385df9021db84c230321c8fb7c00e3b90a23a820acd949c5319006ca5a52502a

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Size

372KB
MD5

a0915d7c9161dc6d762ee5f52ea8afa4
SHA1

318e908143af17ad6472274e974823de84bdd16a
SHA256

385df9021db84c230321c8fb7c00e3b90a23a820acd949c5319006ca5a52502a
SHA512

3e46ad68f5fc2b265ff5171b9565065a27c4b73d6c22d9bfee308d2397c04f18c007466e4aaf5c45d66a3f5961174374b211606ad3c9ec2f6c98d826aac503d2
SSDEEP

3072:CEGh0o/mlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJmlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023261-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023272-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002326f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023272-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51873C73-8B8B-449e-97B8-5CDB5B84522E}\stubpath = "C:\\Windows\\{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe"	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}\stubpath = "C:\\Windows\\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe"	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A979843-5AFB-4655-B6FE-5E82645497F1}\stubpath = "C:\\Windows\\{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe"	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6431A9D-1543-4ddf-A475-9BA734A31789}\stubpath = "C:\\Windows\\{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe"	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}\stubpath = "C:\\Windows\\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe"	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}\stubpath = "C:\\Windows\\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe"	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51873C73-8B8B-449e-97B8-5CDB5B84522E}	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}\stubpath = "C:\\Windows\\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe"	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}\stubpath = "C:\\Windows\\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe"	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A979843-5AFB-4655-B6FE-5E82645497F1}	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}\stubpath = "C:\\Windows\\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe"	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6431A9D-1543-4ddf-A475-9BA734A31789}	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}\stubpath = "C:\\Windows\\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe"	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe

Executes dropped EXE 10 IoCs

pid	Process
3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe
4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe
2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe
260	{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
File created	C:\Windows\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe
File created	C:\Windows\{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
File created	C:\Windows\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe
File created	C:\Windows\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
File created	C:\Windows\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
File created	C:\Windows\{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
File created	C:\Windows\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
File created	C:\Windows\{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
File created	C:\Windows\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
Token: SeIncBasePriorityPrivilege	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
Token: SeIncBasePriorityPrivilege	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
Token: SeIncBasePriorityPrivilege	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe
Token: SeIncBasePriorityPrivilege	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe
Token: SeIncBasePriorityPrivilege	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
Token: SeIncBasePriorityPrivilege	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
Token: SeIncBasePriorityPrivilege	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
Token: SeIncBasePriorityPrivilege	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3276	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	94
PID 1424 wrote to memory of 3276	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	94
PID 1424 wrote to memory of 3276	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	94
PID 1424 wrote to memory of 4880	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	95
PID 1424 wrote to memory of 4880	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	95
PID 1424 wrote to memory of 4880	1424	2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe	95
PID 3276 wrote to memory of 1084	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	100
PID 3276 wrote to memory of 1084	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	100
PID 3276 wrote to memory of 1084	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	100
PID 3276 wrote to memory of 1332	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	101
PID 3276 wrote to memory of 1332	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	101
PID 3276 wrote to memory of 1332	3276	{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe	101
PID 1084 wrote to memory of 412	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	102
PID 1084 wrote to memory of 412	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	102
PID 1084 wrote to memory of 412	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	102
PID 1084 wrote to memory of 4916	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	103
PID 1084 wrote to memory of 4916	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	103
PID 1084 wrote to memory of 4916	1084	{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe	103
PID 412 wrote to memory of 4820	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	105
PID 412 wrote to memory of 4820	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	105
PID 412 wrote to memory of 4820	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	105
PID 412 wrote to memory of 3460	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	106
PID 412 wrote to memory of 3460	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	106
PID 412 wrote to memory of 3460	412	{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe	106
PID 4820 wrote to memory of 4944	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	107
PID 4820 wrote to memory of 4944	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	107
PID 4820 wrote to memory of 4944	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	107
PID 4820 wrote to memory of 1692	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	108
PID 4820 wrote to memory of 1692	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	108
PID 4820 wrote to memory of 1692	4820	{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe	108
PID 4944 wrote to memory of 2140	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	109
PID 4944 wrote to memory of 2140	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	109
PID 4944 wrote to memory of 2140	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	109
PID 4944 wrote to memory of 4172	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	110
PID 4944 wrote to memory of 4172	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	110
PID 4944 wrote to memory of 4172	4944	{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe	110
PID 2140 wrote to memory of 816	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	111
PID 2140 wrote to memory of 816	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	111
PID 2140 wrote to memory of 816	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	111
PID 2140 wrote to memory of 916	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	112
PID 2140 wrote to memory of 916	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	112
PID 2140 wrote to memory of 916	2140	{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe	112
PID 816 wrote to memory of 2728	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	113
PID 816 wrote to memory of 2728	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	113
PID 816 wrote to memory of 2728	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	113
PID 816 wrote to memory of 5112	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	114
PID 816 wrote to memory of 5112	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	114
PID 816 wrote to memory of 5112	816	{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe	114
PID 2728 wrote to memory of 4960	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	115
PID 2728 wrote to memory of 4960	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	115
PID 2728 wrote to memory of 4960	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	115
PID 2728 wrote to memory of 3876	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	116
PID 2728 wrote to memory of 3876	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	116
PID 2728 wrote to memory of 3876	2728	{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe	116
PID 4960 wrote to memory of 260	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	117
PID 4960 wrote to memory of 260	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	117
PID 4960 wrote to memory of 260	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	117
PID 4960 wrote to memory of 2920	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	118
PID 4960 wrote to memory of 2920	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	118
PID 4960 wrote to memory of 2920	4960	{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_a0915d7c9161dc6d762ee5f52ea8afa4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
  C:\Windows\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
    C:\Windows\{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
      C:\Windows\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe
        
        C:\Windows\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe
        
        C:\Windows\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
        
        C:\Windows\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
        
        C:\Windows\{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
        
        C:\Windows\{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe
        
        C:\Windows\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe
        
        C:\Windows\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe
        11⤵
        Executes dropped EXE
        
        PID:260
        
        C:\Windows\{BC6CECE3-268F-40d7-A8A1-118E99EC9A5E}.exe
        
        C:\Windows\{BC6CECE3-268F-40d7-A8A1-118E99EC9A5E}.exe
        12⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99723~1.EXE > nul
        12⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAB6B~1.EXE > nul
        11⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51873~1.EXE > nul
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A979~1.EXE > nul
        9⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B33~1.EXE > nul
        8⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55870~1.EXE > nul
        7⤵
        
        PID:4172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49AEC~1.EXE > nul
        6⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{585CB~1.EXE > nul
        5⤵
        
        PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6431~1.EXE > nul
      4⤵
      PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F9A0~1.EXE > nul
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3F9A0C03-7133-4c80-8B4E-1938EB04E4EC}.exe

Filesize
372KB

MD5
ad50b1489b1287ee7a8be67e817156ba

SHA1
7df7f6f3194a23ab05ea4fed010a8ecdac471e2d

SHA256
f3c74615f6f669dfb69128a702221b7124c90becb32fbfed5ee7c6c1f16021ed

SHA512
f18769f747b5dad4e6882c9a4f3677483f55d4988ddc020644980022bb19d9e9e4664ac4dc467034da8939d2a9c6ff398681ae1302c5eee5b73ad027a0bb362f

Download Submit
C:\Windows\{49AEC2C0-0A2D-4c03-9457-25C6E6D0A19C}.exe

Filesize
372KB

MD5
741faec4f470858737f781929bcc19bf

SHA1
2f3fa5ab233abcce109c59248b3c0fb308ccadfe

SHA256
a5eaf85b181888c334122fa2c317d6fcdde562fee82a5b2e63ddcdfaec553503

SHA512
00489ca55a6c89957f34d31bc48a556e5b66bafef73891ca339f7697b818b9c865f005cb25b32d59823fa93f2516a67e9e46c9d022302b092180421091a718a2

Download Submit
C:\Windows\{51873C73-8B8B-449e-97B8-5CDB5B84522E}.exe

Filesize
372KB

MD5
dd789219b2a08f577f299157a3fd23ef

SHA1
63c4ce31be3dd203ed9aba9e59e1873569897587

SHA256
70f1b535092ea91f7f45b6a4a18e7755337fbf3663158564f08d69121ec4062f

SHA512
07ee18e74bb8ea9e9803b946d5ff449637c5c64fa798466fef9522ffec3071fb3ca003a4b6c016f0e7f6b6812d2c08105348ec71d7f3b7d5dd3f418c40eb5fe5

Download Submit
C:\Windows\{55870396-DA1E-4888-AE90-F64BB6D4F7B5}.exe

Filesize
372KB

MD5
fc8ff41c939e24acc2fd378e5704e2a1

SHA1
a231abdaf651f4391559ced8e925eef07874c6d2

SHA256
50f940955eb45ffbba73c6eaa869ebb48dc7b8d0efe91839489ba90d46c6c7cc

SHA512
41a8109dff77cc76e3b4e41dc8375d015456ee0d3f31ecb872eb61dcee580e281f9176c6546f6c763136bf2f8d657564fa646daf8333cf904c5ad1bb1516e1d2

Download Submit
C:\Windows\{585CBC04-C832-46f7-9EAE-F5EB9FE90DA5}.exe

Filesize
372KB

MD5
76bd924633135fe819df03b32c699c46

SHA1
b925fdca5be0b89eaa76bb40590b0d5090bda962

SHA256
f4df484dea8248418a28d83b2a3372733d84f5946d228c42889f19b51905f647

SHA512
fcf5f3704fede7ae855c04d5f671a7458d8471feb7f4d3f559dd62d5b24981415a87c5b7c18fc29dfcf09787a265db4612262534774912460f8fd010ba0d92ef

Download Submit
C:\Windows\{6A979843-5AFB-4655-B6FE-5E82645497F1}.exe

Filesize
372KB

MD5
9f15a0f5d74c8a9493e43b178cfaf1ce

SHA1
dd62b7aa766586c2f5f9f56b34815445b81f6bae

SHA256
bef5d0db188a1fd7ba8a102e32d8d6fe0fa2b082736290a52e98ad12cb289287

SHA512
62856c9e12f6aa88298401f7f948adc1b759bdc5f0bb68d4b0068d332b864fb29896995924b783312b87ec552f8b67a385f1bb05221157a492d65358abfa2fb4

Download Submit
C:\Windows\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe

Filesize
192KB

MD5
f494db361ba3411d13c18e493aec6336

SHA1
dc47650dc4f46fde92ef6996a2c2842f440171d3

SHA256
2b4f0092a2fe074c0eee2090947428434de5b5444c0c95bab35d99572808e239

SHA512
a77332ee7acafac7ce13bac70dbb9626ce82dc2e78be032ab3075a4b53d69cc1a8d0c2383be1db1a39d3b96f9167526c0664aafd848f472a6be09d309faa5078

Download Submit
C:\Windows\{9972345C-739E-4304-BB1D-C5ACB56B1DBC}.exe

Filesize
372KB

MD5
8ec14a60b26f5821b131f3e6b6b6a7bb

SHA1
651e16b8a3b4b17aab5a06ba1860ff695007732b

SHA256
5f73eee2cb24d02ebc29fd35dd1b98e65457e632198e0b6eb7ec2855445cb3d8

SHA512
5057b6dac713a9d97244b404c08becb7163a09c537ba21ea16cc3b5032538092e5424e7b2f5fd93fb4d588eb0238d3906d63a30ea10898d09fd5c348a46986b8

Download Submit
C:\Windows\{BC6CECE3-268F-40d7-A8A1-118E99EC9A5E}.exe

Filesize
208KB

MD5
fa9c6ee7ec119dc7afd6886711a3e054

SHA1
f184565e8220b32884e9c46fc173a20f5ea41c32

SHA256
0530e6bbe36ec760438f737ebf4126692732185da3c2db084d449c194708decc

SHA512
e0d112146cd6d0856aea75bec17b2bd29c1ff3e69cff92d92c413f8ca5dfddc67594dee0ee65a8f52982a73c267d2f58dbc7bd7f5b096c3c6efe18c063a4128a

Download Submit
C:\Windows\{BC6CECE3-268F-40d7-A8A1-118E99EC9A5E}.exe

Filesize
252KB

MD5
8e0ed463fefdd31b2ee515ec43ea98c4

SHA1
aeb272db1ed08bd7eb4ca2f449406ce560a95062

SHA256
14422c9b7f967b2b709a42a5a2f339fcd95f73cd3cef858a5fe243e29dd73bf0

SHA512
117da1a40b4c9ae1444f2f303e1d19a20aa3741c058e963f422bf8f4c5c717e471623eb9af07c7e1c968e2cbd3ab477e357d607609d0f2b23d00907ad137e8c1

Download Submit
C:\Windows\{D6431A9D-1543-4ddf-A475-9BA734A31789}.exe

Filesize
372KB

MD5
84b861f2c178252df3d11882a347a6ec

SHA1
5f210aab5b22a20d4d0ba20e5f8fa1c314f36c12

SHA256
d69e704e3a6e1a0ea179cf430af1831e8350150d985929655fa759efda207fce

SHA512
cf0919e7a7575336efb2ccbe06e73dbba4cb4949d7ccc2857666f4c90ffde1aa9a67ae6d860af02e58538b480e678face6c51a0f260b5899a109f1d4fbbb99da

Download Submit
C:\Windows\{F7B3371B-8B70-47a2-A027-E43B168ED4D9}.exe

Filesize
372KB

MD5
883605767c554cf7151768ad3ab03e82

SHA1
d5d785a0f4b947870031c5f34f27665f97cd55c0

SHA256
316c6fd2e785d2a17d47f9b3253d039e1616041ade77afc78a5451334e85bd15

SHA512
f29c3e924de25ae05bf7b060b16bf3dc318b3091d070428107bb627c9405ff69d9bf6c2a649c21440ddb759b7f28ce3c1a149890ae7a6e01c3e917c3a0e717d7

Download Submit
C:\Windows\{FAB6B156-46C7-46d1-9BC0-B7AE9E213835}.exe

Filesize
372KB

MD5
d0883eea0026d64cb50aefa70830d5b6

SHA1
03f3b79b6e4cfcb735557c1953e69dcf62cbb8fa

SHA256
0d2608317e875d40489b92e5d0bacfe2e8b93c37adbd058f2a45ec2a702ee655

SHA512
075e0cc756c0a0093a67ff8d10fb082eec9d513ad23e001883af03fa3017a011c6b9c9e6f31f9ad7b5faf9f3da642f5de4b10e70fe96723bc824ba41b2dfbc50

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads