Analysis

max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 14:35

Static task: static1

Behavioral task: behavioral1
Sample: 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Resource: win10v2004-20231215-en

General

Target: 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Size: 344KB
MD5: 7af93560dfe168c250f011a545317e9f
SHA1: c96d46a02263c00dd052444d1fa0f47eab85fa1c
SHA256: 566a6f94c75b8bcb4432c6964fa94f373e7e9b059c9b49ef9cef6b4068537d7d
SHA512: 9982863b97db4fa25481724641cca1e0b93516cc3fc8c411df39bc2321542edc582d06ec7fe40360b7912172d530e504a2e11bb8085dea8fa955fe6b610022fb
SSDEEP: 3072:mEGh0oblEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures
Auto-generated rule (11 IoCs)

resource | yara_rule
behavioral1/files/0x0009000000015c46-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c67-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c46-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015ce6-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c46-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c46-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c46-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

All keys below are relative to \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\

description | ioc | Process
Set value (str) | {80021C7D-2660-427a-B889-939F82C277F4}\stubpath = "C:\\Windows\\{80021C7D-2660-427a-B889-939F82C277F4}.exe" | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe
Set value (str) | {34CE4996-A829-40e3-A3A0-742D4638C1AB}\stubpath = "C:\\Windows\\{34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe" | {80021C7D-2660-427a-B889-939F82C277F4}.exe
Set value (str) | {A86081BB-AE97-44ef-A816-FF961EC2AC36}\stubpath = "C:\\Windows\\{A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe" | {34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
Set value (str) | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}\stubpath = "C:\\Windows\\{3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe" | 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Key created | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC} | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
Set value (str) | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}\stubpath = "C:\\Windows\\{EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe" | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
Set value (str) | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}\stubpath = "C:\\Windows\\{28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe" | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
Key created | {80021C7D-2660-427a-B889-939F82C277F4} | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe
Key created | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138} | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
Key created | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C} | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
Set value (str) | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}\stubpath = "C:\\Windows\\{6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe" | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
Set value (str) | {B9C71314-1DDA-46cc-8F32-B6547E2B5602}\stubpath = "C:\\Windows\\{B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe" | {A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
Key created | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E} | 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Key created | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B} | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
Key created | {34CE4996-A829-40e3-A3A0-742D4638C1AB} | {80021C7D-2660-427a-B889-939F82C277F4}.exe
Key created | {A86081BB-AE97-44ef-A816-FF961EC2AC36} | {34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
Key created | {B9C71314-1DDA-46cc-8F32-B6547E2B5602} | {A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
Set value (str) | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}\stubpath = "C:\\Windows\\{F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe" | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
Key created | {7DF338F3-6F65-48b2-9B9D-0F04C6396414} | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
Set value (str) | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}\stubpath = "C:\\Windows\\{7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe" | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
Key created | {90736CBB-0974-4217-9452-C043D7A83EAA} | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
Set value (str) | {90736CBB-0974-4217-9452-C043D7A83EAA}\stubpath = "C:\\Windows\\{90736CBB-0974-4217-9452-C043D7A83EAA}.exe" | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
Deletes itself (1 IoCs)

pid | Process
1628 | cmd.exe

Executes dropped EXE (11 IoCs)

pid | Process
3052 | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
2676 | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
2808 | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
2244 | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
2528 | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
1592 | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
2208 | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe
2944 | {80021C7D-2660-427a-B889-939F82C277F4}.exe
864 | {34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
612 | {A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
1124 | {B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe

Drops file in Windows directory (11 IoCs)

description | ioc | Process
File created | C:\Windows\{3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe | 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
File created | C:\Windows\{F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
File created | C:\Windows\{EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
File created | C:\Windows\{7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
File created | C:\Windows\{6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
File created | C:\Windows\{80021C7D-2660-427a-B889-939F82C277F4}.exe | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe
File created | C:\Windows\{A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe | {34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
File created | C:\Windows\{28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
File created | C:\Windows\{90736CBB-0974-4217-9452-C043D7A83EAA}.exe | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
File created | C:\Windows\{34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe | {80021C7D-2660-427a-B889-939F82C277F4}.exe
File created | C:\Windows\{B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe | {A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2928 | 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3052 | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
Token: SeIncBasePriorityPrivilege | 2676 | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
Token: SeIncBasePriorityPrivilege | 2808 | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
Token: SeIncBasePriorityPrivilege | 2244 | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
Token: SeIncBasePriorityPrivilege | 2528 | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
Token: SeIncBasePriorityPrivilege | 1592 | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
Token: SeIncBasePriorityPrivilege | 2208 | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe
Token: SeIncBasePriorityPrivilege | 2944 | {80021C7D-2660-427a-B889-939F82C277F4}.exe
Token: SeIncBasePriorityPrivilege | 864 | {34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
Token: SeIncBasePriorityPrivilege | 612 | {A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

The raw log records each parent-to-child write four times; the 16 distinct parent/child pairs are listed once below with their repeat count.

description | pid | Process | procid_target
PID 2928 wrote to memory of 3052 (x4) | 2928 | 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe | 28
PID 2928 wrote to memory of 1628 (x4) | 2928 | 2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe | 29
PID 3052 wrote to memory of 2676 (x4) | 3052 | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe | 30
PID 3052 wrote to memory of 2660 (x4) | 3052 | {3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe | 31
PID 2676 wrote to memory of 2808 (x4) | 2676 | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe | 32
PID 2676 wrote to memory of 2304 (x4) | 2676 | {F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe | 33
PID 2808 wrote to memory of 2244 (x4) | 2808 | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe | 36
PID 2808 wrote to memory of 2172 (x4) | 2808 | {EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe | 37
PID 2244 wrote to memory of 2528 (x4) | 2244 | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe | 38
PID 2244 wrote to memory of 2576 (x4) | 2244 | {7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe | 39
PID 2528 wrote to memory of 1592 (x4) | 2528 | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe | 40
PID 2528 wrote to memory of 812 (x4) | 2528 | {6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe | 41
PID 1592 wrote to memory of 2208 (x4) | 1592 | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe | 42
PID 1592 wrote to memory of 2720 (x4) | 1592 | {28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe | 43
PID 2208 wrote to memory of 2944 (x4) | 2208 | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe | 45
PID 2208 wrote to memory of 1416 (x4) | 2208 | {90736CBB-0974-4217-9452-C043D7A83EAA}.exe | 44
Processes

Process tree (indentation shows parent/child nesting; each node gives the image path, its command line, the signatures that fired for it, and its PID).

C:\Users\Admin\AppData\Local\Temp\2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe (depth 1, PID 2928)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\{3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe (depth 2, PID 3052)
    command line: C:\Windows\{3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\{F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe (depth 3, PID 2676)
      command line: C:\Windows\{F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\{EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe (depth 4, PID 2808)
        command line: C:\Windows\{EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\{7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe (depth 5, PID 2244)
          command line: C:\Windows\{7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\{6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe (depth 6, PID 2528)
            command line: C:\Windows\{6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\{28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe (depth 7, PID 1592)
              command line: C:\Windows\{28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              C:\Windows\{90736CBB-0974-4217-9452-C043D7A83EAA}.exe (depth 8, PID 2208)
                command line: C:\Windows\{90736CBB-0974-4217-9452-C043D7A83EAA}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe (depth 9, PID 1416)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{90736~1.EXE > nul

                C:\Windows\{80021C7D-2660-427a-B889-939F82C277F4}.exe (depth 9, PID 2944)
                  command line: C:\Windows\{80021C7D-2660-427a-B889-939F82C277F4}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken

                  C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2892)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{80021~1.EXE > nul

                  C:\Windows\{34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe (depth 10, PID 864)
                    command line: C:\Windows\{34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\SysWOW64\cmd.exe (depth 11, PID 384)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34CE4~1.EXE > nul

                    C:\Windows\{A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe (depth 11, PID 612)
                      command line: C:\Windows\{A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken

                      C:\Windows\{B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe (depth 12, PID 1124)
                        command line: C:\Windows\{B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe
                        - Executes dropped EXE

                      C:\Windows\SysWOW64\cmd.exe (depth 12, PID 1872)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A8608~1.EXE > nul

              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2720)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{28C1E~1.EXE > nul

            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 812)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6C2DF~1.EXE > nul

          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2576)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7DF33~1.EXE > nul

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2172)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EE3FD~1.EXE > nul

      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2304)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0566~1.EXE > nul

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2660)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3B693~1.EXE > nul

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1628)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads