287b9f8cc977be6aaa202f4ba0c64654fc1564658c0d16d01d8699b4ba415c8f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Size

180KB
MD5

c7b901c333537732680213b79fd71b97
SHA1

3588897f5e01ea6e3589575d75784e578dcd1b49
SHA256

287b9f8cc977be6aaa202f4ba0c64654fc1564658c0d16d01d8699b4ba415c8f
SHA512

504c0890063c7f4e7b9d566c3db4ba63f533c980f33bdb04176449f1eec39c11917164932b865dd2ea32a9d3b6cdd6588124e21c8f807255c1635b1a8c09cd76
SSDEEP

3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022d25-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002326b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023272-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002326b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023272-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002326b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016fa5-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000026-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A473B8EA-21D3-4179-83AE-F0E91453109A}	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A473B8EA-21D3-4179-83AE-F0E91453109A}\stubpath = "C:\\Windows\\{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe"	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5599FBE9-E67E-49f3-856C-52DE1878B423}	{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}\stubpath = "C:\\Windows\\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe"	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AFC754-01A9-49d9-A63E-A492072906F4}	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AFC754-01A9-49d9-A63E-A492072906F4}\stubpath = "C:\\Windows\\{63AFC754-01A9-49d9-A63E-A492072906F4}.exe"	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}\stubpath = "C:\\Windows\\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe"	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}\stubpath = "C:\\Windows\\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe"	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F9568B-3CB4-4203-BA6E-0500938E166E}	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11C1928-1648-4b54-82B7-641D03F62DD8}\stubpath = "C:\\Windows\\{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe"	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464FC050-7FA6-4813-9A76-55EFD7B860D4}\stubpath = "C:\\Windows\\{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe"	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}\stubpath = "C:\\Windows\\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe"	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}\stubpath = "C:\\Windows\\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe"	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}\stubpath = "C:\\Windows\\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe"	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F9568B-3CB4-4203-BA6E-0500938E166E}\stubpath = "C:\\Windows\\{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe"	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11C1928-1648-4b54-82B7-641D03F62DD8}	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464FC050-7FA6-4813-9A76-55EFD7B860D4}	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5599FBE9-E67E-49f3-856C-52DE1878B423}\stubpath = "C:\\Windows\\{5599FBE9-E67E-49f3-856C-52DE1878B423}.exe"	{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe

Executes dropped EXE 12 IoCs

pid	Process
928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
3968	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
4212	{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe
3724	{5599FBE9-E67E-49f3-856C-52DE1878B423}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
File created	C:\Windows\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
File created	C:\Windows\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
File created	C:\Windows\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
File created	C:\Windows\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
File created	C:\Windows\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
File created	C:\Windows\{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
File created	C:\Windows\{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
File created	C:\Windows\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
File created	C:\Windows\{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
File created	C:\Windows\{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
File created	C:\Windows\{5599FBE9-E67E-49f3-856C-52DE1878B423}.exe	{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
Token: SeIncBasePriorityPrivilege	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
Token: SeIncBasePriorityPrivilege	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
Token: SeIncBasePriorityPrivilege	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
Token: SeIncBasePriorityPrivilege	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
Token: SeIncBasePriorityPrivilege	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
Token: SeIncBasePriorityPrivilege	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
Token: SeIncBasePriorityPrivilege	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
Token: SeIncBasePriorityPrivilege	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
Token: SeIncBasePriorityPrivilege	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
Token: SeIncBasePriorityPrivilege	3968	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
Token: SeIncBasePriorityPrivilege	4212	{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 928	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	99
PID 4000 wrote to memory of 928	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	99
PID 4000 wrote to memory of 928	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	99
PID 4000 wrote to memory of 1084	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	100
PID 4000 wrote to memory of 1084	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	100
PID 4000 wrote to memory of 1084	4000	2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe	100
PID 928 wrote to memory of 968	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	104
PID 928 wrote to memory of 968	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	104
PID 928 wrote to memory of 968	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	104
PID 928 wrote to memory of 3560	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	105
PID 928 wrote to memory of 3560	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	105
PID 928 wrote to memory of 3560	928	{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe	105
PID 968 wrote to memory of 1420	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	107
PID 968 wrote to memory of 1420	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	107
PID 968 wrote to memory of 1420	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	107
PID 968 wrote to memory of 4544	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	108
PID 968 wrote to memory of 4544	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	108
PID 968 wrote to memory of 4544	968	{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe	108
PID 1420 wrote to memory of 3724	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	110
PID 1420 wrote to memory of 3724	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	110
PID 1420 wrote to memory of 3724	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	110
PID 1420 wrote to memory of 2796	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	111
PID 1420 wrote to memory of 2796	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	111
PID 1420 wrote to memory of 2796	1420	{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe	111
PID 3724 wrote to memory of 4236	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	112
PID 3724 wrote to memory of 4236	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	112
PID 3724 wrote to memory of 4236	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	112
PID 3724 wrote to memory of 1596	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	113
PID 3724 wrote to memory of 1596	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	113
PID 3724 wrote to memory of 1596	3724	{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe	113
PID 4236 wrote to memory of 896	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	114
PID 4236 wrote to memory of 896	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	114
PID 4236 wrote to memory of 896	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	114
PID 4236 wrote to memory of 1688	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	115
PID 4236 wrote to memory of 1688	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	115
PID 4236 wrote to memory of 1688	4236	{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe	115
PID 896 wrote to memory of 1644	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	116
PID 896 wrote to memory of 1644	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	116
PID 896 wrote to memory of 1644	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	116
PID 896 wrote to memory of 2220	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	117
PID 896 wrote to memory of 2220	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	117
PID 896 wrote to memory of 2220	896	{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe	117
PID 1644 wrote to memory of 1384	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	118
PID 1644 wrote to memory of 1384	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	118
PID 1644 wrote to memory of 1384	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	118
PID 1644 wrote to memory of 1600	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	119
PID 1644 wrote to memory of 1600	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	119
PID 1644 wrote to memory of 1600	1644	{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe	119
PID 1384 wrote to memory of 4316	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	120
PID 1384 wrote to memory of 4316	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	120
PID 1384 wrote to memory of 4316	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	120
PID 1384 wrote to memory of 4744	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	121
PID 1384 wrote to memory of 4744	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	121
PID 1384 wrote to memory of 4744	1384	{63AFC754-01A9-49d9-A63E-A492072906F4}.exe	121
PID 4316 wrote to memory of 3968	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	122
PID 4316 wrote to memory of 3968	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	122
PID 4316 wrote to memory of 3968	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	122
PID 4316 wrote to memory of 1108	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	123
PID 4316 wrote to memory of 1108	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	123
PID 4316 wrote to memory of 1108	4316	{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe	123
PID 3968 wrote to memory of 4212	3968	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe	124
PID 3968 wrote to memory of 4212	3968	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe	124
PID 3968 wrote to memory of 4212	3968	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe	124
PID 3968 wrote to memory of 4800	3968	{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_c7b901c333537732680213b79fd71b97_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
  C:\Windows\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
    C:\Windows\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
      C:\Windows\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
        
        C:\Windows\{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
        
        C:\Windows\{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
        
        C:\Windows\{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
        
        C:\Windows\{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
        
        C:\Windows\{63AFC754-01A9-49d9-A63E-A492072906F4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
        
        C:\Windows\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
        
        C:\Windows\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe
        
        C:\Windows\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\{5599FBE9-E67E-49f3-856C-52DE1878B423}.exe
        
        C:\Windows\{5599FBE9-E67E-49f3-856C-52DE1878B423}.exe
        13⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B96~1.EXE > nul
        13⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{764DC~1.EXE > nul
        12⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AA3~1.EXE > nul
        11⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63AFC~1.EXE > nul
        10⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{464FC~1.EXE > nul
        9⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C11C1~1.EXE > nul
        8⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F95~1.EXE > nul
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A473B~1.EXE > nul
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B019~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD53C~1.EXE > nul
      4⤵
      PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD226~1.EXE > nul
    3⤵
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B01935D-7C8B-4caf-B6A6-5A9E26CC412D}.exe

Filesize
180KB

MD5
16398d36f420d2fc77338656ed912e12

SHA1
edca7726dc89bdfd21f9711fef0b88f3f458ab8b

SHA256
fccca2b5a466f1f3c378a7a8d4a994469fdc692eee90448790f37cce533fd703

SHA512
e0ce3b739948004d05b80bcccf66fafc5b0cfa80dbdaa2404b9aff172b6c20dc0b401a1794a79fe8f47f0f351a568a9fd4cb7a5766efde7cb720d123997bd47f

Download Submit
C:\Windows\{464FC050-7FA6-4813-9A76-55EFD7B860D4}.exe

Filesize
180KB

MD5
6ca9e2b29ce16e89d0e249e90d22e17a

SHA1
0803d9b75c60bd148f684350655a3a7e25ef57f0

SHA256
34485220aa37cdf978bc1a726244573d2f1387e515202c9b263a3403573bea95

SHA512
102761402655b4c5b9aea44f6baedcb61d97fbf7bb2f615f14a5bb9fee72543efbd26255a98ffd52afb4012dcf4cd936ed25ff58866409b2ba11c3de2cbd667e

Download Submit
C:\Windows\{5599FBE9-E67E-49f3-856C-52DE1878B423}.exe

Filesize
180KB

MD5
6a05f845df5abe3f42518db9ebc120d6

SHA1
3e014fc40591a4121c63cd3a57b49c85f2ee49b0

SHA256
f4d1f12abbcda3c2957d91a532c88ea4778d863c2f0799dff03600a9f9d3e1dc

SHA512
d811b1e4dd40c35a6e13155c068f20382b520fd1c3f5b332416a03463b2ae4103e86334f36ac5b2e57547fe6aa4c1159c626fa38634f9812ab54c6349ee6bd27

Download Submit
C:\Windows\{63AFC754-01A9-49d9-A63E-A492072906F4}.exe

Filesize
180KB

MD5
4b82a27c0c6a4edc9b3bcf28adfde13f

SHA1
08e9a07757ee385fdacec4999bdd1239eed5e28e

SHA256
7fbab81b54295889507ee0666215118a691caa033fbe322f35e9d5f97b4c6f3a

SHA512
17a120d45fbd5250bdd48bbfa99c5f7adc11391f8b3a82d90ea616ee6803163f840c1562efceea84513ec2d61ebeb8ced526519486df677ae0a148f3e5df7af1

Download Submit
C:\Windows\{764DC547-7E4F-4f00-ABCB-75F4597FB55A}.exe

Filesize
180KB

MD5
8da2086c3c57dcea31d92999120297f5

SHA1
5fba33cb9ca1d08328429a2ada4c98896ea44891

SHA256
bdb48032cab80d7a35675ad74988eb9c744e54f835be2e0c8101b3947362d759

SHA512
63f0efa8a3aa0a321ac5055c7ac98483f421ab5dc444770d2e32e04b551ece42792c58addbe8f35a3df2487aa0c25f47c405c2cc27047e7f0ab745d3a6b5538d

Download Submit
C:\Windows\{92B96F11-AF1D-483c-9A74-1470DEBDDF2D}.exe

Filesize
180KB

MD5
45fafe6bc3f5303875f1df173f183d0f

SHA1
3a8401f80d2edeaba39b8efae11e2630a8a514d9

SHA256
92394a96d419fcfae8d1e38f52547c0cc0c99547a6d2ed0da0d858876059b1be

SHA512
8d64258776183ac32300b25eb91588f7cbac67453c3573e425e00f3ecb51b27ad5e81e14b25c9734c1dea4027259b41c40a7ddb9c5b83c0517d93b4a60c4eb8f

Download Submit
C:\Windows\{A473B8EA-21D3-4179-83AE-F0E91453109A}.exe

Filesize
180KB

MD5
ad6e9a54e73bc04cbc475d651008086f

SHA1
4616b36661aa58e480f975509eae6b13470bc0af

SHA256
8218a1c80b3b7745162bf38f4fc8aea5dd83b327b43f6055cd437df9eae5e147

SHA512
f7a282f97d22d343bac84f2125b23e2ed5829a2812a8b48eb13070db2a0a62a0356857ae61337e4689686b0782bf62b4e68c9662ca4dd28d296805e4ff98c421

Download Submit
C:\Windows\{A8AA36AC-AB26-4908-9B36-388095FE1F1E}.exe

Filesize
180KB

MD5
aa8a7cd8197142f2e551bd0f33ef22dd

SHA1
9d786fdde93391a38bda83b73bde7701e8e9c06b

SHA256
4ca958a5ae646d963af797981d7cebaee5cb157c68ae66e8e5dad50ad4449a92

SHA512
01e6769bbf5bf6aa5258eb9dd495b06a9babd8756a80ea883c302d332771e0ae51da8b491ab7b59a24974fdd17b387965062ff57a3f14a477c981a4aa20535e7

Download Submit
C:\Windows\{C11C1928-1648-4b54-82B7-641D03F62DD8}.exe

Filesize
180KB

MD5
2b9c02766b7c5ddf56642c954bc79d50

SHA1
31f49084a292d63032813da5d7e6c7e2a3f0d62a

SHA256
1440b9008e43d75ab35d9b36bf5b8aa20fac1a96bd1c6b0067a53a60fa84fd52

SHA512
84483c2b77fea91e9c80c8a78f49e9aae7c8275c818b0cbac87b71b71285e62a233af520549170dd7949ebb52f8e1428173873dee8f2440dbb6213f79024501e

Download Submit
C:\Windows\{C9F9568B-3CB4-4203-BA6E-0500938E166E}.exe

Filesize
180KB

MD5
0e4d0e84c788414d955500d5e707a096

SHA1
d4475220431fa1dc7f75ad17ffefc316767da3bb

SHA256
3c81cd865227576ba64f77c0b704c6f2e2586c4bc78465c4f7cc09bdef01518a

SHA512
8519a1a89b02ba4171357a8193cd897eb9999e69eecb86ab39a8d1c340ebca430478f38cc8186f0a4450fa74c9e28d71c0eb93a9f2b0124df3fefaef34511067

Download Submit
C:\Windows\{CD2261ED-15BA-477f-A3F8-8D8ADF85E093}.exe

Filesize
180KB

MD5
8b98a237d58e4cf510a6cf7c43d92ac7

SHA1
c95b3fde99f7b3eadf01fce90b933587d8e26748

SHA256
90329abd2f5fb5f4c9dc4c5814ab05f687e6682dac940ddd2d7a5be53779a609

SHA512
b638310d1a1cfd1bc1b3ae20502646824ac10bb8575a7c74cc54d4c653a9f4521be2c57d7215b8f65b2c9470d95f81fe0a853c730ff114c70e095a54fca44d15

Download Submit
C:\Windows\{CD53CC58-4E41-4223-ABA4-8A2BD8A6B22D}.exe

Filesize
180KB

MD5
200be3521e694c030b3d5969f9e8548d

SHA1
98ba94988b6a1c98e7d301831cd98c06fa91a491

SHA256
b9ad8ec8042ffb181ee944ccc132e4d9023248a4d6eefba1b8291718062feb8e

SHA512
dabbcc20a0c30b258c37a12cf09084269b29e3ece7451c541916fed241c2df4df72cc08447b924fe2a0a63f11fb52d30f82e6dfd48811a3f3be660b15e56f60d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads