3ea4f12edb6fb60a75a9870498c974fec67cf061f919571930813d5cf9b337f1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Size

372KB
MD5

46afb1cab6fcc1662494adf71d83f28f
SHA1

6146867f5d36a1c1e262dc541972843029ce10c4
SHA256

3ea4f12edb6fb60a75a9870498c974fec67cf061f919571930813d5cf9b337f1
SHA512

814ba0ca2c4063a96ea70be2ed2d66f46ac97584c5fa7643f41d6692007b4279679c743011a09a84c08bbe74e89d53b83707aa757bc628442ee0dc03a970bd03
SSDEEP

3072:CEGh0odlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGrlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023253-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023266-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023266-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C200B7C-9F07-4208-944C-A34554CD2C2E}\stubpath = "C:\\Windows\\{9C200B7C-9F07-4208-944C-A34554CD2C2E}.exe"	{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}\stubpath = "C:\\Windows\\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe"	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}\stubpath = "C:\\Windows\\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe"	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{446D4E36-660B-41f2-BA9A-671BAD360FF1}	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EADA63D-81B2-418a-A613-B940E0A7464C}	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438EDA88-A86B-4c64-840D-72F9CB15166A}	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60201B6-B165-4719-B3A1-2CD23D151283}	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{446D4E36-660B-41f2-BA9A-671BAD360FF1}\stubpath = "C:\\Windows\\{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe"	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24137C6F-6E44-439d-913D-879A367D8FD1}	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24137C6F-6E44-439d-913D-879A367D8FD1}\stubpath = "C:\\Windows\\{24137C6F-6E44-439d-913D-879A367D8FD1}.exe"	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438EDA88-A86B-4c64-840D-72F9CB15166A}\stubpath = "C:\\Windows\\{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe"	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C200B7C-9F07-4208-944C-A34554CD2C2E}	{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}\stubpath = "C:\\Windows\\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe"	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51692D12-C1F3-416b-BDC5-548CC74D53CD}\stubpath = "C:\\Windows\\{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe"	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD1337A4-303B-42ea-B8AC-1705935902C8}	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD1337A4-303B-42ea-B8AC-1705935902C8}\stubpath = "C:\\Windows\\{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe"	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51692D12-C1F3-416b-BDC5-548CC74D53CD}	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}\stubpath = "C:\\Windows\\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe"	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60201B6-B165-4719-B3A1-2CD23D151283}\stubpath = "C:\\Windows\\{E60201B6-B165-4719-B3A1-2CD23D151283}.exe"	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EADA63D-81B2-418a-A613-B940E0A7464C}\stubpath = "C:\\Windows\\{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe"	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe

Executes dropped EXE 12 IoCs

pid	Process
1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe
2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe
2124	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
4452	{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe
1616	{9C200B7C-9F07-4208-944C-A34554CD2C2E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
File created	C:\Windows\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
File created	C:\Windows\{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
File created	C:\Windows\{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
File created	C:\Windows\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
File created	C:\Windows\{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
File created	C:\Windows\{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe
File created	C:\Windows\{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
File created	C:\Windows\{9C200B7C-9F07-4208-944C-A34554CD2C2E}.exe	{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe
File created	C:\Windows\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
File created	C:\Windows\{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
File created	C:\Windows\{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
Token: SeIncBasePriorityPrivilege	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
Token: SeIncBasePriorityPrivilege	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
Token: SeIncBasePriorityPrivilege	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
Token: SeIncBasePriorityPrivilege	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
Token: SeIncBasePriorityPrivilege	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
Token: SeIncBasePriorityPrivilege	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
Token: SeIncBasePriorityPrivilege	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe
Token: SeIncBasePriorityPrivilege	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe
Token: SeIncBasePriorityPrivilege	2124	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
Token: SeIncBasePriorityPrivilege	4452	{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 1016	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	96
PID 3176 wrote to memory of 1016	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	96
PID 3176 wrote to memory of 1016	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	96
PID 3176 wrote to memory of 4608	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	97
PID 3176 wrote to memory of 4608	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	97
PID 3176 wrote to memory of 4608	3176	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	97
PID 1016 wrote to memory of 2344	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	101
PID 1016 wrote to memory of 2344	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	101
PID 1016 wrote to memory of 2344	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	101
PID 1016 wrote to memory of 4208	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	102
PID 1016 wrote to memory of 4208	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	102
PID 1016 wrote to memory of 4208	1016	{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe	102
PID 2344 wrote to memory of 4848	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	104
PID 2344 wrote to memory of 4848	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	104
PID 2344 wrote to memory of 4848	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	104
PID 2344 wrote to memory of 4604	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	105
PID 2344 wrote to memory of 4604	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	105
PID 2344 wrote to memory of 4604	2344	{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe	105
PID 4848 wrote to memory of 4592	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	107
PID 4848 wrote to memory of 4592	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	107
PID 4848 wrote to memory of 4592	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	107
PID 4848 wrote to memory of 2484	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	108
PID 4848 wrote to memory of 2484	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	108
PID 4848 wrote to memory of 2484	4848	{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe	108
PID 4592 wrote to memory of 3788	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	109
PID 4592 wrote to memory of 3788	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	109
PID 4592 wrote to memory of 3788	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	109
PID 4592 wrote to memory of 4040	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	110
PID 4592 wrote to memory of 4040	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	110
PID 4592 wrote to memory of 4040	4592	{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe	110
PID 3788 wrote to memory of 4888	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	111
PID 3788 wrote to memory of 4888	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	111
PID 3788 wrote to memory of 4888	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	111
PID 3788 wrote to memory of 4036	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	112
PID 3788 wrote to memory of 4036	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	112
PID 3788 wrote to memory of 4036	3788	{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe	112
PID 4888 wrote to memory of 2240	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	113
PID 4888 wrote to memory of 2240	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	113
PID 4888 wrote to memory of 2240	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	113
PID 4888 wrote to memory of 1264	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	114
PID 4888 wrote to memory of 1264	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	114
PID 4888 wrote to memory of 1264	4888	{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe	114
PID 2240 wrote to memory of 4816	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	115
PID 2240 wrote to memory of 4816	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	115
PID 2240 wrote to memory of 4816	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	115
PID 2240 wrote to memory of 2140	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	116
PID 2240 wrote to memory of 2140	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	116
PID 2240 wrote to memory of 2140	2240	{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe	116
PID 4816 wrote to memory of 2300	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	117
PID 4816 wrote to memory of 2300	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	117
PID 4816 wrote to memory of 2300	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	117
PID 4816 wrote to memory of 4660	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	118
PID 4816 wrote to memory of 4660	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	118
PID 4816 wrote to memory of 4660	4816	{24137C6F-6E44-439d-913D-879A367D8FD1}.exe	118
PID 2300 wrote to memory of 2124	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	119
PID 2300 wrote to memory of 2124	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	119
PID 2300 wrote to memory of 2124	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	119
PID 2300 wrote to memory of 4576	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	120
PID 2300 wrote to memory of 4576	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	120
PID 2300 wrote to memory of 4576	2300	{E60201B6-B165-4719-B3A1-2CD23D151283}.exe	120
PID 2124 wrote to memory of 4452	2124	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe	121
PID 2124 wrote to memory of 4452	2124	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe	121
PID 2124 wrote to memory of 4452	2124	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe	121
PID 2124 wrote to memory of 1432	2124	{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
  C:\Windows\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
    C:\Windows\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
      C:\Windows\{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
        
        C:\Windows\{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
        
        C:\Windows\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
        
        C:\Windows\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
        
        C:\Windows\{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{24137C6F-6E44-439d-913D-879A367D8FD1}.exe
        
        C:\Windows\{24137C6F-6E44-439d-913D-879A367D8FD1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{E60201B6-B165-4719-B3A1-2CD23D151283}.exe
        
        C:\Windows\{E60201B6-B165-4719-B3A1-2CD23D151283}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
        
        C:\Windows\{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe
        
        C:\Windows\{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Windows\{9C200B7C-9F07-4208-944C-A34554CD2C2E}.exe
        
        C:\Windows\{9C200B7C-9F07-4208-944C-A34554CD2C2E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{438ED~1.EXE > nul
        13⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EADA~1.EXE > nul
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6020~1.EXE > nul
        11⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24137~1.EXE > nul
        10⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{446D4~1.EXE > nul
        9⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88B89~1.EXE > nul
        8⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D65C~1.EXE > nul
        7⤵
        
        PID:4036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD133~1.EXE > nul
        6⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51692~1.EXE > nul
        5⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEA3~1.EXE > nul
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{22DD0~1.EXE > nul
    3⤵
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22DD0D73-6D2F-47f3-91BE-897C4FD07489}.exe

Filesize
372KB

MD5
d1024949e78d56682b7776388917ae9a

SHA1
ff973bcfe1841f8fbf3825716e985634ead8d72a

SHA256
33201ff1c56cf40f4293aa023bde5711d7e5fdd9077a16e3dfadcedd0bb6b55f

SHA512
e4e09eda0dc23f06f864bf592b05e8ec32c78e392f5bc48caea63f7f0e918ca30c6cab086e7c14274835c4401873124de0660025c7beb8e6992b04667021e6e1

Download Submit
C:\Windows\{24137C6F-6E44-439d-913D-879A367D8FD1}.exe

Filesize
372KB

MD5
a8820b6e43b5b8856bec745c0f4f9ec6

SHA1
73d80205988fac9d561e7a00fefdb26eaa5468a5

SHA256
7aa26175ebe1fb632992d31f3502ec9f3a05023041cfd7e211b67e507a1b2732

SHA512
a34d113c024757325149b278cf1257fdca35bc94d92b8652051743c78940a8b0a5967c6099977deccacb5df0e2b4d45671dbd516c5040b33366997020363a383

Download Submit
C:\Windows\{438EDA88-A86B-4c64-840D-72F9CB15166A}.exe

Filesize
372KB

MD5
7d043d64562c844828e57bc0d425294a

SHA1
6c854cb3497d1042a3bb01f5cf82ba63c990d0e6

SHA256
46eb7e97a8786d23631d347c0e6ec60e7d0a06885f4ab31e88affd20001d742b

SHA512
4b4ff62cb37f5941957696eea061658df7d58565c5b58f004a9142807c76c6545ba73ef0f8927ec07e396da5a4b2a190ac4e7aca78ea58aeda16336b80da666d

Download Submit
C:\Windows\{446D4E36-660B-41f2-BA9A-671BAD360FF1}.exe

Filesize
372KB

MD5
b1516315f9abd26f7bd99ddd48d9c949

SHA1
91b9076fda2fc2bba38262a16befcb4ecf2d32b4

SHA256
adb30434a08786e29c349155f7635149c648f5b0c2397f19bbd23b67fc100066

SHA512
41d155686bfc7e4c7fa4538cbf7f3e4d1908753c8a01e16d019efdf1868543564beaeaab04fe92564901fe7f6bba8458dc59bc9701109beeb5664f35a929b0a2

Download Submit
C:\Windows\{4EADA63D-81B2-418a-A613-B940E0A7464C}.exe

Filesize
372KB

MD5
205133be84beb4b5d6c5db28474606d4

SHA1
9201c764edd6596d9893e63c815ed39cd946187e

SHA256
c5393d5f12e091a564b7de7ff1645a65a5980efba43642b13fb3c3f257c99c43

SHA512
182d3478cd62bf52b4a63e21ce3c2f0f6618c954ef380d2774543d61401842152757e88425e67a63fd40e40e3d9e046a0fc80367bbb631ab6c928721264ec1bc

Download Submit
C:\Windows\{51692D12-C1F3-416b-BDC5-548CC74D53CD}.exe

Filesize
372KB

MD5
6c5eca4b12fc4b2f81276dbee25d5d7b

SHA1
53cb39ae6f72dd75be7d824f24d26022c6ff4137

SHA256
b3d9ee0399ee8767747c13c23a5a32d071718c0bfc00f6f3c428d0faf8729c0a

SHA512
58284f223b43c4a2c6f5a82bcf2364fcb05d9aad1985866aaacd891f1c2675327de08e32a2fd0abeb8a5b3500857a346caf27a6cd6aaea339cd2f2af02e146ce

Download Submit
C:\Windows\{6D65CA3F-53A1-48fe-961C-A5F475C50E54}.exe

Filesize
372KB

MD5
7e7bb391d3a0ccbb5d0f1ab9e00615a0

SHA1
28cbcb95bc20643d7a33ee3bcbaa943b7f98b8ff

SHA256
69613b1ae88147b930b7124d43378ddc49511cf5ab5bdec8e3536df3921dabcc

SHA512
2553f5a1d9227dbd0de5d9a7ca68f7e880a315ba8e6a7ef96d2f6efdd33d0cf248e05291e5ca0db94e9fd6bdeb8dc87a0374e52a8941f68a53561af0b3ab5ded

Download Submit
C:\Windows\{88B89481-E7A9-4acf-8EBA-156D0D5F38E7}.exe

Filesize
372KB

MD5
a289cd6361ff633df8c07977761433dd

SHA1
5e4b8c40dc231795432fb07ba313e39165d04340

SHA256
ccd045d2aa2db42fbee8bcfaa3231a9b1c039e6ba94f9c131210ed7e322d2c14

SHA512
2ec2ee255721999980d2c95e6239a97b0a0be656ca08242826a62fc58d4d4cce5ec1e882ad195085cdb7032e9e76c59ca65ce7df4843eb62cf81d9c87a9af55c

Download Submit
C:\Windows\{9C200B7C-9F07-4208-944C-A34554CD2C2E}.exe

Filesize
372KB

MD5
c6251240ae6430cecf6558837a47ed8f

SHA1
4d8890be679fec6bfdd00820e32614570471e973

SHA256
79994bd2c79647c39112409e020d2cdb6c1fc545193f3a9c54f764b399b80705

SHA512
e3343a5fadbf55885d0ecf5de66bf158970610e8ddfaa9907f7742457474b99439cb0b42805ef97157a5d7b57a6cfcd78dd7d3ea869e85d4cde1944bd83b7b0d

Download Submit
C:\Windows\{AD1337A4-303B-42ea-B8AC-1705935902C8}.exe

Filesize
372KB

MD5
390649daca90d96aca975baf9ea8b890

SHA1
b3e3ed857eac8a1fb73b6818e7ca32fa76c2210c

SHA256
74bdd514314d41a1c5d6da30f620ef4df68bc605000c1f20789b844cb939ac73

SHA512
17342a972a4f811243a23b8e42a55137d4d7482a06510b4971ed9ff916fa460cd0d11f8ebfae8cd46ee43930809f447acee37cedfab597ef8693ff61ac32b8c2

Download Submit
C:\Windows\{E60201B6-B165-4719-B3A1-2CD23D151283}.exe

Filesize
372KB

MD5
8e348b59ef76ce3ceb8a7888e979c5e5

SHA1
f06435f9b3474420604e7916262a40c6852e5ebd

SHA256
cd0d19aeb0bd4374c0e64e2f19529f86bae41cd2e051193c722ce0cdf0017f01

SHA512
9b2b0fb5630052b0d1fff4591cdf7eeb813d177b46f816651e854e687f9fde8064f21ab96e8f82011dba76f82b5ffe79daa962b40af15ebfb44e8646bb4f0d3a

Download Submit
C:\Windows\{EBEA38DF-A496-4749-91AB-BE4ABA233B71}.exe

Filesize
372KB

MD5
7f929225b950dcf80fe75656aeaec8b1

SHA1
afea09f6ddf4f55702fcba38aedd4f7d34fc7f18

SHA256
fcabe9d843bce4f318f93eeb0a71d7262e30e8df850eafb5fda9749f3fdb93b7

SHA512
8e7b0db9d6a71326b70f0cd3be40339f083fd5978ddc4667f222929e89f10058d02dcaef077d2aa842aa905261d92a22faf087bf92b5d12697d0d6da0347f6d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads