6ae8c5fa2b0ba638b05b276ee282f1a47fecde6650dcf53cecf923780fd5e542

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Size

344KB
MD5

d717ac675d7ee91dac172103ae578f48
SHA1

fe060ad36ecf762117d1dd6d7dc28bd8aa111f48
SHA256

6ae8c5fa2b0ba638b05b276ee282f1a47fecde6650dcf53cecf923780fd5e542
SHA512

0f3b71de1a25a32a1c7a5eb1cca5183a8aad129023dbbf24f6fbb9b91412450605f9f3014fc67203f55e904c5fba2325384b0299e9dbd8a5fc1c7108d7a0e442
SSDEEP

3072:mEGh0oulEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023271-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023273-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023284-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023273-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023284-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e3d2-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000507-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}\stubpath = "C:\\Windows\\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}.exe"	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E154648E-542A-4a33-A52D-9245C9B43799}	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A10BA818-E952-46fd-8B63-422FED879294}	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A10BA818-E952-46fd-8B63-422FED879294}\stubpath = "C:\\Windows\\{A10BA818-E952-46fd-8B63-422FED879294}.exe"	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}	{E154648E-542A-4a33-A52D-9245C9B43799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C2DE62-9895-4699-87FC-CF63D3880D89}	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C2DE62-9895-4699-87FC-CF63D3880D89}\stubpath = "C:\\Windows\\{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe"	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}\stubpath = "C:\\Windows\\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe"	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}\stubpath = "C:\\Windows\\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe"	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E154648E-542A-4a33-A52D-9245C9B43799}\stubpath = "C:\\Windows\\{E154648E-542A-4a33-A52D-9245C9B43799}.exe"	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}	{A10BA818-E952-46fd-8B63-422FED879294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}\stubpath = "C:\\Windows\\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe"	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}\stubpath = "C:\\Windows\\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe"	{A10BA818-E952-46fd-8B63-422FED879294}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}\stubpath = "C:\\Windows\\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe"	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}\stubpath = "C:\\Windows\\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe"	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}\stubpath = "C:\\Windows\\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe"	{E154648E-542A-4a33-A52D-9245C9B43799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe

Executes dropped EXE 11 IoCs

pid	Process
4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe
2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe
3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe
3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
4640	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe
100	{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
File created	C:\Windows\{E154648E-542A-4a33-A52D-9245C9B43799}.exe	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
File created	C:\Windows\{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
File created	C:\Windows\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
File created	C:\Windows\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
File created	C:\Windows\{A10BA818-E952-46fd-8B63-422FED879294}.exe	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
File created	C:\Windows\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	{A10BA818-E952-46fd-8B63-422FED879294}.exe
File created	C:\Windows\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe
File created	C:\Windows\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
File created	C:\Windows\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}.exe	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe
File created	C:\Windows\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	{E154648E-542A-4a33-A52D-9245C9B43799}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
Token: SeIncBasePriorityPrivilege	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
Token: SeIncBasePriorityPrivilege	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe
Token: SeIncBasePriorityPrivilege	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
Token: SeIncBasePriorityPrivilege	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
Token: SeIncBasePriorityPrivilege	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
Token: SeIncBasePriorityPrivilege	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe
Token: SeIncBasePriorityPrivilege	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe
Token: SeIncBasePriorityPrivilege	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
Token: SeIncBasePriorityPrivilege	4640	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4200	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	89
PID 1496 wrote to memory of 4200	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	89
PID 1496 wrote to memory of 4200	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	89
PID 1496 wrote to memory of 4604	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	90
PID 1496 wrote to memory of 4604	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	90
PID 1496 wrote to memory of 4604	1496	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	90
PID 4200 wrote to memory of 2180	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	97
PID 4200 wrote to memory of 2180	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	97
PID 4200 wrote to memory of 2180	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	97
PID 4200 wrote to memory of 732	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	98
PID 4200 wrote to memory of 732	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	98
PID 4200 wrote to memory of 732	4200	{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe	98
PID 2180 wrote to memory of 1520	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	101
PID 2180 wrote to memory of 1520	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	101
PID 2180 wrote to memory of 1520	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	101
PID 2180 wrote to memory of 4904	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	102
PID 2180 wrote to memory of 4904	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	102
PID 2180 wrote to memory of 4904	2180	{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe	102
PID 1520 wrote to memory of 2988	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe	104
PID 1520 wrote to memory of 2988	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe	104
PID 1520 wrote to memory of 2988	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe	104
PID 1520 wrote to memory of 2352	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe	105
PID 1520 wrote to memory of 2352	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe	105
PID 1520 wrote to memory of 2352	1520	{E154648E-542A-4a33-A52D-9245C9B43799}.exe	105
PID 2988 wrote to memory of 2760	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	106
PID 2988 wrote to memory of 2760	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	106
PID 2988 wrote to memory of 2760	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	106
PID 2988 wrote to memory of 364	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	107
PID 2988 wrote to memory of 364	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	107
PID 2988 wrote to memory of 364	2988	{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe	107
PID 2760 wrote to memory of 2492	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	108
PID 2760 wrote to memory of 2492	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	108
PID 2760 wrote to memory of 2492	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	108
PID 2760 wrote to memory of 1920	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	109
PID 2760 wrote to memory of 1920	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	109
PID 2760 wrote to memory of 1920	2760	{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe	109
PID 2492 wrote to memory of 2320	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	110
PID 2492 wrote to memory of 2320	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	110
PID 2492 wrote to memory of 2320	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	110
PID 2492 wrote to memory of 736	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	111
PID 2492 wrote to memory of 736	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	111
PID 2492 wrote to memory of 736	2492	{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe	111
PID 2320 wrote to memory of 3704	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe	112
PID 2320 wrote to memory of 3704	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe	112
PID 2320 wrote to memory of 3704	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe	112
PID 2320 wrote to memory of 3808	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe	113
PID 2320 wrote to memory of 3808	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe	113
PID 2320 wrote to memory of 3808	2320	{A10BA818-E952-46fd-8B63-422FED879294}.exe	113
PID 3704 wrote to memory of 3024	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	114
PID 3704 wrote to memory of 3024	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	114
PID 3704 wrote to memory of 3024	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	114
PID 3704 wrote to memory of 832	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	115
PID 3704 wrote to memory of 832	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	115
PID 3704 wrote to memory of 832	3704	{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe	115
PID 3024 wrote to memory of 4640	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	116
PID 3024 wrote to memory of 4640	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	116
PID 3024 wrote to memory of 4640	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	116
PID 3024 wrote to memory of 2656	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	117
PID 3024 wrote to memory of 2656	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	117
PID 3024 wrote to memory of 2656	3024	{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe	117
PID 4640 wrote to memory of 100	4640	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe	118
PID 4640 wrote to memory of 100	4640	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe	118
PID 4640 wrote to memory of 100	4640	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe	118
PID 4640 wrote to memory of 388	4640	{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
  C:\Windows\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
    C:\Windows\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\{E154648E-542A-4a33-A52D-9245C9B43799}.exe
      C:\Windows\{E154648E-542A-4a33-A52D-9245C9B43799}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
        
        C:\Windows\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
        
        C:\Windows\{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
        
        C:\Windows\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{A10BA818-E952-46fd-8B63-422FED879294}.exe
        
        C:\Windows\{A10BA818-E952-46fd-8B63-422FED879294}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe
        
        C:\Windows\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
        
        C:\Windows\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe
        
        C:\Windows\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}.exe
        
        C:\Windows\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}.exe
        12⤵
        Executes dropped EXE
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BAC8~1.EXE > nul
        12⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45EE2~1.EXE > nul
        11⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC554~1.EXE > nul
        10⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A10BA~1.EXE > nul
        9⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E543~1.EXE > nul
        8⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6C2D~1.EXE > nul
        7⤵
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{135E5~1.EXE > nul
        6⤵
        
        PID:364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1546~1.EXE > nul
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D5FFC~1.EXE > nul
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{133C1~1.EXE > nul
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BAC8E1B-B321-49a8-90E1-BFEDCECAAD7F}.exe

Filesize
344KB

MD5
f21b0638109b99af344189147c2d90cb

SHA1
75ff4cf315f01e82a06367e4bb07b5af78c21d50

SHA256
d3bd3e095e62919d44e6d3526a7e744f0a8ececabc3e52131a359e07d53a197f

SHA512
7d97b27791f641a9e676f971822ece1caf15f9478349a12a566cb519ce8de1a446ef8e91d312d02016313828d3d8d1b7a9bae279a54327af2323ff2629edba8c

Download Submit
C:\Windows\{133C1CBE-6247-4e7d-BF53-05EA7A213A3F}.exe

Filesize
344KB

MD5
13e70b3becb41f569ee88da6681ecb6c

SHA1
a924bfed548386eb90aa23d040312f0630047855

SHA256
7445cc3fdb325b3169ff3a4dd097792629afffc667df2ae9418f2796a87796cd

SHA512
6a3f3abe576c4812729d29c20783e59b903d4c7318dbbb00aa9fe6270d2d1e72bf1556510d37a252e4fafb527c17eb2385044b3556366ae52d50b7bc09887af2

Download Submit
C:\Windows\{135E59DB-84F3-4641-AB42-92A2BF8A1C1F}.exe

Filesize
344KB

MD5
528e378fb786813b7f7a827091081b02

SHA1
5c0994f870af6232f2c195c6d2be0b1e7370f061

SHA256
6cfbc12e90cfe3249bc037181b5e404ae0dd7f817b668e2b9376230ac6fb27ef

SHA512
d04f99242c85fcd651febb242ffad554c7f1b9ca3e33f745b92b00574652fcfa5ca9418a0e7b71c1f6f6af345cc6db702fbc7a3245511745fefffa76a301738a

Download Submit
C:\Windows\{1E543D2F-11DA-4ed0-BA71-87E828AE9D4E}.exe

Filesize
344KB

MD5
c729d36682ccee0b96ff139f42a19dc8

SHA1
47293ec58aacfb63f7c958e2b9b1727f25185f45

SHA256
d0c669b8273c61c9a8028bbd6a879686f12b525b9d79f6218c69cf1cc44a2bab

SHA512
0c55052f7dcf4d4e37fda86a44ba165f7e1b49f0fb9e8bda3bc4f6bdc07cb98f399de49753021e05ab32bb35545c59a01714d2315d1fc10fd1f8ba8366a4d335

Download Submit
C:\Windows\{45EE2EDB-0B72-4f9c-A393-7D4567E7B45B}.exe

Filesize
344KB

MD5
46df4ed4d1719a5cde37001a3115593f

SHA1
76c60c33c5a4124efe13e66a1876bc59737302e7

SHA256
182397e4348f13ff6bd962129a9ee64456c9c16c412454926b62137ab7be4e9e

SHA512
14a89b0a5f83f4d12f37b10e514d5635e13df76ca672e1edde182b08be78f6d5b0fa1996e248a931fcf742f4d19bbe4c9515049fc0ce49fbd301b7f956fc40e0

Download Submit
C:\Windows\{A10BA818-E952-46fd-8B63-422FED879294}.exe

Filesize
344KB

MD5
c003d3db50283f6666d17e66d0bd5674

SHA1
49344ae1a508c632ce4ba717091351c3acb2933a

SHA256
e5bb51d013ea95a2bbf4c89abc8703c60a860c119f7610c1a1382a07ed1c0136

SHA512
985e49ec4f110931a897a33509f4e45b0dc629232c230367b7a9d1d245a8a995f5693a30585f0f5c9676f1c737dd9d8df0e2445f20c210d0428a25fee1f7fd25

Download Submit
C:\Windows\{A6C2DE62-9895-4699-87FC-CF63D3880D89}.exe

Filesize
344KB

MD5
432a869e96ed6462097c8f8dd0b4b8d8

SHA1
a4512b74f5ce24cc20904ea7c4c2d435eb848870

SHA256
3fc55b29058095a8b0c9bc8ac76c1d555e12ae9e8c47a5b20ad7a8907ee55dac

SHA512
ab03e8c2a1dbcd758bed785d4b906fb59b5f04731bd64b5c5a11d5958612c564d818fbc93ea53726508446e0eaf392fe2f90d6007a84fbac70ad958068bc2cf8

Download Submit
C:\Windows\{AC5548C1-D6E0-47dc-AFDF-865E799CBA40}.exe

Filesize
344KB

MD5
887d841fb669e9caa4977e4dac5c3346

SHA1
fee56300ff5a93d898470f37cc7a4baf8ada4978

SHA256
9f469ad7d0f2c2becdd03ef7bcefdbd23dc7722a852bb0d77fa6262c18738cd3

SHA512
1d31e8216a621efb400e11e74db83bf707dbe9e4f16fef302f4a621c61000078ebcc573a184eb24c39a91aaa367aa294cce247c2df38055de291b93ffa687843

Download Submit
C:\Windows\{D5FFC82E-9240-418d-BD03-787F1CAAFD14}.exe

Filesize
344KB

MD5
b0e6ebc21e845d3dc97dd02e8f291418

SHA1
e09c9c33393ebf42280302b3f3835fa434a37163

SHA256
b4f757a1ae373aa3e95bfc42441e226fec9968314bc23b23fa77b412cb45b92d

SHA512
9805535cdaeee0ef37724fc2478b76bec6d2ade3120eccec1237cb8209410b0a8056095e49df7b7174c094026cc52f72f30340713ed11b0d2f76ef9a2e575eb1

Download Submit
C:\Windows\{DD80BB12-E9D5-4148-93B3-FCB120D2FE7C}.exe

Filesize
344KB

MD5
297def169a33beaafcc9dfb64804a2c0

SHA1
c04a91a0a7986e3e6f16b3d8b41953ded511d86c

SHA256
a3f96b70c56be88d8e7ac3a4dcb15437e9d22eaa9f70a48f182a346334a0b9ba

SHA512
b00b5149600578e6cbab7824b5fe0f6b79b5b445af817f677bbe39b1b494d66b011afa870f24718a529fd977e6735d66f7e4eee68293087c90497a5fdb7a03c9

Download Submit
C:\Windows\{E154648E-542A-4a33-A52D-9245C9B43799}.exe

Filesize
344KB

MD5
48c6b520f79a1368e7e97277d608b70a

SHA1
cb863eccd624c19b89cee89b94f3e891b06f0252

SHA256
a471bc0271fd0d9eb4e8ed843cb8f423f7b3628d2c3ec91a8ec07b10c527a48d

SHA512
abdc193e615668b2930661536dfe8494f987367cf8fa770cf2491abca2ddc634803802642f7fd6d81d09118f388e4c8db45b68c869802b323833cc6f530a5211

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads