b5a907b0d571aede7de120b326342858ca649b5c1f340540d8223bf824d2464e

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe
Size

408KB
MD5

996a824bb17e1dc4fc1af53ac96b9139
SHA1

aa20fecd652554c055480b47d743676583ca4442
SHA256

b5a907b0d571aede7de120b326342858ca649b5c1f340540d8223bf824d2464e
SHA512

39429fdfb140cb8e0189a2dc613029b1ec285bc5829cfd8ff5f18e9ac5734be07f198830107ec30c78c6675db763ac9eae0d67402bc4b526a489c2a411f9066a
SSDEEP

3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG6ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023288-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023294-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002329f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023294-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016fa5-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7CADCE4-8CF9-422f-872F-977F618273C2}\stubpath = "C:\\Windows\\{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe"	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE987018-CBC5-4376-B98F-EB650891284F}\stubpath = "C:\\Windows\\{AE987018-CBC5-4376-B98F-EB650891284F}.exe"	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}\stubpath = "C:\\Windows\\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe"	{AE987018-CBC5-4376-B98F-EB650891284F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}\stubpath = "C:\\Windows\\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe"	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A36B506-71CA-4e4b-8624-567837BF919A}	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30699659-17C3-4f68-94E5-18330B0E6E65}	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}\stubpath = "C:\\Windows\\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}.exe"	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}	{AE987018-CBC5-4376-B98F-EB650891284F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}\stubpath = "C:\\Windows\\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe"	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7CADCE4-8CF9-422f-872F-977F618273C2}	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF99174-B87D-4f11-ABC9-3C8D47606185}	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF99174-B87D-4f11-ABC9-3C8D47606185}\stubpath = "C:\\Windows\\{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe"	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE987018-CBC5-4376-B98F-EB650891284F}	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D89A7E0-EECC-44b5-9698-8D58FB154569}	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D89A7E0-EECC-44b5-9698-8D58FB154569}\stubpath = "C:\\Windows\\{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe"	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58748B81-9F4F-43ee-9635-58D264F6FC0D}	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58748B81-9F4F-43ee-9635-58D264F6FC0D}\stubpath = "C:\\Windows\\{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe"	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A36B506-71CA-4e4b-8624-567837BF919A}\stubpath = "C:\\Windows\\{7A36B506-71CA-4e4b-8624-567837BF919A}.exe"	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30699659-17C3-4f68-94E5-18330B0E6E65}\stubpath = "C:\\Windows\\{30699659-17C3-4f68-94E5-18330B0E6E65}.exe"	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe

Executes dropped EXE 11 IoCs

pid	Process
1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe
2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe
912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe
3336	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe
4640	{95D223D8-A725-4c7d-9D5D-CB3D3242763C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
File created	C:\Windows\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
File created	C:\Windows\{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
File created	C:\Windows\{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
File created	C:\Windows\{AE987018-CBC5-4376-B98F-EB650891284F}.exe	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
File created	C:\Windows\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	{AE987018-CBC5-4376-B98F-EB650891284F}.exe
File created	C:\Windows\{30699659-17C3-4f68-94E5-18330B0E6E65}.exe	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe
File created	C:\Windows\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}.exe	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe
File created	C:\Windows\{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe
File created	C:\Windows\{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
File created	C:\Windows\{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
Token: SeIncBasePriorityPrivilege	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
Token: SeIncBasePriorityPrivilege	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe
Token: SeIncBasePriorityPrivilege	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
Token: SeIncBasePriorityPrivilege	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
Token: SeIncBasePriorityPrivilege	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
Token: SeIncBasePriorityPrivilege	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
Token: SeIncBasePriorityPrivilege	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe
Token: SeIncBasePriorityPrivilege	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe
Token: SeIncBasePriorityPrivilege	3336	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1948	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe	91
PID 1964 wrote to memory of 1948	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe	91
PID 1964 wrote to memory of 1948	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe	91
PID 1964 wrote to memory of 1324	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe	92
PID 1964 wrote to memory of 1324	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe	92
PID 1964 wrote to memory of 1324	1964	2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe	92
PID 1948 wrote to memory of 4632	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	98
PID 1948 wrote to memory of 4632	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	98
PID 1948 wrote to memory of 4632	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	98
PID 1948 wrote to memory of 3972	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	99
PID 1948 wrote to memory of 3972	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	99
PID 1948 wrote to memory of 3972	1948	{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe	99
PID 4632 wrote to memory of 416	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	104
PID 4632 wrote to memory of 416	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	104
PID 4632 wrote to memory of 416	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	104
PID 4632 wrote to memory of 1420	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	105
PID 4632 wrote to memory of 1420	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	105
PID 4632 wrote to memory of 1420	4632	{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe	105
PID 416 wrote to memory of 2272	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe	106
PID 416 wrote to memory of 2272	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe	106
PID 416 wrote to memory of 2272	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe	106
PID 416 wrote to memory of 3956	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe	107
PID 416 wrote to memory of 3956	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe	107
PID 416 wrote to memory of 3956	416	{AE987018-CBC5-4376-B98F-EB650891284F}.exe	107
PID 2272 wrote to memory of 4728	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	108
PID 2272 wrote to memory of 4728	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	108
PID 2272 wrote to memory of 4728	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	108
PID 2272 wrote to memory of 4332	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	109
PID 2272 wrote to memory of 4332	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	109
PID 2272 wrote to memory of 4332	2272	{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe	109
PID 4728 wrote to memory of 2876	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	110
PID 4728 wrote to memory of 2876	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	110
PID 4728 wrote to memory of 2876	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	110
PID 4728 wrote to memory of 4320	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	111
PID 4728 wrote to memory of 4320	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	111
PID 4728 wrote to memory of 4320	4728	{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe	111
PID 2876 wrote to memory of 4532	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	112
PID 2876 wrote to memory of 4532	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	112
PID 2876 wrote to memory of 4532	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	112
PID 2876 wrote to memory of 3916	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	113
PID 2876 wrote to memory of 3916	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	113
PID 2876 wrote to memory of 3916	2876	{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe	113
PID 4532 wrote to memory of 4964	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	114
PID 4532 wrote to memory of 4964	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	114
PID 4532 wrote to memory of 4964	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	114
PID 4532 wrote to memory of 2440	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	115
PID 4532 wrote to memory of 2440	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	115
PID 4532 wrote to memory of 2440	4532	{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe	115
PID 4964 wrote to memory of 912	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	116
PID 4964 wrote to memory of 912	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	116
PID 4964 wrote to memory of 912	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	116
PID 4964 wrote to memory of 1572	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	117
PID 4964 wrote to memory of 1572	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	117
PID 4964 wrote to memory of 1572	4964	{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe	117
PID 912 wrote to memory of 3336	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	118
PID 912 wrote to memory of 3336	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	118
PID 912 wrote to memory of 3336	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	118
PID 912 wrote to memory of 4632	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	119
PID 912 wrote to memory of 4632	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	119
PID 912 wrote to memory of 4632	912	{7A36B506-71CA-4e4b-8624-567837BF919A}.exe	119
PID 3336 wrote to memory of 4640	3336	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe	120
PID 3336 wrote to memory of 4640	3336	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe	120
PID 3336 wrote to memory of 4640	3336	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe	120
PID 3336 wrote to memory of 1944	3336	{30699659-17C3-4f68-94E5-18330B0E6E65}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_996a824bb17e1dc4fc1af53ac96b9139_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
  C:\Windows\{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
    C:\Windows\{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\{AE987018-CBC5-4376-B98F-EB650891284F}.exe
      C:\Windows\{AE987018-CBC5-4376-B98F-EB650891284F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:416
    - - C:\Windows\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
        
        C:\Windows\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
        
        C:\Windows\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
        
        C:\Windows\{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
        
        C:\Windows\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe
        
        C:\Windows\{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{7A36B506-71CA-4e4b-8624-567837BF919A}.exe
        
        C:\Windows\{7A36B506-71CA-4e4b-8624-567837BF919A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{30699659-17C3-4f68-94E5-18330B0E6E65}.exe
        
        C:\Windows\{30699659-17C3-4f68-94E5-18330B0E6E65}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}.exe
        
        C:\Windows\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}.exe
        12⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30699~1.EXE > nul
        12⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A36B~1.EXE > nul
        11⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58748~1.EXE > nul
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37D4C~1.EXE > nul
        9⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D89A~1.EXE > nul
        8⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04DCE~1.EXE > nul
        7⤵
        
        PID:4320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A66~1.EXE > nul
        6⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE987~1.EXE > nul
        5⤵
        
        PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF99~1.EXE > nul
      4⤵
      PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7CAD~1.EXE > nul
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04DCE00C-85F8-4c0a-87FE-A9AC99823009}.exe

Filesize
408KB

MD5
43b54e952723b3186181b5acb4632308

SHA1
8c4b6eebf4d8c4fc39950e8ac61281b065a65a01

SHA256
a7d3f128458bed93be953fa9e34aa019b7291b238eedd0ec1b7a508fba6f8194

SHA512
ad8fb78853ecf26a82efb8020367f1b470ba67e6c093b41c070b16fa2dfbea6c041e880af53680cb0461df04a89bd484babf1d7586f5764cf80f1cf0f6278549

Download Submit
C:\Windows\{30699659-17C3-4f68-94E5-18330B0E6E65}.exe

Filesize
408KB

MD5
1341058ef3d6d70110ce10321aeb22cc

SHA1
6e7d1fca02aefed50105a9166287529deb6c077b

SHA256
a05ef83aed733e897d980bbfe76b9117bd9804a82157054d8fdd8a32fad6f1fb

SHA512
52a8dd36bbec1545bbc2c79a74e42fb69597a145396fe5aadac3c8059d89a1062bd763f0fc6295c4a15234109c03622fbbc0288c654f18744bdc9cbd60a9a6e5

Download Submit
C:\Windows\{37D4C1CC-D2E0-4e50-B571-0998188F34D4}.exe

Filesize
408KB

MD5
a6e6335c31b2586d4e582c573a9046bf

SHA1
e0b98ea21592309bb71c9bb9a10709e35d5aebb2

SHA256
eb87cf2d962dc39aec7477b624a351a201d305a726f6d0ad2d232f3c88a10f44

SHA512
ead8f403224b9b2f8cea26aa7aade12e5cac57fef76099ae43c7083b6a060d015a469bf27d232006417e30ec85557fa50ad0a1df814cfbeb649e649cf58b3beb

Download Submit
C:\Windows\{4D89A7E0-EECC-44b5-9698-8D58FB154569}.exe

Filesize
408KB

MD5
f0238739e5b988b298b30b7b561d6923

SHA1
d3b41a7d62ea6e8ca878eef74808f93c418a1d35

SHA256
30c591bc98a9a002d538893773468df73ab7bb47f3279f2fec43c96c51246496

SHA512
c6ae6004a879aebba6175168bcfd72f8f2c4a2bf5e5841aea44d0627fabb020f8e72c2c8e0402cb67b90f28c6ef093cd2528f14b5f2bd50f8e1dab25421c9196

Download Submit
C:\Windows\{58748B81-9F4F-43ee-9635-58D264F6FC0D}.exe

Filesize
408KB

MD5
be3690edd4ac1cb2c33e95bf22037503

SHA1
6498db08cbb6670085f81d1b5c981ed7879b2001

SHA256
9a9fc974162b6589bdc7dd10ebaa281635af01c19e873b88f280921275f82e4d

SHA512
464467b1b8d14357a5477d580081b35a937dae1174fd24d235e3b4e3828e4203d01faf2a05efe1cd4441be311dcc7a46e74e79f8af3f9730c172b48c117281fd

Download Submit
C:\Windows\{7A36B506-71CA-4e4b-8624-567837BF919A}.exe

Filesize
408KB

MD5
3403b7446950454568bed5eb536974f9

SHA1
bd8145e5a2b6e41239f8db2008ebe967c5479774

SHA256
f78d93f0b677e7f06454bccb960a7d7601deb5f81554f3f6799ab0078d182a8e

SHA512
e6756f6f06242224a77d07c8934deb6163b57a5698dc076f8c1384835c8767c807b567f8a2b149eec2d39661c0f99be913985348a9980718c8c8335020a33867

Download Submit
C:\Windows\{7FF99174-B87D-4f11-ABC9-3C8D47606185}.exe

Filesize
408KB

MD5
c5d48560826dc39bc58b84fe64c479d0

SHA1
cbd113155a54d5abe6a5a90574f2152ae3e6f083

SHA256
810b8a4899cfdaed44a769ab5b801c3fe3b160eaf44ec88e6a7ccf21a5fa7f73

SHA512
67a947cabef6c9d98a4cd5ac400710afdf66a14fd9a061a8642233a997cc1326f09b871b357a57156d338cbeb694934eb474b6158c1494ee362e38740801fa27

Download Submit
C:\Windows\{95D223D8-A725-4c7d-9D5D-CB3D3242763C}.exe

Filesize
408KB

MD5
f6d9f5f272acfafd9cc193eac2ba1eeb

SHA1
f005bfc2830276d1025801c9975ca01db401e4c8

SHA256
ceffb8a2a823673d21587216db66e6070dba05b763c5bfed454d92faff24453e

SHA512
a1b3f87be32564de9e6fb0919e903a449fe2cddf62962de27113924f57d77ae0535596ef734e01140312cfc2cb4e356a51b1cfad53a916c11e3ec2fbc8ed4f9d

Download Submit
C:\Windows\{A7CADCE4-8CF9-422f-872F-977F618273C2}.exe

Filesize
408KB

MD5
9c4c2ac6dee31ed9e557115278f92408

SHA1
389f29becf6d951298c19cadeb5e358a9ce8f79c

SHA256
6d98c49adab54525451479cbe4b0e04d04567b47d3d3d7d99105395e50bd7aa1

SHA512
0d5b89aa4318cbb59feb867318fcc78d89b94e3e074695f84d9f20b286acbe62668e2635afa7830847f7ef3c108e5d9ace0cb75e20cb6eb035943066d47081d5

Download Submit
C:\Windows\{AE987018-CBC5-4376-B98F-EB650891284F}.exe

Filesize
408KB

MD5
4e2ef169cae4a1ae8de0c6cedb562d88

SHA1
f66803a3e943858638901c373e0a6b76b46d94fe

SHA256
aae8b3a4211e81e1ab295fa5497b8c7ead2faea3312b4c6e582b6a97e20d5866

SHA512
10ab1629301c4d9488c4b16232ead9d048b7e3256653deca44a5539cb9705f9918b45af2e77266eae50176e4a744f3489d40dd3f71ad2dd8a66a7b2ba95e86c5

Download Submit
C:\Windows\{F9A66A2E-1A4E-4010-8A13-3C15307E8F2C}.exe

Filesize
408KB

MD5
a1c229af3b6f940bf7c613db70e3e1c6

SHA1
dd14a9ce255df0f825a881a5e3e283b3628ce569

SHA256
e945357bdabfe13a51b1309bd97e90af4cbc09ed592919d6d60c67bc537a8a1e

SHA512
08ca4f059782f7fc6fa910a96e420172a12b56bd4eb1bea54ca8bd059a1f40bd8292eee6001349107ae60f6cee4c59a00441182c4d09340609eca58f5607d933

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads