21dfc97c983daf57430a5c8829c64d0ce033e2fb9f081559a638cf3707be2a2f

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Size

408KB
MD5

85fc9d379a3bd3f9924558b4e6597873
SHA1

211e2ac8635e8a24bda501fd31544e78acb388e3
SHA256

21dfc97c983daf57430a5c8829c64d0ce033e2fb9f081559a638cf3707be2a2f
SHA512

e72593d77d4e19258f9c6f6882efe6c32374df6883b44a7ac2cdf0c0b75cb3a780c5bd91abea2137603d50773ef3d2e6cf087db98d2d0780e60c3638a517827d
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGoldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023260-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023121-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}\stubpath = "C:\\Windows\\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe"	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}\stubpath = "C:\\Windows\\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe"	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}\stubpath = "C:\\Windows\\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe"	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88237038-EDB3-4c09-A977-88091A23DBF5}	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}\stubpath = "C:\\Windows\\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe"	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04180BCF-4419-421a-9CC1-FE62923B3E02}	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95409789-DA5C-4fb0-B181-B7A0C915163E}	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88237038-EDB3-4c09-A977-88091A23DBF5}\stubpath = "C:\\Windows\\{88237038-EDB3-4c09-A977-88091A23DBF5}.exe"	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}\stubpath = "C:\\Windows\\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe"	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04180BCF-4419-421a-9CC1-FE62923B3E02}\stubpath = "C:\\Windows\\{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe"	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95409789-DA5C-4fb0-B181-B7A0C915163E}\stubpath = "C:\\Windows\\{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe"	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{603C5F93-3DBB-4628-B154-24ADD9668E7C}	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{603C5F93-3DBB-4628-B154-24ADD9668E7C}\stubpath = "C:\\Windows\\{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe"	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B469D523-40E6-41e7-8948-0D63E0BFF956}	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B469D523-40E6-41e7-8948-0D63E0BFF956}\stubpath = "C:\\Windows\\{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe"	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}\stubpath = "C:\\Windows\\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe"	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe

Executes dropped EXE 11 IoCs

pid	Process
3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe
2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
2764	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe
4948	{88237038-EDB3-4c09-A977-88091A23DBF5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
File created	C:\Windows\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe
File created	C:\Windows\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
File created	C:\Windows\{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
File created	C:\Windows\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
File created	C:\Windows\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
File created	C:\Windows\{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
File created	C:\Windows\{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
File created	C:\Windows\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
File created	C:\Windows\{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
File created	C:\Windows\{88237038-EDB3-4c09-A977-88091A23DBF5}.exe	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
Token: SeIncBasePriorityPrivilege	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
Token: SeIncBasePriorityPrivilege	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
Token: SeIncBasePriorityPrivilege	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
Token: SeIncBasePriorityPrivilege	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
Token: SeIncBasePriorityPrivilege	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
Token: SeIncBasePriorityPrivilege	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
Token: SeIncBasePriorityPrivilege	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe
Token: SeIncBasePriorityPrivilege	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
Token: SeIncBasePriorityPrivilege	2764	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3788	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	90
PID 1424 wrote to memory of 3788	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	90
PID 1424 wrote to memory of 3788	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	90
PID 1424 wrote to memory of 4160	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	91
PID 1424 wrote to memory of 4160	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	91
PID 1424 wrote to memory of 4160	1424	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	91
PID 3788 wrote to memory of 1084	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	100
PID 3788 wrote to memory of 1084	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	100
PID 3788 wrote to memory of 1084	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	100
PID 3788 wrote to memory of 1332	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	101
PID 3788 wrote to memory of 1332	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	101
PID 3788 wrote to memory of 1332	3788	{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe	101
PID 1084 wrote to memory of 3872	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	103
PID 1084 wrote to memory of 3872	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	103
PID 1084 wrote to memory of 3872	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	103
PID 1084 wrote to memory of 1592	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	104
PID 1084 wrote to memory of 1592	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	104
PID 1084 wrote to memory of 1592	1084	{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe	104
PID 3872 wrote to memory of 2788	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	105
PID 3872 wrote to memory of 2788	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	105
PID 3872 wrote to memory of 2788	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	105
PID 3872 wrote to memory of 624	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	106
PID 3872 wrote to memory of 624	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	106
PID 3872 wrote to memory of 624	3872	{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe	106
PID 2788 wrote to memory of 4900	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	107
PID 2788 wrote to memory of 4900	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	107
PID 2788 wrote to memory of 4900	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	107
PID 2788 wrote to memory of 2228	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	108
PID 2788 wrote to memory of 2228	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	108
PID 2788 wrote to memory of 2228	2788	{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe	108
PID 4900 wrote to memory of 1732	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	109
PID 4900 wrote to memory of 1732	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	109
PID 4900 wrote to memory of 1732	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	109
PID 4900 wrote to memory of 2140	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	110
PID 4900 wrote to memory of 2140	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	110
PID 4900 wrote to memory of 2140	4900	{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe	110
PID 1732 wrote to memory of 3888	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	111
PID 1732 wrote to memory of 3888	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	111
PID 1732 wrote to memory of 3888	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	111
PID 1732 wrote to memory of 548	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	112
PID 1732 wrote to memory of 548	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	112
PID 1732 wrote to memory of 548	1732	{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe	112
PID 3888 wrote to memory of 4480	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	113
PID 3888 wrote to memory of 4480	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	113
PID 3888 wrote to memory of 4480	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	113
PID 3888 wrote to memory of 4940	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	114
PID 3888 wrote to memory of 4940	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	114
PID 3888 wrote to memory of 4940	3888	{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe	114
PID 4480 wrote to memory of 2988	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	115
PID 4480 wrote to memory of 2988	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	115
PID 4480 wrote to memory of 2988	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	115
PID 4480 wrote to memory of 2216	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	116
PID 4480 wrote to memory of 2216	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	116
PID 4480 wrote to memory of 2216	4480	{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe	116
PID 2988 wrote to memory of 2764	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	117
PID 2988 wrote to memory of 2764	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	117
PID 2988 wrote to memory of 2764	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	117
PID 2988 wrote to memory of 4604	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	118
PID 2988 wrote to memory of 4604	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	118
PID 2988 wrote to memory of 4604	2988	{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe	118
PID 2764 wrote to memory of 4948	2764	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe	119
PID 2764 wrote to memory of 4948	2764	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe	119
PID 2764 wrote to memory of 4948	2764	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe	119
PID 2764 wrote to memory of 2452	2764	{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
  C:\Windows\{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
    C:\Windows\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
      C:\Windows\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
        
        C:\Windows\{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
        
        C:\Windows\{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
        
        C:\Windows\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
        
        C:\Windows\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe
        
        C:\Windows\{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
        
        C:\Windows\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe
        
        C:\Windows\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{88237038-EDB3-4c09-A977-88091A23DBF5}.exe
        
        C:\Windows\{88237038-EDB3-4c09-A977-88091A23DBF5}.exe
        12⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E52~1.EXE > nul
        12⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC394~1.EXE > nul
        11⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{603C5~1.EXE > nul
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE5EF~1.EXE > nul
        9⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8F6E~1.EXE > nul
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95409~1.EXE > nul
        7⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04180~1.EXE > nul
        6⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB8A~1.EXE > nul
        5⤵
        
        PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A69C2~1.EXE > nul
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B469D~1.EXE > nul
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04180BCF-4419-421a-9CC1-FE62923B3E02}.exe

Filesize
408KB

MD5
0fa7ede37f99a7c2384cb63939fd7c4f

SHA1
41f4b2d32e5cc91a884d2056a704b44932891c02

SHA256
118e013a0b3b1c7290e5f8ac88862b25604109621125c588c93a8104daa124fd

SHA512
c8735fcc28bc13b8f23a0589734738665f6a6dc097d50909c2e7d3abe74d49ac71264bbc3767397c7eff72ab2ee38c642941275255c58a199d7b58793288de63

Download Submit
C:\Windows\{603C5F93-3DBB-4628-B154-24ADD9668E7C}.exe

Filesize
408KB

MD5
41dc845e6cbf0d9afe65d397a6875f0b

SHA1
70c00a20513aa6af665c663ec736b4542bccc018

SHA256
9417e68e902746e45a9b236757e7c758ecd5a7a2d9b6c3e398fe9da533df4b39

SHA512
8579533c111e1f959d121553326c4c15be90cb72609eb15a1273b3a7b8fea77d88a5db6c3a6678b4e520590b1144f7510c08d732294cb80a30715ebf44f0cd46

Download Submit
C:\Windows\{76E523F8-6586-475f-8ADB-AC5AEA2C42D0}.exe

Filesize
408KB

MD5
5cff8f1db6743af812efde7664ed2c84

SHA1
18eaeea15670bb155aa7477020185e8625d07c76

SHA256
9286062d6411c08ebe60489ccb910b53be4297306a37a40ff003ab2941a8bbe3

SHA512
c7dedc6ef21c4f749b2a2057a1e9b64a411ff4cdd815905144a48f5d33bc029e284822800a0bf62e4645773c58ca99db70c59c9399f3a539b2d5303c3d04a72b

Download Submit
C:\Windows\{88237038-EDB3-4c09-A977-88091A23DBF5}.exe

Filesize
408KB

MD5
faefc553f6447e23bf6d74a8b4b54e9d

SHA1
9a9106295e04641dda8b950da7a27cbc3151b9bb

SHA256
38874651f8ef40caee0bbc76bd9cfd832b928caafba24b121f6b7322dbf79adc

SHA512
435be5aa5df3e0af560cac5e58f761320d408a60597ae71a477a1e6a5f1100d595cef2696a8323240350e0a5c39ca9cf32ee9b4e57facbcc4675c8e75b785cd1

Download Submit
C:\Windows\{95409789-DA5C-4fb0-B181-B7A0C915163E}.exe

Filesize
408KB

MD5
1a559cb9744a4e197a52170e19adec0c

SHA1
8e05a5cd9dcd1e2d4793a81637ecf170442773f5

SHA256
7e8af9ad26b53c5b33e785e7182c30ff25be0e0e3dde95582d413f26612076a6

SHA512
e547f47b84a31b4f4b526cbd43c5b9e2a0d45fa338a2a763df09be5be98f12ed0dc4cc977e8b9afed74a08531cb3031577df111fbc0ddd74d4b9195289f6691d

Download Submit
C:\Windows\{A69C21AB-C9AD-4d07-8C70-921A431B1B59}.exe

Filesize
408KB

MD5
ec2a1327595e419523f563a3e34cf545

SHA1
f616592005579210676fd1938fe05aa2f01d4e1f

SHA256
707eed9d077250ad739553247e70247b0564be35180f0e6efa4f6b5499565713

SHA512
339a76d145f799114a7f64f5b3237060f97b576e2fdde4b8d2f3d78e8d33c5f3c28157d2ceb80983bed2944e9ec011fd2fadf7ea15f6bebd8e31f0227cf582a9

Download Submit
C:\Windows\{B469D523-40E6-41e7-8948-0D63E0BFF956}.exe

Filesize
408KB

MD5
ef2515b327445f8fbc0b429dc666b026

SHA1
3b88c8fef027950ec46a39d38cb5075897d9963e

SHA256
a81d294fa1e9c2abf3a61f157fcf4c8c26c05de05ad3d8cacce8cb153aa1bb17

SHA512
d4d10f78606663c3b8114eb043a0c47ce8d73b4727673fb023520366d493eca7503bff1571962659677140fac1de79312b80ded20f3b9b436efeb7c032f4d4e4

Download Submit
C:\Windows\{BC3943C8-C0A3-4f3d-9415-A3B4C4EA7D48}.exe

Filesize
408KB

MD5
add8fc09feef1e823b947d02bdeb8312

SHA1
e730046365f286343e134400329ae4356a9ee6c8

SHA256
884ea74dc67649e8933abbd500ee2754553cb43f11dc5013c0cbda437e1e5bea

SHA512
9f05350eb469710cd930c8d494f75a9edd014ee2c3ba5f7bba41d953b738d29372abc2eda21cd3aa2088aafbb3e01dbaedb962f4141f7d58ba97fe80d1288294

Download Submit
C:\Windows\{CE5EF1D6-8F34-406b-8F45-5143381A4B7E}.exe

Filesize
408KB

MD5
9bfd5e7c682b95411b774035a9ea7e50

SHA1
e0975719b33e28a3448f74fdc1daaefa673aaa11

SHA256
712b6a2420c4468e440166dceca9c587c004d466b0da8fb1b660431e4afe9fa7

SHA512
36cccfba6ebb602e75377a50bc533a90835bc42a1bd3215ae17f2c70e081f6b58aa0d8e3b6db7fa2530985f60d09248aa2d036c4f1d73b3060f253ebb7233b46

Download Submit
C:\Windows\{DEB8AB99-9DE4-4914-96DB-B5DE09314A29}.exe

Filesize
408KB

MD5
d9cd6ba11d6944b4d0531f4d4486e4ed

SHA1
6b1d388ea5ad654f99c8216e38acac6215ac6e05

SHA256
c346ca6cd64d65c552d079283e4f4efa8260d96bfb58de229987fde62c1bfb6b

SHA512
91b1ea4ba6d0baece13f4b0fa7bf345960ba7dc3c820ed5d961832c1abee41900c62c7fa1a671c079f039ff48313ff4b754f7d64664f488818580abb39bcaac0

Download Submit
C:\Windows\{F8F6E5EF-F9D7-45e6-859A-1D3669F49089}.exe

Filesize
408KB

MD5
238810f5b25806fe0c87d83bb82a6ba1

SHA1
6f4dacdf297aa1084deeadc47b38413a07e16769

SHA256
a8bf2709c615b7080e8d85dc76691c5a825a9b4eb46ebe4d01ef1418784df978

SHA512
1eaa8e7cd7aeabfc7186fddbe564d2986e8f19a59f8fe47bd886aca7c54716710fe83276efa7833d306303291f897598ae74572e7e1c560d8b2b055d6642f23c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads