e883982c556a58f5f82f4e98bb197b6ffbfce9312fe5f8557d10029619b2a5d1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe
Size

380KB
MD5

9da615e97678e13b28ddb6cb6fc52567
SHA1

5b01aa6adf4a175ba931f0fb20122be733bd4da5
SHA256

e883982c556a58f5f82f4e98bb197b6ffbfce9312fe5f8557d10029619b2a5d1
SHA512

2021f2db4ec3a37156215ccbb471e1567e8116c098224418ac11775d2d6e44b5daeddbe0b7be9d996d49aa3cae40501590052e32f2c86f5f551a787facaf209f
SSDEEP

3072:mEGh0o7lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023278-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002327e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023288-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e2e1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023287-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e2e1-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5F23549-D429-49c6-BB59-025AB85EA860}\stubpath = "C:\\Windows\\{B5F23549-D429-49c6-BB59-025AB85EA860}.exe"	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}\stubpath = "C:\\Windows\\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe"	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}\stubpath = "C:\\Windows\\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe"	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05BFB76C-798E-4575-B76D-9E5131BE172E}\stubpath = "C:\\Windows\\{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe"	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5F23549-D429-49c6-BB59-025AB85EA860}	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BC2837-A03A-4b0e-A218-708265502E4A}	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46DB8042-8124-4fad-AEFD-3E607943D6EA}	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}\stubpath = "C:\\Windows\\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe"	{9B128313-9148-406b-8715-6421CE6E38AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}\stubpath = "C:\\Windows\\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe"	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05BFB76C-798E-4575-B76D-9E5131BE172E}	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46DB8042-8124-4fad-AEFD-3E607943D6EA}\stubpath = "C:\\Windows\\{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe"	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}	{9B128313-9148-406b-8715-6421CE6E38AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BC2837-A03A-4b0e-A218-708265502E4A}\stubpath = "C:\\Windows\\{87BC2837-A03A-4b0e-A218-708265502E4A}.exe"	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}\stubpath = "C:\\Windows\\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe"	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B128313-9148-406b-8715-6421CE6E38AC}	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B128313-9148-406b-8715-6421CE6E38AC}\stubpath = "C:\\Windows\\{9B128313-9148-406b-8715-6421CE6E38AC}.exe"	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}\stubpath = "C:\\Windows\\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe"	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe
1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
4780	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe
836	{87BC2837-A03A-4b0e-A218-708265502E4A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
File created	C:\Windows\{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
File created	C:\Windows\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	{9B128313-9148-406b-8715-6421CE6E38AC}.exe
File created	C:\Windows\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
File created	C:\Windows\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
File created	C:\Windows\{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
File created	C:\Windows\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
File created	C:\Windows\{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
File created	C:\Windows\{9B128313-9148-406b-8715-6421CE6E38AC}.exe	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
File created	C:\Windows\{87BC2837-A03A-4b0e-A218-708265502E4A}.exe	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe
File created	C:\Windows\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
Token: SeIncBasePriorityPrivilege	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
Token: SeIncBasePriorityPrivilege	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
Token: SeIncBasePriorityPrivilege	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
Token: SeIncBasePriorityPrivilege	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
Token: SeIncBasePriorityPrivilege	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
Token: SeIncBasePriorityPrivilege	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
Token: SeIncBasePriorityPrivilege	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe
Token: SeIncBasePriorityPrivilege	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
Token: SeIncBasePriorityPrivilege	4780	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4344	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe	96
PID 5064 wrote to memory of 4344	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe	96
PID 5064 wrote to memory of 4344	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe	96
PID 5064 wrote to memory of 876	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe	97
PID 5064 wrote to memory of 876	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe	97
PID 5064 wrote to memory of 876	5064	2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe	97
PID 4344 wrote to memory of 1116	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	101
PID 4344 wrote to memory of 1116	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	101
PID 4344 wrote to memory of 1116	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	101
PID 4344 wrote to memory of 2688	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	102
PID 4344 wrote to memory of 2688	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	102
PID 4344 wrote to memory of 2688	4344	{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe	102
PID 1116 wrote to memory of 764	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	103
PID 1116 wrote to memory of 764	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	103
PID 1116 wrote to memory of 764	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	103
PID 1116 wrote to memory of 3420	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	104
PID 1116 wrote to memory of 3420	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	104
PID 1116 wrote to memory of 3420	1116	{B5F23549-D429-49c6-BB59-025AB85EA860}.exe	104
PID 764 wrote to memory of 4788	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	106
PID 764 wrote to memory of 4788	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	106
PID 764 wrote to memory of 4788	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	106
PID 764 wrote to memory of 2604	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	107
PID 764 wrote to memory of 2604	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	107
PID 764 wrote to memory of 2604	764	{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe	107
PID 4788 wrote to memory of 1696	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	108
PID 4788 wrote to memory of 1696	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	108
PID 4788 wrote to memory of 1696	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	108
PID 4788 wrote to memory of 3948	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	109
PID 4788 wrote to memory of 3948	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	109
PID 4788 wrote to memory of 3948	4788	{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe	109
PID 1696 wrote to memory of 2440	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	110
PID 1696 wrote to memory of 2440	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	110
PID 1696 wrote to memory of 2440	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	110
PID 1696 wrote to memory of 1100	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	111
PID 1696 wrote to memory of 1100	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	111
PID 1696 wrote to memory of 1100	1696	{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe	111
PID 2440 wrote to memory of 2016	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	112
PID 2440 wrote to memory of 2016	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	112
PID 2440 wrote to memory of 2016	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	112
PID 2440 wrote to memory of 1960	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	113
PID 2440 wrote to memory of 1960	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	113
PID 2440 wrote to memory of 1960	2440	{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe	113
PID 2016 wrote to memory of 1508	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	114
PID 2016 wrote to memory of 1508	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	114
PID 2016 wrote to memory of 1508	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	114
PID 2016 wrote to memory of 1940	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	115
PID 2016 wrote to memory of 1940	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	115
PID 2016 wrote to memory of 1940	2016	{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe	115
PID 1508 wrote to memory of 1168	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe	116
PID 1508 wrote to memory of 1168	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe	116
PID 1508 wrote to memory of 1168	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe	116
PID 1508 wrote to memory of 3532	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe	117
PID 1508 wrote to memory of 3532	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe	117
PID 1508 wrote to memory of 3532	1508	{9B128313-9148-406b-8715-6421CE6E38AC}.exe	117
PID 1168 wrote to memory of 4780	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	118
PID 1168 wrote to memory of 4780	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	118
PID 1168 wrote to memory of 4780	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	118
PID 1168 wrote to memory of 4716	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	119
PID 1168 wrote to memory of 4716	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	119
PID 1168 wrote to memory of 4716	1168	{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe	119
PID 4780 wrote to memory of 836	4780	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe	120
PID 4780 wrote to memory of 836	4780	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe	120
PID 4780 wrote to memory of 836	4780	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe	120
PID 4780 wrote to memory of 812	4780	{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_9da615e97678e13b28ddb6cb6fc52567_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
  C:\Windows\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
    C:\Windows\{B5F23549-D429-49c6-BB59-025AB85EA860}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
      C:\Windows\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
        
        C:\Windows\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
        
        C:\Windows\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
        
        C:\Windows\{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
        
        C:\Windows\{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{9B128313-9148-406b-8715-6421CE6E38AC}.exe
        
        C:\Windows\{9B128313-9148-406b-8715-6421CE6E38AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
        
        C:\Windows\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe
        
        C:\Windows\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{87BC2837-A03A-4b0e-A218-708265502E4A}.exe
        
        C:\Windows\{87BC2837-A03A-4b0e-A218-708265502E4A}.exe
        12⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D357F~1.EXE > nul
        12⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D988D~1.EXE > nul
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B128~1.EXE > nul
        10⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46DB8~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05BFB~1.EXE > nul
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{924F7~1.EXE > nul
        7⤵
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D79F~1.EXE > nul
        6⤵
        
        PID:3948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0D8~1.EXE > nul
        5⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F23~1.EXE > nul
      4⤵
      PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA29~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05BFB76C-798E-4575-B76D-9E5131BE172E}.exe

Filesize
380KB

MD5
4f6fdd521108e8921f69c540544fcea7

SHA1
6b49906bf03a05dfa3eacb3fef850ad24bf133b7

SHA256
6742427c9d23916197db0079d2e30150314bc7b23c33c2340a7c2d109981ce39

SHA512
17e9403276da5d887204f0697d2150ed4ecc561ef3f64760e639ee4118c8d2f651477535d15ef4ed8cad3f1d1dbeb27d33ccad9f03c35801c0606a85f6a8e96c

Download Submit
C:\Windows\{2BA291DB-0047-4c86-ADF3-B8F74D62B83A}.exe

Filesize
380KB

MD5
4934b9aa2bf3c3c714aceaaa2fc4b981

SHA1
bf577cb4d269a4736df475a5fc437454bf5e39d3

SHA256
9a200b6eec410e16ded99183bbe911027d6e9062515be96dee354d5c28ccfa06

SHA512
7e44f69fe7dd27e4004be25ca7aa4215045483c207bd112c98b9670c1fdcd6115aeffbb912fda0f5a0c651d80d59591ede78aa13220ea1ecba359d0b469ff53d

Download Submit
C:\Windows\{46DB8042-8124-4fad-AEFD-3E607943D6EA}.exe

Filesize
380KB

MD5
c2cd3e4acf06321336e0c0bfae3d33b7

SHA1
b87602538bb9d7ec7632a72ca861c13c03439782

SHA256
e4d66eb525b73dc4f7720d366d5cc4b73e7db11c565aeb93178f0e07d02c5d21

SHA512
e5da6dba32190dd31acbccfe6c5bdbf02f55fe13ada0d5ab2ecd3eeda2c7b28ef6300161d2b32556c7d6eda4ead98ac6a78eb4d03155b0f54e0f5426cdd92e8d

Download Submit
C:\Windows\{4D79F67C-2772-4e4b-8B42-A442E5A5E16A}.exe

Filesize
380KB

MD5
6cf3465f3fa70aa6c3a488e1a22de732

SHA1
0fff92805b5cabac3ad65b55d79b4fa5e88bcc17

SHA256
6a997d56ce07460caf7cb257bd01f6ef09ae39ddf60eaefd74a93603d243f031

SHA512
0bcb981b407c9109a288792e49d5e776875d78490213a33c602347d1ee244381a0a76c45fb14bb585f014fe34f1e5926ae48e26a1ffa4241da3630ac52e4c962

Download Submit
C:\Windows\{5A0D8B52-F83F-43f9-B9E1-53D0B7E7C7A6}.exe

Filesize
380KB

MD5
0f629f78cea01565d07bf0fa363c3202

SHA1
9245ab6db7f61cf6ebfedd8a49ca431184d7f686

SHA256
ffb9c940fafdc3763ea9e6dcb449531381c7c6d8ede3f171fbc9ce5320ccc7e9

SHA512
9ab2464f22dd13e0186a1f12dac457fb243e7a405fe27dff0a8bd72206c05e288f1085f55d63c18ab03d7f13630001f4c2c45c90a220613e23ebba8bc0b218fe

Download Submit
C:\Windows\{87BC2837-A03A-4b0e-A218-708265502E4A}.exe

Filesize
380KB

MD5
ec93a3136e6ba566bb76d39bdf238c0c

SHA1
631cf3a185aa69720f40c1608c4f061446057505

SHA256
dfe1ea422f867cae10406ed4f421e0164e7df316e03f3554182249bcf123b04f

SHA512
34df6ce598f7c0c711fa7a86912f3ac1c2f873340e5aedbd40767563ea307a05b3228dfe29a075f5dd903b95e3a68910498d809c620422adae15d57528ede87a

Download Submit
C:\Windows\{924F726F-A16D-4373-A7E0-51C8EFD8A66D}.exe

Filesize
380KB

MD5
51a87ffd88c8ced6ef6b09a4b99b8eb7

SHA1
72140c831cf8a11be30878a1c3e65e8f702aa305

SHA256
47cae30f0ed6b8aa58bd189fff8a244b05ffc2894074f752da6df53a1140b5ee

SHA512
0d0a132a04138486ee6c37c8b3d468d37d5efc7f75170a3b5c364d2f725275f46282db1081393b60d6d5274ca9255cb96069eb2ecdff06c8afc70592f2b3e47c

Download Submit
C:\Windows\{9B128313-9148-406b-8715-6421CE6E38AC}.exe

Filesize
380KB

MD5
4599a5155af061b920977deeb669221c

SHA1
2b18438b5c0240c5312911de4726a9ad9694914e

SHA256
5868e84cd9c9c14fbe90e5975863b8525856817bbe355a1a6bfabf3b7b136cb6

SHA512
c09971a66d170a3df9ce88164c3a7d4a8e981d536609395653a171218280b95f45b327b25ad85c6657aa7007d94e4681bcf9cce1c79d8b69ada8620ba66d465c

Download Submit
C:\Windows\{B5F23549-D429-49c6-BB59-025AB85EA860}.exe

Filesize
380KB

MD5
a602d33019aaca2a12442191ea24f018

SHA1
3438b7484fb3d0295e79855c9e341a0158de1e85

SHA256
cf0c32d8b6df28e7d3c3ef55d01f550abcc88bfffcb779b5ddefc20252aa8b32

SHA512
3903118b214f281369c2d20f8e7dd01cb0402198a23a60568d833e1e295a1184d515527430d88b603c4558a525ee745c80c4c0a31b21ea04ecfd392bc9ee133a

Download Submit
C:\Windows\{D357FCB0-4AE6-49cc-A8A2-2C0D9EBFEE01}.exe

Filesize
380KB

MD5
966e90dc4019b16d2db8896577e8b0f0

SHA1
10f9959421d027058503555625a0bba6ba58ae3f

SHA256
fdb5d420ec4a420b8a05a8c1ddadc062ada90f3c9666129b5c9e2bf07bbd66ea

SHA512
5ba372df051961af4fab41e6e90bafeb1d1640928aee0cb439e5a7dd056e70a1760bc7068e4953e1078aaab9680eb5d4a5e42a69f106517dfaf50ada5a9e19bb

Download Submit
C:\Windows\{D988D08A-CF99-447d-AF03-39E6CC1B9B95}.exe

Filesize
380KB

MD5
6f90d1b1477ad7504c2c1aac0f65e42f

SHA1
30153016651a615dd6a44e65a2b9548af470a297

SHA256
1a6fec93a33ea34782cae67e9dd88e9bf576d90b158d7dc5674ce8e203745d85

SHA512
929ccb28331887dda0ab15e9446977e50f5eb3907dd45bcbef9d8b0e16997b80f5ecb08f97d3d0c497dab997860942e3538ace11c8730e9a5db6365ec2f91df7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads