43c9b932e1d96de18fd93a21130858120dc847815babd70ebd3f1b011fd09fdb

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Size

372KB
MD5

0af3c4c39595ac5ca0535318843c6aae
SHA1

80e322dbe80c3b14a278872735f3feb6c38253b2
SHA256

43c9b932e1d96de18fd93a21130858120dc847815babd70ebd3f1b011fd09fdb
SHA512

535473b75e7bce9c9fb8afbd77f95f6370615b246e6d593fb168c8acb7d8ff3ca4ca780570d84963192270904b8d2798531202ad4ecf9096014cf660670d5a86
SSDEEP

3072:CEGh0ozlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002323f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023244-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000022fdf-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002324e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}\stubpath = "C:\\Windows\\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe"	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}\stubpath = "C:\\Windows\\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe"	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD01DF7F-20B1-4961-9CD9-DC6DA49F92CC}\stubpath = "C:\\Windows\\{BD01DF7F-20B1-4961-9CD9-DC6DA49F92CC}.exe"	{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD01DF7F-20B1-4961-9CD9-DC6DA49F92CC}	{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}\stubpath = "C:\\Windows\\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe"	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504D4313-95B1-490c-8897-133813577CEB}	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}	{504D4313-95B1-490c-8897-133813577CEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C19A120-65CE-435a-956B-39D98A4E2485}\stubpath = "C:\\Windows\\{1C19A120-65CE-435a-956B-39D98A4E2485}.exe"	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407F1312-5253-4d16-94BC-5AD95E22DCA0}	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}\stubpath = "C:\\Windows\\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe"	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A10369-5576-4f64-A3A8-DB69B718D681}	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}\stubpath = "C:\\Windows\\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe"	{504D4313-95B1-490c-8897-133813577CEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}\stubpath = "C:\\Windows\\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe"	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407F1312-5253-4d16-94BC-5AD95E22DCA0}\stubpath = "C:\\Windows\\{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe"	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A10369-5576-4f64-A3A8-DB69B718D681}\stubpath = "C:\\Windows\\{66A10369-5576-4f64-A3A8-DB69B718D681}.exe"	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504D4313-95B1-490c-8897-133813577CEB}\stubpath = "C:\\Windows\\{504D4313-95B1-490c-8897-133813577CEB}.exe"	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B0C212-902E-4fb7-A6F7-431ACA221366}	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B0C212-902E-4fb7-A6F7-431ACA221366}\stubpath = "C:\\Windows\\{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe"	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C19A120-65CE-435a-956B-39D98A4E2485}	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe

Executes dropped EXE 11 IoCs

pid	Process
4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe
624	{504D4313-95B1-490c-8897-133813577CEB}.exe
4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe
3832	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe
3584	{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
File created	C:\Windows\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	{504D4313-95B1-490c-8897-133813577CEB}.exe
File created	C:\Windows\{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
File created	C:\Windows\{1C19A120-65CE-435a-956B-39D98A4E2485}.exe	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe
File created	C:\Windows\{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe
File created	C:\Windows\{BD01DF7F-20B1-4961-9CD9-DC6DA49F92CC}.exe	{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe
File created	C:\Windows\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
File created	C:\Windows\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
File created	C:\Windows\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
File created	C:\Windows\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
File created	C:\Windows\{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
File created	C:\Windows\{504D4313-95B1-490c-8897-133813577CEB}.exe	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
Token: SeIncBasePriorityPrivilege	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
Token: SeIncBasePriorityPrivilege	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
Token: SeIncBasePriorityPrivilege	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe
Token: SeIncBasePriorityPrivilege	624	{504D4313-95B1-490c-8897-133813577CEB}.exe
Token: SeIncBasePriorityPrivilege	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
Token: SeIncBasePriorityPrivilege	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
Token: SeIncBasePriorityPrivilege	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
Token: SeIncBasePriorityPrivilege	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe
Token: SeIncBasePriorityPrivilege	3832	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4604	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	90
PID 412 wrote to memory of 4604	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	90
PID 412 wrote to memory of 4604	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	90
PID 412 wrote to memory of 1036	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	91
PID 412 wrote to memory of 1036	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	91
PID 412 wrote to memory of 1036	412	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	91
PID 4604 wrote to memory of 1224	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	92
PID 4604 wrote to memory of 1224	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	92
PID 4604 wrote to memory of 1224	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	92
PID 4604 wrote to memory of 2976	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	93
PID 4604 wrote to memory of 2976	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	93
PID 4604 wrote to memory of 2976	4604	{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe	93
PID 1224 wrote to memory of 3108	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	102
PID 1224 wrote to memory of 3108	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	102
PID 1224 wrote to memory of 3108	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	102
PID 1224 wrote to memory of 3572	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	103
PID 1224 wrote to memory of 3572	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	103
PID 1224 wrote to memory of 3572	1224	{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe	103
PID 3108 wrote to memory of 3512	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	105
PID 3108 wrote to memory of 3512	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	105
PID 3108 wrote to memory of 3512	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	105
PID 3108 wrote to memory of 2108	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	106
PID 3108 wrote to memory of 2108	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	106
PID 3108 wrote to memory of 2108	3108	{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe	106
PID 3512 wrote to memory of 624	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	107
PID 3512 wrote to memory of 624	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	107
PID 3512 wrote to memory of 624	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	107
PID 3512 wrote to memory of 448	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	108
PID 3512 wrote to memory of 448	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	108
PID 3512 wrote to memory of 448	3512	{66A10369-5576-4f64-A3A8-DB69B718D681}.exe	108
PID 624 wrote to memory of 4344	624	{504D4313-95B1-490c-8897-133813577CEB}.exe	109
PID 624 wrote to memory of 4344	624	{504D4313-95B1-490c-8897-133813577CEB}.exe	109
PID 624 wrote to memory of 4344	624	{504D4313-95B1-490c-8897-133813577CEB}.exe	109
PID 624 wrote to memory of 32	624	{504D4313-95B1-490c-8897-133813577CEB}.exe	110
PID 624 wrote to memory of 32	624	{504D4313-95B1-490c-8897-133813577CEB}.exe	110
PID 624 wrote to memory of 32	624	{504D4313-95B1-490c-8897-133813577CEB}.exe	110
PID 4344 wrote to memory of 4576	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	111
PID 4344 wrote to memory of 4576	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	111
PID 4344 wrote to memory of 4576	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	111
PID 4344 wrote to memory of 3768	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	112
PID 4344 wrote to memory of 3768	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	112
PID 4344 wrote to memory of 3768	4344	{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe	112
PID 4576 wrote to memory of 4540	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	113
PID 4576 wrote to memory of 4540	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	113
PID 4576 wrote to memory of 4540	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	113
PID 4576 wrote to memory of 1968	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	114
PID 4576 wrote to memory of 1968	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	114
PID 4576 wrote to memory of 1968	4576	{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe	114
PID 4540 wrote to memory of 1984	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	115
PID 4540 wrote to memory of 1984	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	115
PID 4540 wrote to memory of 1984	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	115
PID 4540 wrote to memory of 4032	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	116
PID 4540 wrote to memory of 4032	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	116
PID 4540 wrote to memory of 4032	4540	{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe	116
PID 1984 wrote to memory of 3832	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	117
PID 1984 wrote to memory of 3832	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	117
PID 1984 wrote to memory of 3832	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	117
PID 1984 wrote to memory of 2088	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	118
PID 1984 wrote to memory of 2088	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	118
PID 1984 wrote to memory of 2088	1984	{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe	118
PID 3832 wrote to memory of 3584	3832	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe	119
PID 3832 wrote to memory of 3584	3832	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe	119
PID 3832 wrote to memory of 3584	3832	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe	119
PID 3832 wrote to memory of 3836	3832	{1C19A120-65CE-435a-956B-39D98A4E2485}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
  C:\Windows\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
    C:\Windows\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
      C:\Windows\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\{66A10369-5576-4f64-A3A8-DB69B718D681}.exe
        
        C:\Windows\{66A10369-5576-4f64-A3A8-DB69B718D681}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\Windows\{504D4313-95B1-490c-8897-133813577CEB}.exe
        
        C:\Windows\{504D4313-95B1-490c-8897-133813577CEB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
        
        C:\Windows\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
        
        C:\Windows\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
        
        C:\Windows\{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe
        
        C:\Windows\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{1C19A120-65CE-435a-956B-39D98A4E2485}.exe
        
        C:\Windows\{1C19A120-65CE-435a-956B-39D98A4E2485}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe
        
        C:\Windows\{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C19A~1.EXE > nul
        12⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF80~1.EXE > nul
        11⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B0C~1.EXE > nul
        10⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A681~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89AD3~1.EXE > nul
        8⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{504D4~1.EXE > nul
        7⤵
        
        PID:32
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A10~1.EXE > nul
        6⤵
        
        PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29016~1.EXE > nul
        5⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8390A~1.EXE > nul
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB7AF~1.EXE > nul
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C19A120-65CE-435a-956B-39D98A4E2485}.exe

Filesize
372KB

MD5
697fdc0360695cc622e2c30125d4ad82

SHA1
e8be46531d05ac528ad268b1759a53cf5399e91a

SHA256
7a71a928c17872c2092b3df253ca81041474ba5161b546e1869f5dacdd9c1a25

SHA512
68dcebfa23d57f2d9addd04caf355a4501cecb6770bc024c20c0b6b1b767d57f517d43998980f26014f020e02daa9f6c56c1b578372831c5cc55d2a6d387de98

Download Submit
C:\Windows\{29016341-39B6-4cde-B9D1-1413D8F2EE5A}.exe

Filesize
372KB

MD5
641c6999ed77eb5cdc6165eba8a02e5e

SHA1
2f8db4b8b41e80108ca3f0243c0ac96450a1421d

SHA256
0f3d2c712db8f213e0f42a333a343fda1ecc98087f397747e28637aca217ff0c

SHA512
db909121bd41d4d64c275abbb5d6adf8b33f1af598bf45fc6c88ea9b57e7763ef445d5ae10438505b2e33be028692626d592052f6131a12b950fc1a47a479c5a

Download Submit
C:\Windows\{407F1312-5253-4d16-94BC-5AD95E22DCA0}.exe

Filesize
372KB

MD5
5025b9b9385a4cf4d715ea88f4433028

SHA1
d791d1f11cbc6f4b48312a58c88226eb1d69de22

SHA256
b9e85cbae8d99aa59457670b7437bb10384f37b7b4b9a0b971dc800e04bf468a

SHA512
f2e0f388290f6abc589dc22db632f693d749d81a20bc196239558983486af5cb181a7a80e2723ae055714430c6bea987b3f076a84ffa32e905efe90e065efd77

Download Submit
C:\Windows\{504D4313-95B1-490c-8897-133813577CEB}.exe

Filesize
372KB

MD5
0fc8d8024cc45d33a5723739eb321db5

SHA1
c00f6573665fbb3ab91b51f3a726aaa18dd73300

SHA256
b5a638c068d9c7455e83ea94e4db98ebe5cd5186b1125cb1bbb150a56e7dfcf9

SHA512
c4df16d57e06f9b1118841cd1f593baf2ebecf8e134acb83d6b1413c138bbfc8a9fe747204b91d89be889620e85bb99871eb7552b730ad0389c5479454b105f4

Download Submit
C:\Windows\{66A10369-5576-4f64-A3A8-DB69B718D681}.exe

Filesize
372KB

MD5
9e7066285c7f32b5dbc05cec20babb05

SHA1
e5e9253db66a729ef2a1df360e3b682cede5c5a2

SHA256
ab10c85f53b167104b3136ac2431a0c046d90558a88d4662506fe5df0b0fdf1b

SHA512
7ebd07e0081548f1ec7364c78dc9085d2379b49639a27322468824d1890597d64d28aea07abfb07918795ba17daa27145bad59a06065ca51ebe576daa8b9e442

Download Submit
C:\Windows\{8390AC3F-45C9-4c3b-B10B-C01DF00D3AEA}.exe

Filesize
372KB

MD5
90e81e63b19816ca7fd91bccf648ea5c

SHA1
2d4c403e4e0ca4ce29f57c2caef28982bcc479e5

SHA256
67a04ecb9a9206dd2ea49ff43a4ec31a6750ab61491c65fb96109bbd71d1b14d

SHA512
2d7ac7c5d4b4099b36d44e835c4f5f9e7400fd82f5a3c92c59f6ff2e28d9b714dc641c5842bd9a5e50eb75b98af4e710e2b430c6913860ac2e13d9d703bb9929

Download Submit
C:\Windows\{89AD3B1C-74B6-4428-908F-EE7B850E96BC}.exe

Filesize
372KB

MD5
8f05045fbde849c61e9726d9cb12092b

SHA1
06f491fc5c977dce609e0447e9334e0ef947db1d

SHA256
87b4718938a731507901d311308f3341262c7d18514c6b9a9de84c278a87be6c

SHA512
8088e80d108a957af671e690c5526a1f8301e020ea0c2322f14db6e7c155bef7355653e1996f0470e3188a004575c04e3934c573c6acbcaa98930b12af2743ec

Download Submit
C:\Windows\{9A6811B7-4A4A-4eab-A893-AC8A0A245C29}.exe

Filesize
372KB

MD5
25a507c185fd058d860a64e1b4018886

SHA1
0427f082697ece388eaff9d0e7fea7946053ec86

SHA256
37063f19e3708ae8c592b2fbbba20a47c2d37b998a43dac70ca8ea118a017c15

SHA512
d8326af6cafb61ac6096260773dd514a8057d78fb2587523c7598b6802be4bcd7000b001b289df084dd2894fb3ad0d5469bc4e688155b9dfef4f6135df783817

Download Submit
C:\Windows\{9BF80DCC-0F9D-408c-B93F-ED41FB31F124}.exe

Filesize
372KB

MD5
4c013035e84648f4a120a151eb97c14a

SHA1
bbeba92dc21a34043973ee906262b8d67d738e71

SHA256
a96fd9c1ff7e63890901ba95774c9f6c94cf721d7ba549fc6a6a259b6598be22

SHA512
6bd6f91fd5efe775ec65a058a269a0f28bf76a263877f6b95c3ac8e383445a4399cbb936e1f906b625fc0bc882ecc0b6a7b190b62436e63cac2cd971fa1043cc

Download Submit
C:\Windows\{CB7AFA35-5951-49f6-8AE8-A7444C3E0B85}.exe

Filesize
372KB

MD5
f0b6daea7e0c2bcd8695557040f4449a

SHA1
9bdda518524b7519ca58391eb2c66ffe9b31f08e

SHA256
11a523cfa8e7a1b86a66fe7369478832564bac6ba2211d74e37efc4d29d42859

SHA512
a789b891476f38902b5e19d064750af2da2ed0c451e9aede40a3ae1eb041538ba829c8a8e73ae26e999bcc9183333abf61ea8f68719273335b8c0c285a364cbd

Download Submit
C:\Windows\{F7B0C212-902E-4fb7-A6F7-431ACA221366}.exe

Filesize
372KB

MD5
bd64b78a12012caddc182709aac1b1fa

SHA1
dba59378fb33e3b4abb74dcebd2acac0e08e4545

SHA256
1f810b5f7f81137b799098f5483a25620f6ff60b26d815c892c02725d36c6680

SHA512
37c4317d809109956f9ac98c254db0afbeb11b3c69ccb0d8cce173363dc98af97351854d4839f36cca3d9d2c0186b556ca64751e6c65e75c2917fc858b644638

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads