ed101167245ff40adbd54e09a3c24f8c1937f2a4a0d525bbaf71c3ebb040fb8a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Size

180KB
MD5

90a75baad13f1d2ed66626c86be3297f
SHA1

a21dc5bd5a09d0c5c7c5a7cdfef58d0a0f8914f6
SHA256

ed101167245ff40adbd54e09a3c24f8c1937f2a4a0d525bbaf71c3ebb040fb8a
SHA512

400d6528217193aa32db66a5bc207b740b664dc9dd4cb5f061b617914437be2d92e64a4d7d3a26366ea5f48e8827170a8f107e9fa81dd1f6289c057f9c001739
SSDEEP

3072:jEGh0owlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023359-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023362-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023369-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000167e1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023369-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000167e1-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023369-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000167e1-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000001e303-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000167e1-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000001e303-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000230f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8B74205-AFD3-4164-9C65-AC3279179838}	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8B74205-AFD3-4164-9C65-AC3279179838}\stubpath = "C:\\Windows\\{B8B74205-AFD3-4164-9C65-AC3279179838}.exe"	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50D5F368-FC77-4725-83CE-27892C1DAE00}\stubpath = "C:\\Windows\\{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe"	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{759F872E-3635-4c63-A2D1-134628263864}	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}\stubpath = "C:\\Windows\\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe"	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{110EC86E-D588-43e8-8384-4C9691BADA82}\stubpath = "C:\\Windows\\{110EC86E-D588-43e8-8384-4C9691BADA82}.exe"	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}\stubpath = "C:\\Windows\\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe"	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}\stubpath = "C:\\Windows\\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe"	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF807691-3290-4ca4-8822-F72F75E6D472}	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}\stubpath = "C:\\Windows\\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe"	{759F872E-3635-4c63-A2D1-134628263864}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551036C3-F018-400c-9A16-950CA3A752F0}	{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{110EC86E-D588-43e8-8384-4C9691BADA82}	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551036C3-F018-400c-9A16-950CA3A752F0}\stubpath = "C:\\Windows\\{551036C3-F018-400c-9A16-950CA3A752F0}.exe"	{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D50E441-E6E4-438f-AD41-3B9107A722BD}\stubpath = "C:\\Windows\\{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe"	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50D5F368-FC77-4725-83CE-27892C1DAE00}	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0927D88-913C-402f-8B17-B7753DC19E1C}	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{759F872E-3635-4c63-A2D1-134628263864}\stubpath = "C:\\Windows\\{759F872E-3635-4c63-A2D1-134628263864}.exe"	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}	{759F872E-3635-4c63-A2D1-134628263864}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D50E441-E6E4-438f-AD41-3B9107A722BD}	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF807691-3290-4ca4-8822-F72F75E6D472}\stubpath = "C:\\Windows\\{DF807691-3290-4ca4-8822-F72F75E6D472}.exe"	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0927D88-913C-402f-8B17-B7753DC19E1C}\stubpath = "C:\\Windows\\{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe"	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe

Executes dropped EXE 12 IoCs

pid	Process
1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe
3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
4336	{759F872E-3635-4c63-A2D1-134628263864}.exe
4132	{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe
3752	{551036C3-F018-400c-9A16-950CA3A752F0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
File created	C:\Windows\{551036C3-F018-400c-9A16-950CA3A752F0}.exe	{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe
File created	C:\Windows\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
File created	C:\Windows\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe
File created	C:\Windows\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
File created	C:\Windows\{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
File created	C:\Windows\{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
File created	C:\Windows\{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
File created	C:\Windows\{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
File created	C:\Windows\{759F872E-3635-4c63-A2D1-134628263864}.exe	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
File created	C:\Windows\{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
File created	C:\Windows\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe	{759F872E-3635-4c63-A2D1-134628263864}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe
Token: SeIncBasePriorityPrivilege	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
Token: SeIncBasePriorityPrivilege	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
Token: SeIncBasePriorityPrivilege	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
Token: SeIncBasePriorityPrivilege	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
Token: SeIncBasePriorityPrivilege	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
Token: SeIncBasePriorityPrivilege	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
Token: SeIncBasePriorityPrivilege	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
Token: SeIncBasePriorityPrivilege	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
Token: SeIncBasePriorityPrivilege	4336	{759F872E-3635-4c63-A2D1-134628263864}.exe
Token: SeIncBasePriorityPrivilege	4132	{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1164	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	104
PID 2928 wrote to memory of 1164	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	104
PID 2928 wrote to memory of 1164	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	104
PID 2928 wrote to memory of 4136	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	105
PID 2928 wrote to memory of 4136	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	105
PID 2928 wrote to memory of 4136	2928	2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe	105
PID 1164 wrote to memory of 3568	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	108
PID 1164 wrote to memory of 3568	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	108
PID 1164 wrote to memory of 3568	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	108
PID 1164 wrote to memory of 4868	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	109
PID 1164 wrote to memory of 4868	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	109
PID 1164 wrote to memory of 4868	1164	{110EC86E-D588-43e8-8384-4C9691BADA82}.exe	109
PID 3568 wrote to memory of 4556	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	111
PID 3568 wrote to memory of 4556	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	111
PID 3568 wrote to memory of 4556	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	111
PID 3568 wrote to memory of 4736	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	112
PID 3568 wrote to memory of 4736	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	112
PID 3568 wrote to memory of 4736	3568	{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe	112
PID 4556 wrote to memory of 3448	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	114
PID 4556 wrote to memory of 3448	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	114
PID 4556 wrote to memory of 3448	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	114
PID 4556 wrote to memory of 968	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	115
PID 4556 wrote to memory of 968	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	115
PID 4556 wrote to memory of 968	4556	{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe	115
PID 3448 wrote to memory of 3756	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	117
PID 3448 wrote to memory of 3756	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	117
PID 3448 wrote to memory of 3756	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	117
PID 3448 wrote to memory of 1164	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	118
PID 3448 wrote to memory of 1164	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	118
PID 3448 wrote to memory of 1164	3448	{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe	118
PID 3756 wrote to memory of 460	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	120
PID 3756 wrote to memory of 460	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	120
PID 3756 wrote to memory of 460	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	120
PID 3756 wrote to memory of 4884	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	121
PID 3756 wrote to memory of 4884	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	121
PID 3756 wrote to memory of 4884	3756	{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe	121
PID 460 wrote to memory of 2960	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	122
PID 460 wrote to memory of 2960	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	122
PID 460 wrote to memory of 2960	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	122
PID 460 wrote to memory of 3000	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	123
PID 460 wrote to memory of 3000	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	123
PID 460 wrote to memory of 3000	460	{B8B74205-AFD3-4164-9C65-AC3279179838}.exe	123
PID 2960 wrote to memory of 1228	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	124
PID 2960 wrote to memory of 1228	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	124
PID 2960 wrote to memory of 1228	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	124
PID 2960 wrote to memory of 4116	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	125
PID 2960 wrote to memory of 4116	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	125
PID 2960 wrote to memory of 4116	2960	{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe	125
PID 1228 wrote to memory of 3568	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	134
PID 1228 wrote to memory of 3568	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	134
PID 1228 wrote to memory of 3568	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	134
PID 1228 wrote to memory of 3000	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	135
PID 1228 wrote to memory of 3000	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	135
PID 1228 wrote to memory of 3000	1228	{DF807691-3290-4ca4-8822-F72F75E6D472}.exe	135
PID 3568 wrote to memory of 4336	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	136
PID 3568 wrote to memory of 4336	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	136
PID 3568 wrote to memory of 4336	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	136
PID 3568 wrote to memory of 3964	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	137
PID 3568 wrote to memory of 3964	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	137
PID 3568 wrote to memory of 3964	3568	{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe	137
PID 4336 wrote to memory of 4132	4336	{759F872E-3635-4c63-A2D1-134628263864}.exe	138
PID 4336 wrote to memory of 4132	4336	{759F872E-3635-4c63-A2D1-134628263864}.exe	138
PID 4336 wrote to memory of 4132	4336	{759F872E-3635-4c63-A2D1-134628263864}.exe	138
PID 4336 wrote to memory of 4288	4336	{759F872E-3635-4c63-A2D1-134628263864}.exe	139

C:\Users\Admin\AppData\Local\Temp\2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_90a75baad13f1d2ed66626c86be3297f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\{110EC86E-D588-43e8-8384-4C9691BADA82}.exe
  C:\Windows\{110EC86E-D588-43e8-8384-4C9691BADA82}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
    C:\Windows\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
      C:\Windows\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
        
        C:\Windows\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
        
        C:\Windows\{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
        
        C:\Windows\{B8B74205-AFD3-4164-9C65-AC3279179838}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
        
        C:\Windows\{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
        
        C:\Windows\{DF807691-3290-4ca4-8822-F72F75E6D472}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
        
        C:\Windows\{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\{759F872E-3635-4c63-A2D1-134628263864}.exe
        
        C:\Windows\{759F872E-3635-4c63-A2D1-134628263864}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe
        
        C:\Windows\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\{551036C3-F018-400c-9A16-950CA3A752F0}.exe
        
        C:\Windows\{551036C3-F018-400c-9A16-950CA3A752F0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ACD4~1.EXE > nul
        13⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{759F8~1.EXE > nul
        12⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0927~1.EXE > nul
        11⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF807~1.EXE > nul
        10⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50D5F~1.EXE > nul
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8B74~1.EXE > nul
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D50E~1.EXE > nul
        7⤵
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EFF4~1.EXE > nul
        6⤵
        
        PID:1164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C15D8~1.EXE > nul
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84F5E~1.EXE > nul
      4⤵
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{110EC~1.EXE > nul
    3⤵
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{110EC86E-D588-43e8-8384-4C9691BADA82}.exe

Filesize
180KB

MD5
b7f056b96f038dd781e33ed2645556d7

SHA1
33e93b0acc38b999717f7d08d612b8f16bf38274

SHA256
d89d176f3a6d80a7b01e4422323e9c50a33c401b953c2472575abe37f9ce6e1e

SHA512
cfc2ce9c8ac2d86543b587247f4360a694ccb699183f8b7fffcf68d638980060f083899d5b55e9bdd7ef8e8c3ce3bd3b7d849957fdc81d67f92a25b2288169e8

Download Submit
C:\Windows\{3D50E441-E6E4-438f-AD41-3B9107A722BD}.exe

Filesize
180KB

MD5
80e4d85613cbef0b0064a50afb248422

SHA1
20f5c30c85a824a72cae8cb6eeb565c0efc76fda

SHA256
05b581e76ab3364e16ee9543483b51a6688cfba3c7ad51d1e9ade8c047eb8d4c

SHA512
7220fedbe9ab7dbcf64ce3115bcdaec8801b695ccb85fd76e298e4ffa6f0ab7eac8ddfe5672f992b8ba4bd70bbb0ebc41fbbc30e048024acce1eb9f64075ad90

Download Submit
C:\Windows\{50D5F368-FC77-4725-83CE-27892C1DAE00}.exe

Filesize
180KB

MD5
dff03177423e58f870b70c0bf1d75b6c

SHA1
37ce30cb35176e1ca1963c3def7be227ae990d0e

SHA256
0bc7398a0ee93240629f112274fc73f09e2279c5d5aa35240f52969dcf592837

SHA512
edad33ee38c16438e3c54392c7f2ca1bf40ba507dc85ac4e7590f9c3857183750c9944c9af0f4ba944fcc28a460b105cd8155bcf33a2f861d02f7b4ecedc9855

Download Submit
C:\Windows\{551036C3-F018-400c-9A16-950CA3A752F0}.exe

Filesize
180KB

MD5
cfa53fc5aa46582145290363d8ee20a9

SHA1
0e988205a439cc585808ad36329564167aa3bf1c

SHA256
b21ed975699af6512a47cc777cc1492b093f708d68d52a8a23aadb82a51f8016

SHA512
b0bc31f98864b7adc3e1fa0c0d29f4fc38b5ba4e32c8a80a9165cbbd8b2f0818216ff69f6ae9d131e08aebbcf82c37c749631b798a5efc5d9090272b85aeeaea

Download Submit
C:\Windows\{5EFF4738-291F-4afc-B8CD-ECD85E631B94}.exe

Filesize
180KB

MD5
4c97d5a99aab17de35a77fc49cd0030a

SHA1
60408a719272d70d7af520a5d08e5196339ce118

SHA256
02bf754943401dc476399e71aea6ec0109d09b329d55dfe32c5c214c46495228

SHA512
b7954a79b5ed0c8c09d438504e607297601d9cd1ac02f91598996ec54bb1a2aefbfea3f5b530445c77fc3b04a470aacb97b4e020d40f81a6f069cbedb08c7d7c

Download Submit
C:\Windows\{759F872E-3635-4c63-A2D1-134628263864}.exe

Filesize
180KB

MD5
1f19354789cfc863a2c1465d2bac4291

SHA1
8d8635be59e8dbf02027bd662e049c0ee19b8a8a

SHA256
5edfdc8e91a51701849788f8a61dfb867cc83fd7ecc9770c5e42101ddcbda0eb

SHA512
055d4139fc3324d5ee7c28f8ec59b64f4b6c48ad561ac58db6fa4627b47be121f16a35862145e1e07ba9fd899d451f121ac64ed9f1689781269dc2c2aa294703

Download Submit
C:\Windows\{84F5E5C3-A5D9-482e-8907-278E9AE9536C}.exe

Filesize
180KB

MD5
06614436a82e51459c7bf1befe0f53d3

SHA1
f1e12fe91d1924d32f613dc0512d09eab2ca24a8

SHA256
80a4d549073ce35dca7a8fd482e5747144448ad7604dfbc9f35d5b7740dc05c5

SHA512
1cf8060a403ab0c36b3eb12b590d28fe6c63d5b0082e63832e7c4c15ac8db2d816fdb2843a03df09ee0d00de7224f1eb844027fba7d6be07c36ca98df99fc15d

Download Submit
C:\Windows\{8ACD43C5-7075-4e91-8508-D9C2A59E388E}.exe

Filesize
180KB

MD5
c10fdf722c415b155df10b3ce0e52a1b

SHA1
a988116ae13f3e659a31d3daabf73d8abd814c5f

SHA256
ddc5602f30ab802af64827008787142a07996f07bfb99e08c12fa65221868953

SHA512
a6b00efbc9c3ea5de90e06061f0d916736f929fd0d7c5cb7be52cbb75cb4930f4f507c027f04c440ab6e250e8451aa2cea8167683731a50943d5466b391e9843

Download Submit
C:\Windows\{A0927D88-913C-402f-8B17-B7753DC19E1C}.exe

Filesize
180KB

MD5
48927158d171f72e8a922041397174d0

SHA1
08b4a0fdeebb144ca2edb6900f723b60646e55a0

SHA256
44c28f307ad58937dadad1c19894ce8bd5b4d8c20ae1a9769513bfd7b5dd4e64

SHA512
b1bb22c5e5e2ac224a136620dfa0c2738fcaa965c905bec643ec8c057425d83dbf824f588f47ce5b78fbbe2522eaaa1217f441d7824aa2fb7836920ea03ff6c1

Download Submit
C:\Windows\{B8B74205-AFD3-4164-9C65-AC3279179838}.exe

Filesize
180KB

MD5
f9a1c8717a4226a65f1a2a033d040ef3

SHA1
ddf87eb786789e6e5a90cd039a35b9fe961b92fe

SHA256
673498bf72e02daf404a0941f49cfc1ea77315cec95b1d0fc0fb01d5ab0a5573

SHA512
b6def60476fdf6c417e9d5ecf9971c5a35aee203c549c76c474231ce32e9b3dc24126a878b8ab0ff96ac439c65a3c4a1def01206448bcdb36ca09830514c4d9d

Download Submit
C:\Windows\{C15D8430-5C7B-4dd7-8793-5BD7B8DCEB74}.exe

Filesize
180KB

MD5
da52d5c8b438aa45f6cb45ee6d9f411d

SHA1
0c59e7e26146d30e6b51e0e897763d528e8f85d1

SHA256
4000ed665c69bac9745be0fcdcad31ef72644fe44d783395b72b4cbd5d2956de

SHA512
ab9536c12c5c6ad8515eda74c7507599f58dda827ca43c7826dcc5ae82ba20d744a5ef5414eba7564d4be0ffb3db9ecedd35b7a78fe236a0ba6e10c3cea2175e

Download Submit
C:\Windows\{DF807691-3290-4ca4-8822-F72F75E6D472}.exe

Filesize
180KB

MD5
b661ac13d528c0076f44bcd4301d9633

SHA1
e40adbf0928c5965d2c6f315ee0317104bf1eb4f

SHA256
d92d0170db1deeb6b1cff7b55586e190171228f3dcf2c21c1115863c3f14a636

SHA512
01b1b1019b810b9a8461d5ccc77224a0c2309d661248717524428b3fc667503bd281a957aa1f3cd7ce751baca4ad6ff652054494fe48d3c19757bc74cf3cdc22

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads