f8c6c073451dbe3dc391ddfc2819f7ab249a062866d7a5306bd87c26025317a8

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe
Size

216KB
MD5

3ef7fbb7c3226131fe89452e12df0bb5
SHA1

abd94fc8456f7c5acc6f11167c18f7e887674e33
SHA256

f8c6c073451dbe3dc391ddfc2819f7ab249a062866d7a5306bd87c26025317a8
SHA512

3fc2ddf999e73537e1b6240426c994fcc50901924a5ddf7e1528c03fb8d4a2e1ec24ec329af3a27f7a54ee6be1e3700cef5eca9a8d6006318f21fc6ac2164181
SSDEEP

3072:jEGh0oyl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG0lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023247-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023253-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023247-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022fda-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D5CC95-518D-4417-977F-2B2ED61A1A52}\stubpath = "C:\\Windows\\{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe"	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}\stubpath = "C:\\Windows\\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe"	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D5CC95-518D-4417-977F-2B2ED61A1A52}	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}\stubpath = "C:\\Windows\\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe"	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B016EE-1267-4323-82FB-7F1BDA3095C1}	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B016EE-1267-4323-82FB-7F1BDA3095C1}\stubpath = "C:\\Windows\\{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe"	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}\stubpath = "C:\\Windows\\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe"	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}\stubpath = "C:\\Windows\\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe"	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}\stubpath = "C:\\Windows\\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe"	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B87B4232-167D-41fb-BA80-330A3396C20F}	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B87B4232-167D-41fb-BA80-330A3396C20F}\stubpath = "C:\\Windows\\{B87B4232-167D-41fb-BA80-330A3396C20F}.exe"	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}\stubpath = "C:\\Windows\\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe"	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}\stubpath = "C:\\Windows\\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe"	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}\stubpath = "C:\\Windows\\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}.exe"	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe

Executes dropped EXE 11 IoCs

pid	Process
3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe
664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
4636	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe
324	{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe
File created	C:\Windows\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
File created	C:\Windows\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
File created	C:\Windows\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
File created	C:\Windows\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
File created	C:\Windows\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}.exe	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe
File created	C:\Windows\{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
File created	C:\Windows\{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
File created	C:\Windows\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
File created	C:\Windows\{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
File created	C:\Windows\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
Token: SeIncBasePriorityPrivilege	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
Token: SeIncBasePriorityPrivilege	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
Token: SeIncBasePriorityPrivilege	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
Token: SeIncBasePriorityPrivilege	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
Token: SeIncBasePriorityPrivilege	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
Token: SeIncBasePriorityPrivilege	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe
Token: SeIncBasePriorityPrivilege	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
Token: SeIncBasePriorityPrivilege	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
Token: SeIncBasePriorityPrivilege	4636	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3688	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe	90
PID 228 wrote to memory of 3688	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe	90
PID 228 wrote to memory of 3688	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe	90
PID 228 wrote to memory of 5116	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe	91
PID 228 wrote to memory of 5116	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe	91
PID 228 wrote to memory of 5116	228	2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe	91
PID 3688 wrote to memory of 2432	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	100
PID 3688 wrote to memory of 2432	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	100
PID 3688 wrote to memory of 2432	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	100
PID 3688 wrote to memory of 2900	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	101
PID 3688 wrote to memory of 2900	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	101
PID 3688 wrote to memory of 2900	3688	{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe	101
PID 2432 wrote to memory of 3412	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	103
PID 2432 wrote to memory of 3412	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	103
PID 2432 wrote to memory of 3412	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	103
PID 2432 wrote to memory of 4004	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	104
PID 2432 wrote to memory of 4004	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	104
PID 2432 wrote to memory of 4004	2432	{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe	104
PID 3412 wrote to memory of 348	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	106
PID 3412 wrote to memory of 348	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	106
PID 3412 wrote to memory of 348	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	106
PID 3412 wrote to memory of 3012	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	107
PID 3412 wrote to memory of 3012	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	107
PID 3412 wrote to memory of 3012	3412	{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe	107
PID 348 wrote to memory of 2248	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	108
PID 348 wrote to memory of 2248	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	108
PID 348 wrote to memory of 2248	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	108
PID 348 wrote to memory of 4920	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	109
PID 348 wrote to memory of 4920	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	109
PID 348 wrote to memory of 4920	348	{B87B4232-167D-41fb-BA80-330A3396C20F}.exe	109
PID 2248 wrote to memory of 4256	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	110
PID 2248 wrote to memory of 4256	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	110
PID 2248 wrote to memory of 4256	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	110
PID 2248 wrote to memory of 4972	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	111
PID 2248 wrote to memory of 4972	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	111
PID 2248 wrote to memory of 4972	2248	{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe	111
PID 4256 wrote to memory of 4216	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	112
PID 4256 wrote to memory of 4216	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	112
PID 4256 wrote to memory of 4216	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	112
PID 4256 wrote to memory of 3952	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	113
PID 4256 wrote to memory of 3952	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	113
PID 4256 wrote to memory of 3952	4256	{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe	113
PID 4216 wrote to memory of 664	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	114
PID 4216 wrote to memory of 664	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	114
PID 4216 wrote to memory of 664	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	114
PID 4216 wrote to memory of 2224	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	115
PID 4216 wrote to memory of 2224	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	115
PID 4216 wrote to memory of 2224	4216	{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe	115
PID 664 wrote to memory of 2492	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	116
PID 664 wrote to memory of 2492	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	116
PID 664 wrote to memory of 2492	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	116
PID 664 wrote to memory of 2160	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	117
PID 664 wrote to memory of 2160	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	117
PID 664 wrote to memory of 2160	664	{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe	117
PID 2492 wrote to memory of 4636	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	118
PID 2492 wrote to memory of 4636	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	118
PID 2492 wrote to memory of 4636	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	118
PID 2492 wrote to memory of 232	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	119
PID 2492 wrote to memory of 232	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	119
PID 2492 wrote to memory of 232	2492	{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe	119
PID 4636 wrote to memory of 324	4636	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe	120
PID 4636 wrote to memory of 324	4636	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe	120
PID 4636 wrote to memory of 324	4636	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe	120
PID 4636 wrote to memory of 568	4636	{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_3ef7fbb7c3226131fe89452e12df0bb5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
  C:\Windows\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
    C:\Windows\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
      C:\Windows\{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
        
        C:\Windows\{B87B4232-167D-41fb-BA80-330A3396C20F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
        
        C:\Windows\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
        
        C:\Windows\{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe
        
        C:\Windows\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
        
        C:\Windows\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
        
        C:\Windows\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe
        
        C:\Windows\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}.exe
        
        C:\Windows\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}.exe
        12⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D5B7~1.EXE > nul
        12⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E337F~1.EXE > nul
        11⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC2B5~1.EXE > nul
        10⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3290D~1.EXE > nul
        9⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96D5C~1.EXE > nul
        8⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE66E~1.EXE > nul
        7⤵
        
        PID:4972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B87B4~1.EXE > nul
        6⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B01~1.EXE > nul
        5⤵
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3970D~1.EXE > nul
      4⤵
      PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{66FFF~1.EXE > nul
    3⤵
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D5B7ED0-04FA-4cdb-B3E8-36D141E1340A}.exe

Filesize
216KB

MD5
687e07b38589840e9b038910e5b3308a

SHA1
9a82e0cadd8a4f78dbed3b54b8a6bad5a33ae3f6

SHA256
c73173d4076fcaa0e87a56eb9e55b0c86b9689f45a9ad1f1194306f28ef7d99d

SHA512
98f5b07ecceba205b68d583ef91b1595549e6a739a8635c59d341db42da426afea9685cfe969eeb863e66663e3f354cd0e24a6b8435c208b4604976a88ae9533

Download Submit
C:\Windows\{25B016EE-1267-4323-82FB-7F1BDA3095C1}.exe

Filesize
216KB

MD5
ce03fd0137fcb5304b95af756a6a889b

SHA1
fb38a54e6d1d3b00a70d1697db565417b64ab98e

SHA256
2696fe3d307ecafe40ac953fcf883e01fca1cb943e1233d7c2754c2730400bef

SHA512
d9deca17800b11956139ba1a6adc8b4ba15bf97738c543b01c6865c74aea4f20d82bb2b6784bc95927a0fed91690384db96e3d0de907fda80c5d371f80a495a8

Download Submit
C:\Windows\{3290D42F-3EF0-4b9e-A64A-9529496B0C72}.exe

Filesize
216KB

MD5
2a2e0a7fd167ee0160b16e8d2e995baf

SHA1
045e155129d490c558707157c081686e9f20a078

SHA256
0ab00075780751d0cc0507fc3bf86d951c557db0334461a0c8da87292f674c3d

SHA512
e74cb08f0a7e59a092b3e209f05c44ff62282a4b562b0a011d715813efaea3a85c550bf9f42baf30ed254e16c5b1bfc10ec31bdfb8921e2a45eb284c312be489

Download Submit
C:\Windows\{3970DAEC-58EB-4213-9B4E-9B0CB95C3832}.exe

Filesize
216KB

MD5
f6ed22b43f09ba6c8d40d6659b94f59b

SHA1
fcc839e730e8555ca3447216fe53799324ac43ce

SHA256
b1aeee0387a9a951a64071a9ccd640db3c5d336b996350f73b6abc6323a34b00

SHA512
d834abb61273eead681896fb60768e5b0e6cdfb285e40813edb73f294236772e708f983d3ad02286755198814e4676de68a523ff5f9a797f854397c210331ae0

Download Submit
C:\Windows\{66FFF8A2-1CA6-4b3e-9269-899DC23A36B4}.exe

Filesize
216KB

MD5
85dcb5f4c017cf6641392753f4b75a44

SHA1
0a285f2936f17f3f675e4fd08d9eb71ce20c8a9e

SHA256
43724386b14a4b70c7d62ec90ebcfb5dd8e78acef59696f6b95a115b62ccff0d

SHA512
d3bf1285e150d62d5d711c52089c50d2239172c0baea83c3e51093589f13195c3bee1f7414c768b121b3d5897b7177803882c463a57445aedb5fe82a859d4338

Download Submit
C:\Windows\{96D5CC95-518D-4417-977F-2B2ED61A1A52}.exe

Filesize
216KB

MD5
358db358dc02faede89bd725926ecf57

SHA1
7220c532875932dddd315d2ec588b68b98c14f9f

SHA256
399d5c01624db37d42f298210b1b62457198992db6ddcf0d1c27e15d768f6033

SHA512
9dab31f80c55e4b4772c60c02183976f532049b48ecbaa51c54ed29a6db1865ce09ed6d59179c3a2848d80a51e10f93ec3b51e353446356a32ab375ce9214889

Download Submit
C:\Windows\{AE66EA1E-975F-4ac6-82F3-5EDCB6C69E3E}.exe

Filesize
216KB

MD5
d630ce759a1ed23fd9a2cfba6fd3a066

SHA1
83e60729984ebe9387b0c59997dff52e23bcf0f1

SHA256
8d6b8bec713b5e7afe81e420bfc2d98645ed251977ed83f981f835a5328922a9

SHA512
c087f98ac4e53f037d82ecb8d877db27171df914e57dd31b538be6a77451acc60b2017266078585b134f4be6c793ee02059ce15887c698bf066fe83faa6537e2

Download Submit
C:\Windows\{B87B4232-167D-41fb-BA80-330A3396C20F}.exe

Filesize
216KB

MD5
260985ba983b42c1312e98376943feb1

SHA1
71668f690b0d6f4790f1aefc936ed2fc62900e13

SHA256
606582bbae1a5953da1c8dc614e5319586113b9a34146614e742c79173d11535

SHA512
f2aa4106b4756456d99945e4856b21535550b27391068e2297e3253f6f29ebcdad2645e5b6f402893cd6461282eb8e413bae110eb081083359de268fd32a1b0d

Download Submit
C:\Windows\{CC2B5DCA-B1ED-4305-AF21-0E02EF9088B3}.exe

Filesize
216KB

MD5
828c9afa0b23897373ec9eefe0e9779b

SHA1
b3b04a65a7dce58e653808a544bba2b3e3d4af38

SHA256
b3e07ba6df2c6a9f9f3c9df9e254a81a540870ce21800e2e59b91c5254f94faa

SHA512
54c17120642ca05c2c1384ef53ee74522f05820cc54f6e6ffcf0023e7e9d06d1c0644f1379f20f3cb2899cf24aaf5eab6c8658e7e74a03774eb232aa965d6150

Download Submit
C:\Windows\{E337F182-088A-4b5c-9176-C73EFDDFC7B2}.exe

Filesize
216KB

MD5
b91b3b0728c3be6db193e79c54ffb7ca

SHA1
cb91accc435c75c71b25b02cfb0941f5278707a6

SHA256
b83a260ff22f64a695d1029cea5360f90421cd039d9323d8d865b6f714e87c64

SHA512
b9494fcd9d77c4427c798396a263fad1ffe3d1fe1f8727c28b15c8edb1c408ccf0f41c6d68c0611abe18be519feab3691cdb4c8fda83fd7b1be2c889ef710801

Download Submit
C:\Windows\{F5A844F3-C2F1-4d0d-9821-41E71B551FF3}.exe

Filesize
216KB

MD5
1d35a1c895e2a92d64c476d5c45056fc

SHA1
b57085445d2ce02ee75ffa9cfe7cdb61364e4228

SHA256
e1752e1820037e48d07a02c43022604d6777decccae2cd37201be147ecedb33a

SHA512
f4d4e8cf1fa1e844ed083adbfde1f80a1a53d95028a3fac5e9453ec9dda9bbdfd9859add63a93cc3238e0d882203ef359709d334576b190c8307f7010a0e4c86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads