bada1b6fb7568ce281f1f6771b35c0cc61112799ec1eeed957ea045ed3466a80

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe
Size

344KB
MD5

bfc5db6135d6f88d0294430ac99e3f60
SHA1

72d22a1136fc4eb1301dbd2b6535a8e4c2151267
SHA256

bada1b6fb7568ce281f1f6771b35c0cc61112799ec1eeed957ea045ed3466a80
SHA512

495eb980bdf2eded812fc0e5376ee5c8d3e778686ccd160a5800b3af2cb81e1b949cf26a4daf2e7628caf0ae2e3d79660d49a4b0078939da19edabc7b4ba7ee9
SSDEEP

3072:mEGh0omlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000900000002324f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022e9f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002325d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022e9f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002325d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022e9f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002325d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d0c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022dae-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022dae-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}\stubpath = "C:\\Windows\\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe"	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}\stubpath = "C:\\Windows\\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe"	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085DB853-097D-427f-8ED3-256AD199D688}	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996C652B-9A5B-49f3-BA49-AC6F600666B0}\stubpath = "C:\\Windows\\{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe"	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ADF94B4-1794-4930-94BA-53BE94037039}	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ADF94B4-1794-4930-94BA-53BE94037039}\stubpath = "C:\\Windows\\{4ADF94B4-1794-4930-94BA-53BE94037039}.exe"	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}\stubpath = "C:\\Windows\\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe"	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDD0B6A-F221-4e12-B25E-564A5D116584}	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDD0B6A-F221-4e12-B25E-564A5D116584}\stubpath = "C:\\Windows\\{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe"	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}\stubpath = "C:\\Windows\\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe"	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40E437FB-2A3F-46a5-A611-20F589A44EE2}\stubpath = "C:\\Windows\\{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe"	{085DB853-097D-427f-8ED3-256AD199D688}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{967BF1C2-1F83-4d0a-9297-CA52348575CC}\stubpath = "C:\\Windows\\{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe"	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{967BF1C2-1F83-4d0a-9297-CA52348575CC}	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}\stubpath = "C:\\Windows\\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe"	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085DB853-097D-427f-8ED3-256AD199D688}\stubpath = "C:\\Windows\\{085DB853-097D-427f-8ED3-256AD199D688}.exe"	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40E437FB-2A3F-46a5-A611-20F589A44EE2}	{085DB853-097D-427f-8ED3-256AD199D688}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996C652B-9A5B-49f3-BA49-AC6F600666B0}	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe

Executes dropped EXE 11 IoCs

pid	Process
1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe
3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe
4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe
1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
3956	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe
4596	{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
File created	C:\Windows\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
File created	C:\Windows\{085DB853-097D-427f-8ED3-256AD199D688}.exe	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe
File created	C:\Windows\{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	{085DB853-097D-427f-8ED3-256AD199D688}.exe
File created	C:\Windows\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
File created	C:\Windows\{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
File created	C:\Windows\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
File created	C:\Windows\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe
File created	C:\Windows\{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
File created	C:\Windows\{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe
File created	C:\Windows\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe
Token: SeIncBasePriorityPrivilege	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
Token: SeIncBasePriorityPrivilege	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
Token: SeIncBasePriorityPrivilege	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe
Token: SeIncBasePriorityPrivilege	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe
Token: SeIncBasePriorityPrivilege	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
Token: SeIncBasePriorityPrivilege	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
Token: SeIncBasePriorityPrivilege	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
Token: SeIncBasePriorityPrivilege	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
Token: SeIncBasePriorityPrivilege	3956	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1092	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe	106
PID 1848 wrote to memory of 1092	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe	106
PID 1848 wrote to memory of 1092	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe	106
PID 1848 wrote to memory of 3092	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe	107
PID 1848 wrote to memory of 3092	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe	107
PID 1848 wrote to memory of 3092	1848	2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe	107
PID 1092 wrote to memory of 3580	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe	111
PID 1092 wrote to memory of 3580	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe	111
PID 1092 wrote to memory of 3580	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe	111
PID 1092 wrote to memory of 1204	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe	112
PID 1092 wrote to memory of 1204	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe	112
PID 1092 wrote to memory of 1204	1092	{085DB853-097D-427f-8ED3-256AD199D688}.exe	112
PID 3580 wrote to memory of 2988	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	114
PID 3580 wrote to memory of 2988	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	114
PID 3580 wrote to memory of 2988	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	114
PID 3580 wrote to memory of 4600	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	115
PID 3580 wrote to memory of 4600	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	115
PID 3580 wrote to memory of 4600	3580	{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe	115
PID 2988 wrote to memory of 1092	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	117
PID 2988 wrote to memory of 1092	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	117
PID 2988 wrote to memory of 1092	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	117
PID 2988 wrote to memory of 3336	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	118
PID 2988 wrote to memory of 3336	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	118
PID 2988 wrote to memory of 3336	2988	{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe	118
PID 1092 wrote to memory of 4648	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	119
PID 1092 wrote to memory of 4648	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	119
PID 1092 wrote to memory of 4648	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	119
PID 1092 wrote to memory of 4344	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	120
PID 1092 wrote to memory of 4344	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	120
PID 1092 wrote to memory of 4344	1092	{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe	120
PID 4648 wrote to memory of 1744	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	122
PID 4648 wrote to memory of 1744	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	122
PID 4648 wrote to memory of 1744	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	122
PID 4648 wrote to memory of 3916	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	123
PID 4648 wrote to memory of 3916	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	123
PID 4648 wrote to memory of 3916	4648	{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe	123
PID 1744 wrote to memory of 3336	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	124
PID 1744 wrote to memory of 3336	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	124
PID 1744 wrote to memory of 3336	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	124
PID 1744 wrote to memory of 1204	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	125
PID 1744 wrote to memory of 1204	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	125
PID 1744 wrote to memory of 1204	1744	{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe	125
PID 3336 wrote to memory of 1628	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	126
PID 3336 wrote to memory of 1628	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	126
PID 3336 wrote to memory of 1628	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	126
PID 3336 wrote to memory of 3316	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	127
PID 3336 wrote to memory of 3316	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	127
PID 3336 wrote to memory of 3316	3336	{4ADF94B4-1794-4930-94BA-53BE94037039}.exe	127
PID 1628 wrote to memory of 2872	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	136
PID 1628 wrote to memory of 2872	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	136
PID 1628 wrote to memory of 2872	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	136
PID 1628 wrote to memory of 528	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	137
PID 1628 wrote to memory of 528	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	137
PID 1628 wrote to memory of 528	1628	{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe	137
PID 2872 wrote to memory of 3956	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	138
PID 2872 wrote to memory of 3956	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	138
PID 2872 wrote to memory of 3956	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	138
PID 2872 wrote to memory of 4308	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	139
PID 2872 wrote to memory of 4308	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	139
PID 2872 wrote to memory of 4308	2872	{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe	139
PID 3956 wrote to memory of 4596	3956	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe	140
PID 3956 wrote to memory of 4596	3956	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe	140
PID 3956 wrote to memory of 4596	3956	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe	140
PID 3956 wrote to memory of 2484	3956	{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe	141

C:\Users\Admin\AppData\Local\Temp\2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_bfc5db6135d6f88d0294430ac99e3f60_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\{085DB853-097D-427f-8ED3-256AD199D688}.exe
  C:\Windows\{085DB853-097D-427f-8ED3-256AD199D688}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
    C:\Windows\{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
      C:\Windows\{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe
        
        C:\Windows\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe
        
        C:\Windows\{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
        
        C:\Windows\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
        
        C:\Windows\{4ADF94B4-1794-4930-94BA-53BE94037039}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
        
        C:\Windows\{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
        
        C:\Windows\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe
        
        C:\Windows\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe
        
        C:\Windows\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe
        12⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A7F2~1.EXE > nul
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6BF~1.EXE > nul
        11⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{967BF~1.EXE > nul
        10⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADF9~1.EXE > nul
        9⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF1B6~1.EXE > nul
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{996C6~1.EXE > nul
        7⤵
        
        PID:3916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEA0~1.EXE > nul
        6⤵
        
        PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDD0~1.EXE > nul
        5⤵
        
        PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{40E43~1.EXE > nul
      4⤵
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{085DB~1.EXE > nul
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{085DB853-097D-427f-8ED3-256AD199D688}.exe

Filesize
344KB

MD5
dd97ac07bdbe1c38af3bf22760350367

SHA1
d7010ac5c7ceed33fd2c50b1a934ec6b895e96c4

SHA256
d1b71623c35d6ad97c5c20b3694cfffe1294ccddf8de6ce449cd73c220192755

SHA512
ee0e5324dfdcf1f6981df8d35e8dd16869feb6ed6caa6e7eb43d46c71d7d39b6748014ce6825088fcc39c2eae2a7d4cbb2724ec8a3587a08cfcdf5e639c536d2

Download Submit
C:\Windows\{40E437FB-2A3F-46a5-A611-20F589A44EE2}.exe

Filesize
344KB

MD5
a45b37d1fdc1dc18169e7037f61ab231

SHA1
ac72f214813935198f284f92d00645d1948efc61

SHA256
567bdfcde318d4bc56239c5dd94627b2e7874e6530efc13a0aa69259631938c7

SHA512
11ed200270d5058fa4d57834930fadd6d6fc03efdd4a699cfdec5d069e672d9f408d3ccfb6b28d36ec19b484e82d5be7fae4c64e5413e4260049f0c161e98ca0

Download Submit
C:\Windows\{4A7F2E41-2C54-4e84-B306-4B12D57659E6}.exe

Filesize
344KB

MD5
c63939131d845cd1e9a34071205f2c21

SHA1
9716f38e321ee59516d810384e23f594572b06ec

SHA256
99fef9178cea116646c4fb88fa786f53e54dae9e6cf8697c241f958ac6931457

SHA512
7f041100d3752379a3d956a7732055bfc50442a376daf14877fb72e5c990f87aaf4465f3e45ebf251d9e0abccb858b63b1ea67db1bb08b61e4520788fee3b6a4

Download Submit
C:\Windows\{4ADF94B4-1794-4930-94BA-53BE94037039}.exe

Filesize
344KB

MD5
2b6cf313d6314fbe375085f1d3ee3697

SHA1
8256501dba778af25efe9e1e67f3076181e9bd62

SHA256
cbc67ed65e795d6a4b7fd499b8bd928eb86af5307fc5aa8e6ac2c162a3e461de

SHA512
82c56714a5c62504cf71bab81713c0d6df990400d0a2644f6f8230eaa4b3ec6fa6f99882590799e033b6ea8070fd0088a5f94d23c122111fb38113a5d72357a4

Download Submit
C:\Windows\{7E6BFECA-76EE-4a9b-91C0-C95BB40D19B8}.exe

Filesize
344KB

MD5
9da5decd96c2fbb037b60c1bd070bba9

SHA1
c9cf781535ec0f1f7e59c87f2b3a04535e3b58cc

SHA256
f564b16fe51541c822d7553f7e9dd27998a8f6f64481f582ea0e94da9e26828c

SHA512
dcfd62263fab38874346a5ce8a6b9a51220635b4e8e6aebe887b3ebb159b66536be33f85355b3594d895c263106c58529de59c0cb6fd7e9a8ed78921c9ed00ab

Download Submit
C:\Windows\{967BF1C2-1F83-4d0a-9297-CA52348575CC}.exe

Filesize
344KB

MD5
ed1011ea6986da72194b50143bc5a8bf

SHA1
e277482eaf7a660ab96bdb75cdaa6e401890d840

SHA256
e496dd9db62e9f049ce8a18b567c0bb8cf7bc359ace49356c25c9fc605fb1d3d

SHA512
472d613405998c6853dcd1d5db5af7ec63d977114902c29e42187eb0cb77e8485a0e68ce9af7c07b09c268301c789e045b1f73a3a05bccdb393684146a43f12d

Download Submit
C:\Windows\{996C652B-9A5B-49f3-BA49-AC6F600666B0}.exe

Filesize
344KB

MD5
385c464fab5b16fd6086ab38869f1e26

SHA1
e8596fd5405cbc2aa5f6e187c59065f904ab3c86

SHA256
65589b2ada1bcf7324a1b53b791623b2415a6366edac3bef3143a4976cc0f893

SHA512
f7753c0ef161423bf950b56c789d6f959a43091f3892f71d4a2bf706bdd4540e279a708fa0039fa249b36d935f1b512ffa69c1805d0e46c467dcab1ca4d2a331

Download Submit
C:\Windows\{ACEA061C-C660-4aa3-961D-4DD96F4CA9A9}.exe

Filesize
344KB

MD5
29e0bd7daacbd9e89fa873cf95e50d1a

SHA1
9198dee1e5f1bc325dfe40e00f2dd3fd85cb611c

SHA256
089f1fb627044fc55c3feedef81d3f7496cbe5e951485487460f4673bf46b3b4

SHA512
874b8d57c38297d937c553bb8a8939ff2f710b9bcbd9414cf065f1de61b4a7e09578a2bc620615fc15e36a8a3c140d4fd4eadd703e1f16e0c40ebc2a6ca77ab3

Download Submit
C:\Windows\{BEDD0B6A-F221-4e12-B25E-564A5D116584}.exe

Filesize
344KB

MD5
b5dca22e7a1bcfe296bc24cc9ed4df55

SHA1
7236cb3ea113c1ef29028270e0b30b864651871a

SHA256
4e81a987e91db560affc923b065b869cb0a9e957a1d50a4102a4e2a9605a4291

SHA512
547730f6495280e2536a8e45f20acd0badace81fe3c845b057c9765aed49c8ba9d75d10a9c055acc985d529c6c7d5d27c2f078f691b5c03e78ba40529d0f4d8a

Download Submit
C:\Windows\{BF1B6743-A1C3-4f53-8775-199CA6D624EA}.exe

Filesize
344KB

MD5
abd8ba6c2f6de27c1378e171e06a2dd2

SHA1
6670d04dd9ca1ba3debc67c308b14c983c4bafb9

SHA256
c1e460a6a0767bdbb735ce05fc5c7f9a1d7818b05d5c7eccb2a73411eaa65525

SHA512
48ee6315b57e07194a2ab6b569543b86da7b216d0b36458b0399bfd02a8cc1285f34de7217d7acdd8bb04be4d4d7b308b28e191fe2411c9ba6de77975c3ea55c

Download Submit
C:\Windows\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe

Filesize
143KB

MD5
a4addf790dcdf9f3b8864ed4285fe929

SHA1
85af549562235ad451824373a29a1bc2fc85cda4

SHA256
33a68fbe48509f0a36003be86ee86151b8d46fc2f529b52556c9f30b5af813b9

SHA512
da4be7957f2b5939e7afa4ec856aa045fd6b9d96830258e16866ed1d0682ff586f03a8d70782f14b4b5329f038fcabd39f0cc5f2df1cc74592c7685cc820c4ea

Download Submit
C:\Windows\{D70B390D-E1A3-40b1-8F48-0708B5FA3374}.exe

Filesize
64KB

MD5
a3417cdab278ecb0e0283037497abea3

SHA1
e5deb032ca73520b6e4266021304d6b5a0f99b3c

SHA256
5192cd7e50e1dd20184c72797a789451c72c09a77530957f939a5994facf1f58

SHA512
fbe77b7e460e947a2c66cda23ca583d1eee6ca6ae31fabc653924c4679c072ca25139a2e158496196501f12cd1c308a8986a874f32dca3396c80209fd5589a61

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads