2420	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe	139
PID 2420 wrote to memory of 2292	2420	{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe	140

C:\Users\Admin\AppData\Local\Temp\2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_9303bbb35302138037fe3c40ba282432_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\{97001635-D8F5-4a30-9D15-271B450CD799}.exe
  C:\Windows\{97001635-D8F5-4a30-9D15-271B450CD799}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
    C:\Windows\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
      C:\Windows\{6293F766-0B0A-4110-A918-2DC507D1483E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
        
        C:\Windows\{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
        
        C:\Windows\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
        
        C:\Windows\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{753AB797-D8CD-4b79-8785-54204B765919}.exe
        
        C:\Windows\{753AB797-D8CD-4b79-8785-54204B765919}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
        
        C:\Windows\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe
        
        C:\Windows\{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe
        
        C:\Windows\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}.exe
        
        C:\Windows\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}.exe
        12⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5FC2~1.EXE > nul
        12⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D639C~1.EXE > nul
        11⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA676~1.EXE > nul
        10⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{753AB~1.EXE > nul
        9⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{481AD~1.EXE > nul
        8⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0507~1.EXE > nul
        7⤵
        
        PID:3804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED09D~1.EXE > nul
        6⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6293F~1.EXE > nul
        5⤵
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54E17~1.EXE > nul
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97001~1.EXE > nul
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{481ADEB6-FE20-4fa4-848F-5D40CBC8DE27}.exe

Filesize
180KB

MD5
fcbf8b8ecdee0eb2de9b7262d4660bbc

SHA1
55de652ab022c7534a6c42106bbee5369e655519

SHA256
85181f87a1f6a9f0699f7ac78a6c2e543c516d2e9ec0afd52857274e8747b171

SHA512
a291521e2b40e03b1acfd033cdc24aa7958fe1ddc45200a725fdae56a3b704d11dd3214205788c741b641f165074b2f260fa61e76b66cf352c68f66e62f1e574

Download Submit
C:\Windows\{54E173C9-5849-4a0b-8F1E-CF3917B72D84}.exe

Filesize
180KB

MD5
158153320f05032e35d1fa4d4655a2d0

SHA1
2f3150206a4ad8ee701e2a36071ca29608315788

SHA256
d0a337039b2e61fe2e409430e76d61f139c182a565cf0624c450bafe0f9d6937

SHA512
b018fc0fb1bddc197605a701633ed07a1c077635a79308d1f00bd7bbaf2e9c0ec68d57c24dc3edc6156a8e3625d592185a030c35ea08a4dbcada99bd4762f2b4

Download Submit
C:\Windows\{6293F766-0B0A-4110-A918-2DC507D1483E}.exe

Filesize
180KB

MD5
0b28f6feba2dbae18c469ba4fd090dc6

SHA1
1549ccbb49803693b94983bb3c3d707a792a06f0

SHA256
ee3296b8b7b0ba2fe116b3bf608ee248e847b70b6c854b7a91ba5226fc5acec6

SHA512
4ed38ee96f23c83d48e0879b55ccd71b8e534488c3a668a4d4726102be7ee7807b77d53f8f8d38dc0768f2cffee3a78b7b44b095edefcefcae8698e943a6c94c

Download Submit
C:\Windows\{753AB797-D8CD-4b79-8785-54204B765919}.exe

Filesize
180KB

MD5
a09685d6e7ed493813379cf05149e966

SHA1
072280fe39bf7d0c81afd1cc23d89d277fe3d75d

SHA256
23a8e7e7f73118f3f0ce079bec2169849e48e19fbd00a3bb92a80fe3c90b8a0f

SHA512
8f3dd9f492c160bb0636bcf6ff27adf2ad0fb1e19134b5f1e65ee5d6f2d4a820eb076bab175a2a88465127e70201a5139b363c627ca0d9873ba5823f5d89c7ee

Download Submit
C:\Windows\{97001635-D8F5-4a30-9D15-271B450CD799}.exe

Filesize
180KB

MD5
8148dab246667d8ecd7e1e9b78ea8d2b

SHA1
3b3554fce33a236ae4c057f09e9f6fb751660966

SHA256
6f883e48636c5715efbbbbcb55ed117aec3d01a0d0385814499f1c0a5843dac3

SHA512
d0bfa5afce3462c3572e376c1bca4749c0ab6dd85ab4a74a35738c52565d67658a7ee57cb67155c14cf56da7ea256803e0ce6ae37811f1b09ee944d9e62b6416

Download Submit
C:\Windows\{B0507D17-8C87-4c7c-98AA-EF85AD49EED3}.exe

Filesize
180KB

MD5
2e5ab4a0a9cfa37c9f5585ffef6b6960

SHA1
498fb61e2aceffd724a1ef2e7b5b12756c7e5a73

SHA256
072cb7857008a9ea74d50438decb98093b3efa95bbf3c8258d6b0ac5e8e68b78

SHA512
aa9e04bac6762155a530a11d4164fa6d1caa8dd5b635c043295cab4ae5ccb5d5c41defcf71b893a38a766981c8c69c7109fd48628116e4c99e72eec6876b44ef

Download Submit
C:\Windows\{CA17DD5B-6974-4919-A0B2-D7AC0A595489}.exe

Filesize
180KB

MD5
2252ba6904c4134edef1331840472c89

SHA1
1a1033e0c7fb6922e90355b8681074200ff1edc5

SHA256
050a230f5e8eab3b91b7568082c18cee47d7998d0c54040b76b1784d103ba35d

SHA512
5f334a3c048aa9d0741e2054719c4fd2390e21a4865f10e40f6bab7c049f6328bb47c11066fcbf6a7a2d52e9ba4994b68605dc243814a85373ec0a1a0bbf42ff

Download Submit
C:\Windows\{D639C826-E2EC-4654-8ECD-1FB2305E0840}.exe

Filesize
180KB

MD5
e7bf26ede5f6e86b634f1c2f7c6dea98

SHA1
c182e7fb2af4f4828d56ba2d13daf424794d5ea8

SHA256
6d03faf649522abba3c1210ee70f3027fc3a9774061bb7eb223774e04fb8d5e0

SHA512
5d6705fb61e744e7384c8635e47316eb1b41689f1428d510cec5d5d3e85afd170a16e9337386d4aeb4554d4e272703e8b6a32f2fade56ce350c76ebe077baa16

Download Submit
C:\Windows\{DA676F52-DFBC-4ead-9A65-08CAB2602B1A}.exe

Filesize
180KB

MD5
b8e50599a387a7465fb24c10f8c7c50c

SHA1
5a35bacab7f61df2994a56c54d06e9e2cb897c37

SHA256
6ed0d3a6072ff0a40d11843c19875aa86e033a702cc4195dcb1f83f665b6a80f

SHA512
9faa8ae9eb17b10cd736c4855e53216296788ffcb54da72ec7752c8913a5b66cdbc457628a0b9ae8c3dd40f623710a0c3ea1d300ffb41713e77ddc63b05af882

Download Submit
C:\Windows\{E5FC2CE1-87E2-4d88-9654-F3E8C9E1B8D8}.exe

Filesize
180KB

MD5
2a38fd0af100ed8b89529ffb6542a730

SHA1
56dea44a84a817a9064d7a82c219cb386e254c62

SHA256
6926af24c54ab596eeda0b9d055f94fc1168439389dcb6ad4b1f437849de861a

SHA512
ffab5156439d90e102ead9a4829cbea883206062ffde1ccafbceed5ed70f859f89ed8f4fed5f1985396b05d5602780780c141925f7f47dbdcee7bb8c7d5edb52

Download Submit
C:\Windows\{ED09D89C-003C-4210-81BE-3665AE2C126E}.exe

Filesize
180KB

MD5
10c271861c88339dcf06261305fc8d75

SHA1
473c99a5a585253c6dc0a9825ddc303ca512a417

SHA256
060ba5971f6bcf3fc734c8066fcc13d04dafce6becf46b0b5589aa23c1b83181

SHA512
81f4be88731ea43c40e9d70a4f96251ac849e26f135b691cac726c6c3ad1cfe53e5bc49e74c110ae8ec1ebe6031bfdab78aa22c4ff17027b1ab51540e839f38f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads