85c4632be6f7f609526f12d39444f67c386a16183537e6d22f0ed4535e5ce028

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Size

408KB
MD5

b8e3b8466d67c42687b726dd959b5172
SHA1

e33b0566f8e6e30d6a198cf3defc91cd78b458e3
SHA256

85c4632be6f7f609526f12d39444f67c386a16183537e6d22f0ed4535e5ce028
SHA512

9530dfb3f7507d0e52b44fbebce915c6fa4405f4a8916e4e44cd6ba59bc0e2601ab56f275fbe8f924982d537fa38f0c4f2dd689451dfe7724d46b68832d49292
SSDEEP

3072:CEGh0oxl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGLldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023327-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023334-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000167e1-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023346-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000167e1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023346-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000167e1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023346-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000226af-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230f1-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000226af-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000230f3-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}\stubpath = "C:\\Windows\\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe"	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5266E660-9D15-452e-B353-A319EAF481D9}	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}	{5266E660-9D15-452e-B353-A319EAF481D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}\stubpath = "C:\\Windows\\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}.exe"	{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CF29E5-C43F-4148-8587-56E36CFC4159}\stubpath = "C:\\Windows\\{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe"	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{813804A6-1E90-41fd-8394-C23D20442FFB}\stubpath = "C:\\Windows\\{813804A6-1E90-41fd-8394-C23D20442FFB}.exe"	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F4DEB8-0565-4647-AE64-F6B82B394744}	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}\stubpath = "C:\\Windows\\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe"	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F27139-9320-40d8-826D-121614530212}\stubpath = "C:\\Windows\\{E4F27139-9320-40d8-826D-121614530212}.exe"	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}	{E4F27139-9320-40d8-826D-121614530212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CF29E5-C43F-4148-8587-56E36CFC4159}	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBF4E7C-A382-4866-8CA3-55B082195E12}	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBF4E7C-A382-4866-8CA3-55B082195E12}\stubpath = "C:\\Windows\\{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe"	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84DA096F-E6B7-480e-9600-DD10633AFE0A}\stubpath = "C:\\Windows\\{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe"	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}\stubpath = "C:\\Windows\\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe"	{5266E660-9D15-452e-B353-A319EAF481D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}	{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{813804A6-1E90-41fd-8394-C23D20442FFB}	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F4DEB8-0565-4647-AE64-F6B82B394744}\stubpath = "C:\\Windows\\{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe"	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84DA096F-E6B7-480e-9600-DD10633AFE0A}	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F27139-9320-40d8-826D-121614530212}	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}\stubpath = "C:\\Windows\\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe"	{E4F27139-9320-40d8-826D-121614530212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5266E660-9D15-452e-B353-A319EAF481D9}\stubpath = "C:\\Windows\\{5266E660-9D15-452e-B353-A319EAF481D9}.exe"	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe

Executes dropped EXE 12 IoCs

pid	Process
1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
2564	{E4F27139-9320-40d8-826D-121614530212}.exe
4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe
1540	{5266E660-9D15-452e-B353-A319EAF481D9}.exe
884	{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe
972	{2D9A8256-3C8A-4553-B287-B9E196A84A6F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
File created	C:\Windows\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
File created	C:\Windows\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	{E4F27139-9320-40d8-826D-121614530212}.exe
File created	C:\Windows\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}.exe	{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe
File created	C:\Windows\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe	{5266E660-9D15-452e-B353-A319EAF481D9}.exe
File created	C:\Windows\{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
File created	C:\Windows\{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
File created	C:\Windows\{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
File created	C:\Windows\{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
File created	C:\Windows\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
File created	C:\Windows\{E4F27139-9320-40d8-826D-121614530212}.exe	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
File created	C:\Windows\{5266E660-9D15-452e-B353-A319EAF481D9}.exe	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
Token: SeIncBasePriorityPrivilege	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
Token: SeIncBasePriorityPrivilege	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
Token: SeIncBasePriorityPrivilege	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
Token: SeIncBasePriorityPrivilege	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
Token: SeIncBasePriorityPrivilege	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
Token: SeIncBasePriorityPrivilege	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
Token: SeIncBasePriorityPrivilege	2564	{E4F27139-9320-40d8-826D-121614530212}.exe
Token: SeIncBasePriorityPrivilege	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe
Token: SeIncBasePriorityPrivilege	1540	{5266E660-9D15-452e-B353-A319EAF481D9}.exe
Token: SeIncBasePriorityPrivilege	884	{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1400	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	97
PID 2612 wrote to memory of 1400	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	97
PID 2612 wrote to memory of 1400	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	97
PID 2612 wrote to memory of 4864	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	98
PID 2612 wrote to memory of 4864	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	98
PID 2612 wrote to memory of 4864	2612	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	98
PID 1400 wrote to memory of 2880	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	106
PID 1400 wrote to memory of 2880	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	106
PID 1400 wrote to memory of 2880	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	106
PID 1400 wrote to memory of 1684	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	107
PID 1400 wrote to memory of 1684	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	107
PID 1400 wrote to memory of 1684	1400	{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe	107
PID 2880 wrote to memory of 3296	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	112
PID 2880 wrote to memory of 3296	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	112
PID 2880 wrote to memory of 3296	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	112
PID 2880 wrote to memory of 440	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	113
PID 2880 wrote to memory of 440	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	113
PID 2880 wrote to memory of 440	2880	{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe	113
PID 3296 wrote to memory of 4412	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	115
PID 3296 wrote to memory of 4412	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	115
PID 3296 wrote to memory of 4412	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	115
PID 3296 wrote to memory of 2564	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	116
PID 3296 wrote to memory of 2564	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	116
PID 3296 wrote to memory of 2564	3296	{813804A6-1E90-41fd-8394-C23D20442FFB}.exe	116
PID 4412 wrote to memory of 3764	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	117
PID 4412 wrote to memory of 3764	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	117
PID 4412 wrote to memory of 3764	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	117
PID 4412 wrote to memory of 2820	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	118
PID 4412 wrote to memory of 2820	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	118
PID 4412 wrote to memory of 2820	4412	{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe	118
PID 3764 wrote to memory of 3192	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	120
PID 3764 wrote to memory of 3192	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	120
PID 3764 wrote to memory of 3192	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	120
PID 3764 wrote to memory of 3176	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	121
PID 3764 wrote to memory of 3176	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	121
PID 3764 wrote to memory of 3176	3764	{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe	121
PID 3192 wrote to memory of 64	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	122
PID 3192 wrote to memory of 64	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	122
PID 3192 wrote to memory of 64	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	122
PID 3192 wrote to memory of 3228	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	123
PID 3192 wrote to memory of 3228	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	123
PID 3192 wrote to memory of 3228	3192	{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe	123
PID 64 wrote to memory of 2564	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	124
PID 64 wrote to memory of 2564	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	124
PID 64 wrote to memory of 2564	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	124
PID 64 wrote to memory of 3296	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	125
PID 64 wrote to memory of 3296	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	125
PID 64 wrote to memory of 3296	64	{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe	125
PID 2564 wrote to memory of 4608	2564	{E4F27139-9320-40d8-826D-121614530212}.exe	133
PID 2564 wrote to memory of 4608	2564	{E4F27139-9320-40d8-826D-121614530212}.exe	133
PID 2564 wrote to memory of 4608	2564	{E4F27139-9320-40d8-826D-121614530212}.exe	133
PID 2564 wrote to memory of 4012	2564	{E4F27139-9320-40d8-826D-121614530212}.exe	134
PID 2564 wrote to memory of 4012	2564	{E4F27139-9320-40d8-826D-121614530212}.exe	134
PID 2564 wrote to memory of 4012	2564	{E4F27139-9320-40d8-826D-121614530212}.exe	134
PID 4608 wrote to memory of 1540	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	135
PID 4608 wrote to memory of 1540	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	135
PID 4608 wrote to memory of 1540	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	135
PID 4608 wrote to memory of 1628	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	136
PID 4608 wrote to memory of 1628	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	136
PID 4608 wrote to memory of 1628	4608	{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe	136
PID 1540 wrote to memory of 884	1540	{5266E660-9D15-452e-B353-A319EAF481D9}.exe	137
PID 1540 wrote to memory of 884	1540	{5266E660-9D15-452e-B353-A319EAF481D9}.exe	137
PID 1540 wrote to memory of 884	1540	{5266E660-9D15-452e-B353-A319EAF481D9}.exe	137
PID 1540 wrote to memory of 2728	1540	{5266E660-9D15-452e-B353-A319EAF481D9}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
  C:\Windows\{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
    C:\Windows\{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
      C:\Windows\{813804A6-1E90-41fd-8394-C23D20442FFB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
        
        C:\Windows\{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Windows\{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
        
        C:\Windows\{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
        
        C:\Windows\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
        
        C:\Windows\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\{E4F27139-9320-40d8-826D-121614530212}.exe
        
        C:\Windows\{E4F27139-9320-40d8-826D-121614530212}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe
        
        C:\Windows\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{5266E660-9D15-452e-B353-A319EAF481D9}.exe
        
        C:\Windows\{5266E660-9D15-452e-B353-A319EAF481D9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe
        
        C:\Windows\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}.exe
        
        C:\Windows\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}.exe
        13⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1097B~1.EXE > nul
        13⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5266E~1.EXE > nul
        12⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{117ED~1.EXE > nul
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4F27~1.EXE > nul
        10⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98E97~1.EXE > nul
        9⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DBF1~1.EXE > nul
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84DA0~1.EXE > nul
        7⤵
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F4D~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81380~1.EXE > nul
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5DBF4~1.EXE > nul
      4⤵
      PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6CF2~1.EXE > nul
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3176 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:8
1⤵
PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1097B3AD-1053-4a50-8F3C-DD81B8F3BB27}.exe

Filesize
408KB

MD5
fae926e76efad2896b82802e2ccc7d68

SHA1
2eb8e585e9b1bb23a8774d0bd61e5db9cd5b00b0

SHA256
51c16d9296b5a4c07e6fa71a2b1466e12e1bf696f9c4f3e301d34094f27aba27

SHA512
30fdb81e616cfb276895fd521287c6122d5ce2f543dd09cc46982b850c7de62b1fc3fd40aea995ef7aa72b79dad1f99defbdcbc9c4aa71bd4e678d1144089ccb

Download Submit
C:\Windows\{117EDEBF-5354-4125-BEB0-06F9F6CAF570}.exe

Filesize
408KB

MD5
14a5d934a6b32eb3aeede07f25e49f1f

SHA1
91ab4c1c36177ac05fa1b302eae5d1bd5d72369f

SHA256
bf542092e4bd85a3c2f60321807f31b54db08cb02558b400fcbaf808b7c00e2e

SHA512
3a5a9ed1de54fe42bd909355d65d9c11381ae01a6ffe51af8b37e5fceb9138d000c1c6e0dad133caff5dd53769458d34a06c4423916d5b90c537d91a383e90fe

Download Submit
C:\Windows\{2D9A8256-3C8A-4553-B287-B9E196A84A6F}.exe

Filesize
408KB

MD5
5d1bd8a91ec4476ca833fba723d0fa79

SHA1
9fcf744d2361469f820b92903d10183e93484ec2

SHA256
788e7782873898b35cc828871492e40b3e208c39f9143b9fa062eb45d083f807

SHA512
d44b28285cba5a3c0d7f4240a44760b44845c11a378fa42507a7a5599887579b045ec5bd8feede0ba77beb818bdfd757bba51d7a0873457abe3fdbe6bb0436f9

Download Submit
C:\Windows\{2DBF181B-C806-4c1e-A017-DA43DD8A41C3}.exe

Filesize
408KB

MD5
c46ba0f6706b37f0e55a08c48d6dffe5

SHA1
b666296355c2eb15a68cc706db40d89628f58b27

SHA256
737a15087f3f4b40cc7e452879bf266249794ac92fb44739c62f3b4bbeeb9de6

SHA512
e4d0e169bfa2f23c84868d324b4e1882294dfefd6ed850e775daac102db6351e76b071dcf9bbc68cf41cf19a047a83fad3bf30330ddbd289e9647510b0a5cbcf

Download Submit
C:\Windows\{5266E660-9D15-452e-B353-A319EAF481D9}.exe

Filesize
408KB

MD5
5a44fd9743542171e36a0fc4d497fe7a

SHA1
6de03dfc29e2cac853de57eca5add287aee74366

SHA256
ee960994dd16e2e602cf621e9aed4ca7b2bd0ba89155f2ca72114f9ef26dd7a0

SHA512
4ccdafe16f018b9b8ea98f9bf5d6053ccdba60d348cfb9f1caeec81bf7f97e62922b24686682c65ec3aa84e8e428f73e71753ea40eb51b4ae9e88a2a4f41a98e

Download Submit
C:\Windows\{5DBF4E7C-A382-4866-8CA3-55B082195E12}.exe

Filesize
408KB

MD5
9c5a57bb156f9f899884529fa1b4a236

SHA1
933a5e6c9cc0285d4c4f8f04fff0850c27e27cea

SHA256
77ae5fd150d5fe8cb699bfc239d2f5433966b950d0ab6cf1fffd864e95d332cd

SHA512
779b73768db48d517a481215aa11dcfd9dc7a007f832997ea00cd085b78a26678de6cf00940e0fbcd6d6eb9583ac83df6b1afe984632f7278b4e4f3ff0f57ece

Download Submit
C:\Windows\{813804A6-1E90-41fd-8394-C23D20442FFB}.exe

Filesize
408KB

MD5
84cebede8231b824877b50e714dd62cf

SHA1
dd812d26d50a73bbc8cb87dda07bd397a903482b

SHA256
24a61dc45bdd9d9abdcabdba7a0a39c44a799587de417d37eb21438e91e17934

SHA512
6516a3f0a2a779de76ad3cddc67626078b32a9dc96a76db0b2f8a4c539fe1000e79db5b1ae2f41f71f25ad9ffa7a52105f10360a5d271f331eb4552395baea8d

Download Submit
C:\Windows\{84DA096F-E6B7-480e-9600-DD10633AFE0A}.exe

Filesize
408KB

MD5
4cf4a9f69c9a83b65e54a6a90910efc0

SHA1
d6a0d695bfa68a9305e7c96dde5eb71e7b942ff1

SHA256
a9b9b4cdd73f68d79b4b2b6a2e81de6ce4207cefb1667669990997c0d6475167

SHA512
d29f450ce2beb85f4c7e22a76e864e04c61099367a8fa1c0b79037445b8c67921420b4c0b65baa5b3bc01784a3cc270af2652b23d9ea4768408c3bfb987f3a93

Download Submit
C:\Windows\{98E97BBF-59C5-44b3-9533-7B3B9C0FC7E2}.exe

Filesize
408KB

MD5
77e60fe7c813c46d847eab91e0b5392e

SHA1
58dfa47463230cb1dccccec06b5734c24812f7b5

SHA256
4d6c71d5c08767ed6546fb30beccd2406756dd97f9d20a039dbe6ce7c64ff85e

SHA512
9e157cbcef85e6ffa8099502f540862ef3f9255d187597b7214d04cbc77dfcc6e22237d9b0d2135f44f45dd963a6b492d994a2fc975f3f736c58324b60a58e22

Download Submit
C:\Windows\{B6CF29E5-C43F-4148-8587-56E36CFC4159}.exe

Filesize
408KB

MD5
85c6ea1275a9bb807ff5fc8236414cd4

SHA1
aeddd1604b06398949bfe68089bd1173e3a38a0f

SHA256
8ed54a260f929a0150293a5e8d12086402c26d2c55e64172a7af0b52b11abe10

SHA512
704ea621344ac84f00f010ea244669c9188c0d1b65cb32d9c85eb8bc8757727b7b668bd13609db0eb2e8a0bcec9c9420ea750d358461414a6c03cf9d0eecd93d

Download Submit
C:\Windows\{C5F4DEB8-0565-4647-AE64-F6B82B394744}.exe

Filesize
408KB

MD5
710f0ddad125ab11e597a7d7f0189c2a

SHA1
a87022a10a57dea2d0d2a64969dacef853f4fc12

SHA256
7e9fad13b807e1f202d94c434629e40776ceba5984f587db015db0b72a19bc9a

SHA512
479bcb2e311a350ab3e2aaa82cd01fe8696ae424c5b84e618e55bdac5b2ca1c63c9cf2ec78b87118bc995d274e44dda5f3e6d9fab15949041a1a9fc7a21c1382

Download Submit
C:\Windows\{E4F27139-9320-40d8-826D-121614530212}.exe

Filesize
408KB

MD5
1058559840aee6f33f8cc614515cfde0

SHA1
30095617ac18b65db7331e7077bd2325f7544572

SHA256
f754a3579de6b6fd8061dd96a9f66bb618b9097476cc073c31b822814160cce5

SHA512
bdfc0a079eaa48cd9b9010860f12053d594d490ceaa945e053daa75956fd3ad33606f11cfde48c0f44fbbee0886fdf59eff5e628fab80ecbdc09d684f59e6515

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads