d7f9c57893ccdb610ef08e888972124df76658ecf640bc945e6a7416f23a1a64

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe
Size

204KB
MD5

097dc6e6fc2f4240418b4423803dcfdb
SHA1

0f0920eff138c3e1385cd1cbb4127336ecf234a3
SHA256

d7f9c57893ccdb610ef08e888972124df76658ecf640bc945e6a7416f23a1a64
SHA512

08f094460eba1071d1c224bace667060ba5f43c8042579e916193a23f3c319ad245d649794d713966ac57382ae3dc34a2cabd8beb8ce2627806156a9702de596
SSDEEP

1536:1EGh0ofl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ofl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023035-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002311a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}\stubpath = "C:\\Windows\\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe"	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40254CDB-C3FA-40ea-A420-0BF08901F494}	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDCA9129-C066-4f54-9779-134827C4EA97}\stubpath = "C:\\Windows\\{DDCA9129-C066-4f54-9779-134827C4EA97}.exe"	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B43F52CD-2159-460f-A5B4-5529F9210E52}	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B43F52CD-2159-460f-A5B4-5529F9210E52}\stubpath = "C:\\Windows\\{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe"	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7DB6CF-5401-4fc9-9824-6627326F2739}\stubpath = "C:\\Windows\\{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe"	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}\stubpath = "C:\\Windows\\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe"	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30DEC45F-B5D5-42c8-92F1-046175F1840A}\stubpath = "C:\\Windows\\{30DEC45F-B5D5-42c8-92F1-046175F1840A}.exe"	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30DEC45F-B5D5-42c8-92F1-046175F1840A}	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7DB6CF-5401-4fc9-9824-6627326F2739}	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40254CDB-C3FA-40ea-A420-0BF08901F494}\stubpath = "C:\\Windows\\{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe"	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}\stubpath = "C:\\Windows\\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe"	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}\stubpath = "C:\\Windows\\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe"	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}\stubpath = "C:\\Windows\\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe"	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDCA9129-C066-4f54-9779-134827C4EA97}	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}\stubpath = "C:\\Windows\\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe"	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe

Executes dropped EXE 11 IoCs

pid	Process
1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe
1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe
2224	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe
4352	{30DEC45F-B5D5-42c8-92F1-046175F1840A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
File created	C:\Windows\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
File created	C:\Windows\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
File created	C:\Windows\{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
File created	C:\Windows\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
File created	C:\Windows\{30DEC45F-B5D5-42c8-92F1-046175F1840A}.exe	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe
File created	C:\Windows\{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe
File created	C:\Windows\{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
File created	C:\Windows\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
File created	C:\Windows\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe
File created	C:\Windows\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
Token: SeIncBasePriorityPrivilege	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
Token: SeIncBasePriorityPrivilege	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe
Token: SeIncBasePriorityPrivilege	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
Token: SeIncBasePriorityPrivilege	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
Token: SeIncBasePriorityPrivilege	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
Token: SeIncBasePriorityPrivilege	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
Token: SeIncBasePriorityPrivilege	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
Token: SeIncBasePriorityPrivilege	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe
Token: SeIncBasePriorityPrivilege	2224	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1452	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe	95
PID 3708 wrote to memory of 1452	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe	95
PID 3708 wrote to memory of 1452	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe	95
PID 3708 wrote to memory of 3612	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe	96
PID 3708 wrote to memory of 3612	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe	96
PID 3708 wrote to memory of 3612	3708	2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe	96
PID 1452 wrote to memory of 3524	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	102
PID 1452 wrote to memory of 3524	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	102
PID 1452 wrote to memory of 3524	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	102
PID 1452 wrote to memory of 2484	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	103
PID 1452 wrote to memory of 2484	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	103
PID 1452 wrote to memory of 2484	1452	{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe	103
PID 3524 wrote to memory of 4144	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	104
PID 3524 wrote to memory of 4144	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	104
PID 3524 wrote to memory of 4144	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	104
PID 3524 wrote to memory of 4796	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	105
PID 3524 wrote to memory of 4796	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	105
PID 3524 wrote to memory of 4796	3524	{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe	105
PID 4144 wrote to memory of 1336	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	107
PID 4144 wrote to memory of 1336	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	107
PID 4144 wrote to memory of 1336	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	107
PID 4144 wrote to memory of 4988	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	108
PID 4144 wrote to memory of 4988	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	108
PID 4144 wrote to memory of 4988	4144	{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe	108
PID 1336 wrote to memory of 760	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	109
PID 1336 wrote to memory of 760	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	109
PID 1336 wrote to memory of 760	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	109
PID 1336 wrote to memory of 1652	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	110
PID 1336 wrote to memory of 1652	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	110
PID 1336 wrote to memory of 1652	1336	{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe	110
PID 760 wrote to memory of 4340	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	111
PID 760 wrote to memory of 4340	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	111
PID 760 wrote to memory of 4340	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	111
PID 760 wrote to memory of 4984	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	112
PID 760 wrote to memory of 4984	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	112
PID 760 wrote to memory of 4984	760	{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe	112
PID 4340 wrote to memory of 3632	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	113
PID 4340 wrote to memory of 3632	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	113
PID 4340 wrote to memory of 3632	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	113
PID 4340 wrote to memory of 3512	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	114
PID 4340 wrote to memory of 3512	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	114
PID 4340 wrote to memory of 3512	4340	{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe	114
PID 3632 wrote to memory of 2248	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	115
PID 3632 wrote to memory of 2248	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	115
PID 3632 wrote to memory of 2248	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	115
PID 3632 wrote to memory of 5088	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	116
PID 3632 wrote to memory of 5088	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	116
PID 3632 wrote to memory of 5088	3632	{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe	116
PID 2248 wrote to memory of 2936	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	117
PID 2248 wrote to memory of 2936	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	117
PID 2248 wrote to memory of 2936	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	117
PID 2248 wrote to memory of 4444	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	118
PID 2248 wrote to memory of 4444	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	118
PID 2248 wrote to memory of 4444	2248	{DDCA9129-C066-4f54-9779-134827C4EA97}.exe	118
PID 2936 wrote to memory of 2224	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	119
PID 2936 wrote to memory of 2224	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	119
PID 2936 wrote to memory of 2224	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	119
PID 2936 wrote to memory of 3776	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	120
PID 2936 wrote to memory of 3776	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	120
PID 2936 wrote to memory of 3776	2936	{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe	120
PID 2224 wrote to memory of 4352	2224	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe	121
PID 2224 wrote to memory of 4352	2224	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe	121
PID 2224 wrote to memory of 4352	2224	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe	121
PID 2224 wrote to memory of 3148	2224	{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_097dc6e6fc2f4240418b4423803dcfdb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
  C:\Windows\{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
    C:\Windows\{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe
      C:\Windows\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
        
        C:\Windows\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
        
        C:\Windows\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
        
        C:\Windows\{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
        
        C:\Windows\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
        
        C:\Windows\{DDCA9129-C066-4f54-9779-134827C4EA97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe
        
        C:\Windows\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe
        
        C:\Windows\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{30DEC45F-B5D5-42c8-92F1-046175F1840A}.exe
        
        C:\Windows\{30DEC45F-B5D5-42c8-92F1-046175F1840A}.exe
        12⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0CEA~1.EXE > nul
        12⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68EAB~1.EXE > nul
        11⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDCA9~1.EXE > nul
        10⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F311~1.EXE > nul
        9⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40254~1.EXE > nul
        8⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D46A~1.EXE > nul
        7⤵
        
        PID:4984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6165~1.EXE > nul
        6⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7067~1.EXE > nul
        5⤵
        
        PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC7DB~1.EXE > nul
      4⤵
      PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B43F5~1.EXE > nul
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30DEC45F-B5D5-42c8-92F1-046175F1840A}.exe

Filesize
204KB

MD5
1fc8850a13366a4d092dbaaafe058dcc

SHA1
cc138209277f00f32a40db4c11203ed39a9807a0

SHA256
0a29d9a33fffc1ec077df5ec64f8228491ef4d6a8deb447958324aba9b6ce3b2

SHA512
e72169aacf882cef0c9f845a8352d84745b15c46291690e56164888f52041c28bb90a344d5d90dd742e172be0ff7aab3d0cd81fdb6684bedc60ff26bada38095

Download Submit
C:\Windows\{40254CDB-C3FA-40ea-A420-0BF08901F494}.exe

Filesize
204KB

MD5
770c926a5d6be935a558e6f985459f68

SHA1
87148082f95aec49e9dbd163be38cf3a85b43849

SHA256
6eda9c716877a11c9bba20fcadf705364679fd51998cbd95da2d7159bfa600df

SHA512
d6acdb70418b02fb6022f6813c268519f2090585625cd48bb1cf69c31589e00081a44096b3bf2f1289eaee734c79103339af3eb03e61e09f92900eca136b5bc2

Download Submit
C:\Windows\{5D46A8EE-94A9-4d5b-94AC-ABB8BD9D52E4}.exe

Filesize
204KB

MD5
43f034d5e5750f81614cbe4bf7c91586

SHA1
c67caa20dcff8e3d94c0d3f4317109685c661459

SHA256
6942fc9a66211998864da07229ee4ccc67b09f9136056af2903557f8b96b0157

SHA512
9ebd0ac88724c5c65c1280530af61a91b70eabf3718ef8e7e6c2209c6c78cdaa093a9c00d34cca9a9d4a5fe0140826abc1c6139ddf375f7dd358f691ea33745c

Download Submit
C:\Windows\{68EAB5F1-ED8C-4b3a-BE0A-86282AFEEEB8}.exe

Filesize
204KB

MD5
4642594dae1ec3c12a54a6f5647ea9c3

SHA1
2888268b9c6cec4d153e16a05bedc6e215e63f4c

SHA256
6d00e08003e3dab306fb76baf090e70b24eb50c1edbfb5402f063c891e3c6e80

SHA512
6101c15175ed3bab63b8d37dcb30b82f42d976d858ce2d03fc6940e494664ad5155abc64fde3d0d244c70f14d97b801feb3c942433fb86d8f4804522385a0c3b

Download Submit
C:\Windows\{9F311BDE-3C86-4247-A9E2-D8C1BEF3D302}.exe

Filesize
204KB

MD5
a07982aa93ef1296709d01376e5b60a8

SHA1
a276f0bfa420916881851376060d2025c4f768c1

SHA256
b0a2cca9699405493401be20d907b158785557179bc86680baf8f26a0054502c

SHA512
e13d0a7df74d3ebaab761634cd1e556e8c9d3d3f9de80fa1b636dfe8143c10bb63a6c478231fc66027947be1396d5c7fc6347c39dfec55d245532573be47bd04

Download Submit
C:\Windows\{B43F52CD-2159-460f-A5B4-5529F9210E52}.exe

Filesize
204KB

MD5
fd916cc01ec39f4e130835010d62a30f

SHA1
977be68ffac57eaffc27c57afa7b327b1a5e73c8

SHA256
2a18f79138c4580d8d0f128f4af5ed69ddd1e4ce591ade5e4de94563bea62bee

SHA512
96426ec34ce9a65610d1250e92cd34df6b43abe4a741ded2b99975c0d9a82d2fb9fbb3573ea830a297e3c4d005bef06886205bdf8fc56491332bc1168555aa46

Download Submit
C:\Windows\{CC7DB6CF-5401-4fc9-9824-6627326F2739}.exe

Filesize
204KB

MD5
1f0f74886c29d4dace5ad4aa01d6a590

SHA1
f24688026dbdb92a4d07e5a8099bb290e1c34ffa

SHA256
a02a79325339536528abe4b310cee25312baa3e4fd3ee69e9b3742d8f3c55c99

SHA512
5f6ea544a1a92631a185894fd702933891b38a9994a86bebba547dd69b1e1536f49d2c3e4318816291ba39d4840877b897dd2cd71d073f461d28e9c1ee1f1dce

Download Submit
C:\Windows\{D0CEA091-3B15-4e88-A21F-FB31DE7F18AF}.exe

Filesize
204KB

MD5
e6c988d814adec5232094cc5fa72ca90

SHA1
c2aa4fd9840aaf63d7593f6770674361c0834ca2

SHA256
95e7c09a871ebfcb29ee7037fa7c4cb1c9de4de2d433ae11fa192aa0ffae8933

SHA512
aa512672aeed046360b2694015b3c33f69621f40b53217a456075e09b4abf5bab67137cd937c42bc433993a742e033c19957f5a231e0e2c502aa6cd9632d4e4d

Download Submit
C:\Windows\{DDCA9129-C066-4f54-9779-134827C4EA97}.exe

Filesize
204KB

MD5
8dc6ba7750b1324ed9c223afa1ecaaaa

SHA1
6dcff44f7c8c9a0d233c449424c46bb1aff6129e

SHA256
7aefa74233ea57eca1a8d8358f52196e9124fb6f1f42ce1eefc15fb36ee86a46

SHA512
65d1c6a04f9f151397ab1a76cca15f499bbe11507ff92602b928e624b0934f02a9c89270828a12568dd18b9654ad423a6724969ff0e5506b5f8263505b555298

Download Submit
C:\Windows\{E6165C43-1E5A-4154-BEB0-D4B6537E65B7}.exe

Filesize
204KB

MD5
f8643c2b62dd9a881882895e1f23e97f

SHA1
b0a395cdd7669bcb1b94baaa3a0981f8ce404562

SHA256
0431b4536fb9631e51a0e96b5366d54ba3b4a35caa46c2e8982ff38532bb44c2

SHA512
0fe2d76743b2eb0cb379e2dfaab410eb308ee3320e6555d28b68ffbfb55297c4bc59c6f1b303a9c2dc3eafbd516315564cf83e271330894762173ca842b6a1e4

Download Submit
C:\Windows\{F70674F9-600B-44b2-B4EF-76D4FCD158C4}.exe

Filesize
204KB

MD5
905fc4941054259c7b1b3f9b723b6f3a

SHA1
c97385b5850bdf1af577fbe7b099cfba9ad9330e

SHA256
cc475eb14d3ab143d8df9f32e01a1962e9c4c90d599f5541142ea6a614f3435c

SHA512
618dad10fc148e3bf5d1f3564b76e9c576988f798464ae7adefae2ef28587e4181ed6d033996e28cc7957a2456208325b284ac8dd2229795b07240ecee1212d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads