36d67f97374b387d64d28eb78b4f837e9a9b698f41251e3ebab942351929a71e

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Size

180KB
MD5

38f9caeb7d7555edb384d102b3e5e824
SHA1

9509853f3a21fa960fcc251778124764e2b214af
SHA256

36d67f97374b387d64d28eb78b4f837e9a9b698f41251e3ebab942351929a71e
SHA512

5fd536303a0004d83053ab6eecfa9254fa600e7a17a681fdb910eb6db1aa0d9bc4502eeb41eaef1450db2ceffc9457627b22b4c2d03285228d876ec1eacfb4c8
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002324b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016fa5-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022db8-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023260-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022db8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}\stubpath = "C:\\Windows\\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe"	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E64AFA-4809-4258-869F-4CC489E80831}\stubpath = "C:\\Windows\\{F1E64AFA-4809-4258-869F-4CC489E80831}.exe"	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}\stubpath = "C:\\Windows\\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe"	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7249937-4562-443a-8830-FF0812E701A8}\stubpath = "C:\\Windows\\{B7249937-4562-443a-8830-FF0812E701A8}.exe"	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}\stubpath = "C:\\Windows\\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe"	{B7249937-4562-443a-8830-FF0812E701A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3A956B-5862-430d-A456-EB1DA3AB7343}\stubpath = "C:\\Windows\\{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe"	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}\stubpath = "C:\\Windows\\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe"	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{911B3492-015D-4950-ADFC-6610AAB5B703}	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{911B3492-015D-4950-ADFC-6610AAB5B703}\stubpath = "C:\\Windows\\{911B3492-015D-4950-ADFC-6610AAB5B703}.exe"	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}\stubpath = "C:\\Windows\\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe"	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7249937-4562-443a-8830-FF0812E701A8}	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}	{B7249937-4562-443a-8830-FF0812E701A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E64AFA-4809-4258-869F-4CC489E80831}	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}\stubpath = "C:\\Windows\\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe"	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3A956B-5862-430d-A456-EB1DA3AB7343}	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C651D716-55A9-453b-94BA-ED415624D409}	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C651D716-55A9-453b-94BA-ED415624D409}\stubpath = "C:\\Windows\\{C651D716-55A9-453b-94BA-ED415624D409}.exe"	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe
3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe
5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
4588	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe
2080	{C651D716-55A9-453b-94BA-ED415624D409}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B7249937-4562-443a-8830-FF0812E701A8}.exe	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
File created	C:\Windows\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
File created	C:\Windows\{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
File created	C:\Windows\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
File created	C:\Windows\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
File created	C:\Windows\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	{B7249937-4562-443a-8830-FF0812E701A8}.exe
File created	C:\Windows\{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
File created	C:\Windows\{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
File created	C:\Windows\{C651D716-55A9-453b-94BA-ED415624D409}.exe	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe
File created	C:\Windows\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
File created	C:\Windows\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
Token: SeIncBasePriorityPrivilege	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
Token: SeIncBasePriorityPrivilege	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe
Token: SeIncBasePriorityPrivilege	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
Token: SeIncBasePriorityPrivilege	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
Token: SeIncBasePriorityPrivilege	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe
Token: SeIncBasePriorityPrivilege	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
Token: SeIncBasePriorityPrivilege	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
Token: SeIncBasePriorityPrivilege	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
Token: SeIncBasePriorityPrivilege	4588	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4688	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	91
PID 1364 wrote to memory of 4688	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	91
PID 1364 wrote to memory of 4688	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	91
PID 1364 wrote to memory of 3452	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	92
PID 1364 wrote to memory of 3452	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	92
PID 1364 wrote to memory of 3452	1364	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	92
PID 4688 wrote to memory of 1592	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	95
PID 4688 wrote to memory of 1592	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	95
PID 4688 wrote to memory of 1592	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	95
PID 4688 wrote to memory of 1504	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	96
PID 4688 wrote to memory of 1504	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	96
PID 4688 wrote to memory of 1504	4688	{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe	96
PID 1592 wrote to memory of 392	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	103
PID 1592 wrote to memory of 392	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	103
PID 1592 wrote to memory of 392	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	103
PID 1592 wrote to memory of 4532	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	104
PID 1592 wrote to memory of 4532	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	104
PID 1592 wrote to memory of 4532	1592	{911B3492-015D-4950-ADFC-6610AAB5B703}.exe	104
PID 392 wrote to memory of 3156	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	106
PID 392 wrote to memory of 3156	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	106
PID 392 wrote to memory of 3156	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	106
PID 392 wrote to memory of 880	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	107
PID 392 wrote to memory of 880	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	107
PID 392 wrote to memory of 880	392	{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe	107
PID 3156 wrote to memory of 4720	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	108
PID 3156 wrote to memory of 4720	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	108
PID 3156 wrote to memory of 4720	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	108
PID 3156 wrote to memory of 1344	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	109
PID 3156 wrote to memory of 1344	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	109
PID 3156 wrote to memory of 1344	3156	{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe	109
PID 4720 wrote to memory of 2344	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	110
PID 4720 wrote to memory of 2344	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	110
PID 4720 wrote to memory of 2344	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	110
PID 4720 wrote to memory of 4044	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	111
PID 4720 wrote to memory of 4044	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	111
PID 4720 wrote to memory of 4044	4720	{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe	111
PID 2344 wrote to memory of 5048	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe	112
PID 2344 wrote to memory of 5048	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe	112
PID 2344 wrote to memory of 5048	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe	112
PID 2344 wrote to memory of 1364	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe	113
PID 2344 wrote to memory of 1364	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe	113
PID 2344 wrote to memory of 1364	2344	{B7249937-4562-443a-8830-FF0812E701A8}.exe	113
PID 5048 wrote to memory of 4696	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	114
PID 5048 wrote to memory of 4696	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	114
PID 5048 wrote to memory of 4696	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	114
PID 5048 wrote to memory of 1092	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	115
PID 5048 wrote to memory of 1092	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	115
PID 5048 wrote to memory of 1092	5048	{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe	115
PID 4696 wrote to memory of 1732	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	116
PID 4696 wrote to memory of 1732	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	116
PID 4696 wrote to memory of 1732	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	116
PID 4696 wrote to memory of 2940	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	117
PID 4696 wrote to memory of 2940	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	117
PID 4696 wrote to memory of 2940	4696	{F1E64AFA-4809-4258-869F-4CC489E80831}.exe	117
PID 1732 wrote to memory of 4588	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	118
PID 1732 wrote to memory of 4588	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	118
PID 1732 wrote to memory of 4588	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	118
PID 1732 wrote to memory of 4780	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	119
PID 1732 wrote to memory of 4780	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	119
PID 1732 wrote to memory of 4780	1732	{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe	119
PID 4588 wrote to memory of 2080	4588	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe	120
PID 4588 wrote to memory of 2080	4588	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe	120
PID 4588 wrote to memory of 2080	4588	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe	120
PID 4588 wrote to memory of 2592	4588	{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
  C:\Windows\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
    C:\Windows\{911B3492-015D-4950-ADFC-6610AAB5B703}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe
      C:\Windows\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
        
        C:\Windows\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
        
        C:\Windows\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{B7249937-4562-443a-8830-FF0812E701A8}.exe
        
        C:\Windows\{B7249937-4562-443a-8830-FF0812E701A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
        
        C:\Windows\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
        
        C:\Windows\{F1E64AFA-4809-4258-869F-4CC489E80831}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
        
        C:\Windows\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe
        
        C:\Windows\{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{C651D716-55A9-453b-94BA-ED415624D409}.exe
        
        C:\Windows\{C651D716-55A9-453b-94BA-ED415624D409}.exe
        12⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3A9~1.EXE > nul
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5B34~1.EXE > nul
        11⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E64~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B015~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7249~1.EXE > nul
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4C1~1.EXE > nul
        7⤵
        
        PID:4044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEF4E~1.EXE > nul
        6⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEB80~1.EXE > nul
        5⤵
        
        PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{911B3~1.EXE > nul
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDA9~1.EXE > nul
    3⤵
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B0150CD-E0BD-4173-BD3F-42F966F8B1B0}.exe

Filesize
180KB

MD5
782ed0aac89a8222d170a9cb01680778

SHA1
4002d4c1c0c14dd04cff96741c90b6934674f2ef

SHA256
f074cfa777333072db16c61f651d9068caf102065b6263713f8818d58ee14eae

SHA512
3e5d0ca386f844cfa4efcadb78f43b5f8822b8c4933aa400a2ad23dbd591dd41f0ec724f493543dbffb2f5056364611fb2d539c9c916291031201e65fd841ee9

Download Submit
C:\Windows\{2C3A956B-5862-430d-A456-EB1DA3AB7343}.exe

Filesize
180KB

MD5
0363500ee80df24ec3926d556fe9a46f

SHA1
3488e271ba6eb39afe7d0c76371c0bfebe3d3ad1

SHA256
5ab7d596ad0cc2e461584129358d495d01f1b2a506fe1ca5b8ed6f6376e321ff

SHA512
dd64eeb1b03d80a7fc2e56650f56c001c8c6942b2a9c0b110712640bb796d3112b20626aab6396368318a7bab4bb9bda7555aa5b5ee9696ff5be273c0add5021

Download Submit
C:\Windows\{7A4C1215-4C51-4edb-A7FC-A7E923B2633C}.exe

Filesize
180KB

MD5
cd0eb16f6b434cf364b19cbfae1e4b75

SHA1
682747939748ff3843a02edb48409665b972d2cd

SHA256
526f09ef4d888206034033ef87af2ecede08d7aafb1cc0ee19e58e5af9f257c8

SHA512
0405d348d6e67324bf905f96e4792166ce363d1ed17defa9d74211d11e2fd343420861eed73766c7ec2f513cec9857cdfd02276ecda485e7fd9a0fe6b3ce27a0

Download Submit
C:\Windows\{7EDA98B6-8DCF-4f39-A426-99C7120CBE7C}.exe

Filesize
180KB

MD5
f4029b2918ca136945a8f6d88f6d6250

SHA1
7313d7f4ffa4d023a6d0a94c358661b1e5a41e83

SHA256
88217937bc886f6721ec566731251aafb68f1d932259771f3925c3446de98a0c

SHA512
17c5a734c54ec2187922b06b243b2906a55fe849c20c398c73d31ad539dc409cdbae31e0d9d9e01d15fb8b8109f54eed13eb1328791c4c4990f4c7fc6be67e50

Download Submit
C:\Windows\{911B3492-015D-4950-ADFC-6610AAB5B703}.exe

Filesize
180KB

MD5
26502724cfbf70e80e923e2a1434ac62

SHA1
bd5408d037a6dd5ec68d224ea704b1245ccb71c1

SHA256
1ad9c391e71d72236d84729473057b91f656ce9a6143faec5baec1cae685e727

SHA512
d89b40d8f567c412818c95db3ffd3562ad7c0e40d05cc31b6edfc6c9aea055ded699afb59359a5b2a6b9a54ce8b9d2cac73b4b058e0d8a6b146d00d86231609b

Download Submit
C:\Windows\{B7249937-4562-443a-8830-FF0812E701A8}.exe

Filesize
180KB

MD5
c8f2d4fc33ea45eda004b78e8a04a1d2

SHA1
fde776b5a2740ac01809fdadbbbc91689f17863b

SHA256
e372f97624881c46f06e60d2dfaa4694249d9112a6d3d3b4bb71af6959818a46

SHA512
d26e7cc52c95c18afb84eaeb877edcd68290e24b741a1e474d9ba6a9ab809ae4781b621e6a8deb991e85668410a53d7ced7bad15035228f46ff79f801fae51d4

Download Submit
C:\Windows\{C651D716-55A9-453b-94BA-ED415624D409}.exe

Filesize
180KB

MD5
e3f988606de0bd941f3643eb7accb8e9

SHA1
ca71e353251ab1ea46552b6d66c853874d57b16b

SHA256
c59cdc950c23f2c60ffaa6ad1289a85788f008a4e9014e7afe7282df379585ab

SHA512
5c94f6d5929c24aaa258d8af6a44ebb00de6d66005f411dba55646d3364be4f05c5188616fb57e80ffaf44d4f2f26bb25dfae048cd2344af897f196aba1200d5

Download Submit
C:\Windows\{CEB80A3E-4474-4c56-92B6-3F7F44A25DD4}.exe

Filesize
180KB

MD5
77426255cd69898c3adb03db012a2d16

SHA1
001e408c29acd8917270081c5a0885f3c1d34f9b

SHA256
74f12009aa23399a41c6e0cbd4751b3b2dd1fc4946c4d309461ec829589c15dc

SHA512
b9e38d79627f3c1e7274ccf2d0dab42238a06da969b49bdb5ee112fa3236a97174b2d77a958e435ed12b902e0cab563db54bbfe76ff5bc4081835ac5d2e5d336

Download Submit
C:\Windows\{D5B34CFC-B4B5-40ba-9EF8-C0224BBDD942}.exe

Filesize
180KB

MD5
117a25d3ff5577f1527a0485ddd91638

SHA1
824d916fdcd1f879d021126ecd111577b320f164

SHA256
953de7b88578e2610a4f907e2db2b06efb7dac2af23a8ced8765da8c884354a7

SHA512
0fa874d0e9d0a65da59c7a2759b91fdd57e42b400402594e77f0ecd93ca5d55a9eb855d7dc0832826710f25fe3d41670aae6fcdfa784a5e487df8449c598a53b

Download Submit
C:\Windows\{F1E64AFA-4809-4258-869F-4CC489E80831}.exe

Filesize
180KB

MD5
46721035e31e10afb5f289e49c53c2bc

SHA1
c04971f9d8ec9116a40f326d4969c706a20bcbf7

SHA256
281f1d10c59805fa93a4da22cd5588b258a9234a2f158ebb38eea274df822494

SHA512
8eb49fb109057f988e41e1366b34ef1ffae988bfd82597975627c2ec36fb889570295845f0ee85d299037cb73cb7128ef18de8db65bf61e1eca0d4e16fd7c816

Download Submit
C:\Windows\{FEF4E6AF-DA4C-4e9a-8EC3-CF687ABC462E}.exe

Filesize
180KB

MD5
464fd3b262e6296d89b40feb1bec6a18

SHA1
6a4f7968efdd4356c06cbdf23fce9f006e073fec

SHA256
42bd8d3d293e6eb76da7637b07cfc0ebf6dbc740cc65133a85d4d084c67f2ec1

SHA512
a4d6e33212379fb3d3affd797c045ee2e6db4ddc347a7fd6192f99f772c8187fe03b3d1e0cf3d0dccd8e952eea5a39495235294c0705b20334cb8e14947835cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads