90cff14410b8b15d80e7738b57fadf494599004093bdd3371f4100834a9e480b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe
Size

408KB
MD5

7af88ebe1a3e7be6437bd6bdec0e9bba
SHA1

5592f5d1b7a3329976a2720b8cfe5097029ee3cc
SHA256

90cff14410b8b15d80e7738b57fadf494599004093bdd3371f4100834a9e480b
SHA512

c030b2948cfe006e1a71380aced443d559e10adb9acabb744e1409105a7d656d8b65545f026516f370d0f967f17a9657ae0164ea1c3c99821103ee6f635c0f43
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGkldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022d20-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023262-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022e9f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022e9f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002326a-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e3d2-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002326a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002326a-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000227ec-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023288-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}\stubpath = "C:\\Windows\\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe"	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0840C709-8357-4af4-96F1-1B1F4333AD5B}\stubpath = "C:\\Windows\\{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe"	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B478E27-44CF-4df0-892E-38D694C7CEE1}	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}\stubpath = "C:\\Windows\\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe"	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}\stubpath = "C:\\Windows\\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe"	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14A3245D-9284-4d90-AB5A-169F610C99C3}	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}\stubpath = "C:\\Windows\\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe"	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}\stubpath = "C:\\Windows\\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe"	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14A3245D-9284-4d90-AB5A-169F610C99C3}\stubpath = "C:\\Windows\\{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe"	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}\stubpath = "C:\\Windows\\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe"	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0840C709-8357-4af4-96F1-1B1F4333AD5B}	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}\stubpath = "C:\\Windows\\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}.exe"	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B478E27-44CF-4df0-892E-38D694C7CEE1}\stubpath = "C:\\Windows\\{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe"	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}\stubpath = "C:\\Windows\\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe"	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe

Executes dropped EXE 11 IoCs

pid	Process
1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe
2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe
1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
2636	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe
1692	{38FFFD0B-6EDF-4559-A802-C4177494EAD3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
File created	C:\Windows\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
File created	C:\Windows\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
File created	C:\Windows\{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe
File created	C:\Windows\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe
File created	C:\Windows\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
File created	C:\Windows\{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
File created	C:\Windows\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}.exe	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe
File created	C:\Windows\{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
File created	C:\Windows\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
File created	C:\Windows\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe
Token: SeIncBasePriorityPrivilege	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
Token: SeIncBasePriorityPrivilege	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
Token: SeIncBasePriorityPrivilege	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
Token: SeIncBasePriorityPrivilege	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
Token: SeIncBasePriorityPrivilege	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
Token: SeIncBasePriorityPrivilege	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe
Token: SeIncBasePriorityPrivilege	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
Token: SeIncBasePriorityPrivilege	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
Token: SeIncBasePriorityPrivilege	2636	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1864	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe	97
PID 4908 wrote to memory of 1864	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe	97
PID 4908 wrote to memory of 1864	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe	97
PID 4908 wrote to memory of 2232	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe	98
PID 4908 wrote to memory of 2232	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe	98
PID 4908 wrote to memory of 2232	4908	2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe	98
PID 1864 wrote to memory of 2352	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	109
PID 1864 wrote to memory of 2352	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	109
PID 1864 wrote to memory of 2352	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	109
PID 1864 wrote to memory of 708	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	110
PID 1864 wrote to memory of 708	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	110
PID 1864 wrote to memory of 708	1864	{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe	110
PID 2352 wrote to memory of 1996	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	111
PID 2352 wrote to memory of 1996	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	111
PID 2352 wrote to memory of 1996	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	111
PID 2352 wrote to memory of 1216	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	112
PID 2352 wrote to memory of 1216	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	112
PID 2352 wrote to memory of 1216	2352	{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe	112
PID 1996 wrote to memory of 4572	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	115
PID 1996 wrote to memory of 4572	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	115
PID 1996 wrote to memory of 4572	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	115
PID 1996 wrote to memory of 2388	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	116
PID 1996 wrote to memory of 2388	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	116
PID 1996 wrote to memory of 2388	1996	{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe	116
PID 4572 wrote to memory of 452	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	117
PID 4572 wrote to memory of 452	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	117
PID 4572 wrote to memory of 452	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	117
PID 4572 wrote to memory of 2400	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	118
PID 4572 wrote to memory of 2400	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	118
PID 4572 wrote to memory of 2400	4572	{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe	118
PID 452 wrote to memory of 4452	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	119
PID 452 wrote to memory of 4452	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	119
PID 452 wrote to memory of 4452	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	119
PID 452 wrote to memory of 1820	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	120
PID 452 wrote to memory of 1820	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	120
PID 452 wrote to memory of 1820	452	{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe	120
PID 4452 wrote to memory of 5056	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	122
PID 4452 wrote to memory of 5056	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	122
PID 4452 wrote to memory of 5056	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	122
PID 4452 wrote to memory of 3180	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	123
PID 4452 wrote to memory of 3180	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	123
PID 4452 wrote to memory of 3180	4452	{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe	123
PID 5056 wrote to memory of 1656	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	124
PID 5056 wrote to memory of 1656	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	124
PID 5056 wrote to memory of 1656	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	124
PID 5056 wrote to memory of 3880	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	125
PID 5056 wrote to memory of 3880	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	125
PID 5056 wrote to memory of 3880	5056	{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe	125
PID 1656 wrote to memory of 4196	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	126
PID 1656 wrote to memory of 4196	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	126
PID 1656 wrote to memory of 4196	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	126
PID 1656 wrote to memory of 3624	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	127
PID 1656 wrote to memory of 3624	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	127
PID 1656 wrote to memory of 3624	1656	{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe	127
PID 4196 wrote to memory of 2636	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	131
PID 4196 wrote to memory of 2636	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	131
PID 4196 wrote to memory of 2636	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	131
PID 4196 wrote to memory of 116	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	132
PID 4196 wrote to memory of 116	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	132
PID 4196 wrote to memory of 116	4196	{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe	132
PID 2636 wrote to memory of 1692	2636	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe	134
PID 2636 wrote to memory of 1692	2636	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe	134
PID 2636 wrote to memory of 1692	2636	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe	134
PID 2636 wrote to memory of 1032	2636	{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_7af88ebe1a3e7be6437bd6bdec0e9bba_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe
  C:\Windows\{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
    C:\Windows\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
      C:\Windows\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
        
        C:\Windows\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
        
        C:\Windows\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
        
        C:\Windows\{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe
        
        C:\Windows\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
        
        C:\Windows\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
        
        C:\Windows\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe
        
        C:\Windows\{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}.exe
        
        C:\Windows\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0840C~1.EXE > nul
        12⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00BB6~1.EXE > nul
        11⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C937~1.EXE > nul
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BD3~1.EXE > nul
        9⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14A32~1.EXE > nul
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9EEB~1.EXE > nul
        7⤵
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CD12~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBE69~1.EXE > nul
        5⤵
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66E0B~1.EXE > nul
      4⤵
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B478~1.EXE > nul
    3⤵
    PID:708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe

Filesize
384KB

MD5
5f7767201a4a9e6635341f51aedca219

SHA1
dca4f65c1c716ea191cb5ca7418f77387580ff9e

SHA256
f0c4a803dd00aa5f980d550c17826506e14a41f63b158f38a69e4aeead4b1eb9

SHA512
6554c58bd0f88fb0335e30a03da65a90c4ff363c67eb78e21ed41a9fc84e94329b8a58b46e18a0f7ad1b51a6237a0aac103b9038fb2293688eddcbe4d4192e4a

Download Submit
C:\Windows\{00BB671A-8FFE-48e8-A2DC-35DE75B744D4}.exe

Filesize
335KB

MD5
62d47928f09ce3eb8b7528b076c397f4

SHA1
85adc2dfe3e8361ff66155af317579be8cf3e39a

SHA256
a2a6498c4761b4708a1eab74195c75a983c565cf3f509961703881e93f54a982

SHA512
b1f14cc2bba2a86afa9c60a945ad62cceba11f0f969cf7242601d73de5a6ab8ceac61f7e4a81fe3a01ba13e84fd6ed581e611d4823d02bbb2b482a18e31793b4

Download Submit
C:\Windows\{0840C709-8357-4af4-96F1-1B1F4333AD5B}.exe

Filesize
408KB

MD5
66a9edd0408ec637d6bbb8bcc3c2f252

SHA1
6dc18045d89ff0ecc448434a61b7061ee5601309

SHA256
85b29020ed9553fbb59d499d413b60551b443d38d5138b1a6e41b0a4f98d428e

SHA512
0d15fa6580b6a52d0294ee2cbff5c8c801dacd73dda8a0dcb2ec1fb6f198b0d81d78a6421573f964a44839d5d22d2df633b7dcacfc435e2469cec35ad8fb20eb

Download Submit
C:\Windows\{0C937BEC-F721-45e6-9C0F-D194896CC5EB}.exe

Filesize
408KB

MD5
f12808ff3107147d1f5f6110415f3fd7

SHA1
f563412d400b8684083bb1b95b5e88263c618809

SHA256
7a8177b5da39d00ef613daadea815feadbfb028ecab68bb46beb764fe0715770

SHA512
cf70ed2335dfaa453995020b2f899db72a8459f4c7f23c5a4f81d9e9fa7e806eb2aad9561af42908d08b0c4fc0e789cd1fe148a70819c4111419e1821eecd811

Download Submit
C:\Windows\{14A3245D-9284-4d90-AB5A-169F610C99C3}.exe

Filesize
408KB

MD5
0b44d07ec67086b4faff196cf7e9e2a1

SHA1
7d08aa2c4920ef1195c771810a1b5782ad7d6a65

SHA256
41042a8be9de9496190c4220d5a7265817596057e86490eacd2e70afed941e85

SHA512
fb08d764a132dccec673b18d98c9e85407d8c7d632056ff4c3598d3a7e334933c0d5166a80d5fdb30f5b0743cd024f298f6fbb62ecf9bf022e0700a550920e6a

Download Submit
C:\Windows\{2CD12F4D-1D5B-4acd-89AA-15571A44DA1F}.exe

Filesize
408KB

MD5
dc16a8c0aaaacaa0e7f0c975b9e73076

SHA1
d97eba4e4b8f3701733678415bb19f7d949ce78d

SHA256
c955fb1f94fc2eae524ab1bc3e868bb0fb2bdfb994ddde12f375d55360f02cda

SHA512
b4192913b64e131acbc0c10fa2597ac5e7cadbae6531909c1d03b80f858e0b9163a3a93f1417c9f46f6a490cb8afd9eaef7b1990d5faf89578781bbfb522aa13

Download Submit
C:\Windows\{38FFFD0B-6EDF-4559-A802-C4177494EAD3}.exe

Filesize
408KB

MD5
e4415a61e258b86ffca655d8b5626f18

SHA1
11b6c1b1ec85c201e71f7748df1ae5fe0911bc2f

SHA256
2e4d574615a70f7a77fac36aff6e81e5d9062dc002b8ed41b50617efd28617f3

SHA512
443f590c4b7cce8a399fc4469c39b7f4f7cf97aaf1d33f44419e592a8d64bcf715904ed343b671dcfa7681c8cfc9b63fb64ed21af27b182eb7b3007dad358be7

Download Submit
C:\Windows\{66E0BC60-6B8E-4ce5-A50C-A2F580E4404A}.exe

Filesize
408KB

MD5
10ef8b26c56f23f1b8d916ce7b2a0063

SHA1
21342b55f50e66699a5d4132da19fc002d3ab3e0

SHA256
929f2916d381749b635414bf8439277fae57117d6f3e8ea78b7cd2d862ab1973

SHA512
f5c19ce88ad6a2361811360d8b1627e150c64005a9920741856db67ed4cdd3d3f15f7c0fc86e5c9a3a290546522bb568588b1c20ec862c83792df79c5404cc97

Download Submit
C:\Windows\{81BD3F8A-3D69-467a-B70C-17CA6A525DA1}.exe

Filesize
408KB

MD5
3da377d608d84559f446e4aa4766e0ac

SHA1
bc9e41ef6f250ce57085ef4c4d50e8967497b414

SHA256
327b00416891621f6e8ccf855c2d90a3abeb10259accfcf03dcaf71b829e5f17

SHA512
6302cae01cbfd7253150080985d9d91beec81f61524aacede360649f57fcf71f72f557e50ce2428ebb5770414592dfb1763e5ba8b2a2f785f7181f78100861b9

Download Submit
C:\Windows\{9B478E27-44CF-4df0-892E-38D694C7CEE1}.exe

Filesize
408KB

MD5
c3dddf86914f2df07e1c8dd0c1afc19d

SHA1
d50b3103e4e7722d317ab1a3de7ff4e70d951664

SHA256
b3ab09d666c4c2a98873ceb1cbfe37e60f4b2623aec288a5e2cc8c8633614e46

SHA512
85f4e37a628bb95e6db0069340ec6426ee277ba7ff10bc891c42f4ec8f5b079b72e7e78a35ffffd60389266fade3c00ff02aee5740a7a73f404a49f8fbb11dac

Download Submit
C:\Windows\{C9EEBD27-14DB-4597-87BC-F1425C8B5618}.exe

Filesize
408KB

MD5
b746bdaa8138e60cb270462c45d3d205

SHA1
647a2dce7b72c4ff420e63f22454ce32bf99268b

SHA256
4d107ee378fe779593b1f93d46f5333710b9e399f63aa3ff295a2707c3b816c6

SHA512
c838d15d0166637f63386f4a6b089fc0a40b02d52040cb5a6599ba0849e6e399846b6443bc9dfdcfc53f6ec8911f1d94147b3d611ad1c5e8633857177dd256d4

Download Submit
C:\Windows\{CBE69FC7-03AF-4a5e-9C8A-7940F2DDF149}.exe

Filesize
408KB

MD5
8ee549ff44680b1f69f229f39cbb1345

SHA1
b022fd26da7a9fe46ea3c550171df91dde5fd196

SHA256
b833948cc32a0911ae194f0c2095e7a41e641b2b1f7dc45f971ff3bea93922f3

SHA512
0116faca9f3a2cd249bb24c81cadd789cb2fa2253e4617cb9a5a36ff1d7a03e503bc5ceeb3c98d0f168417625339306509a17c07bc6c6fc011f842ccd9082884

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads