Analysis

max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:21
Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Resource: win10v2004-20240226-en
General

Target: 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Size: 197KB
MD5: 07df5cc6838f279930c33904c850e1db
SHA1: db9fad254bcead8c4c6d5c66633b4ed7ef9d46d4
SHA256: 20c1f5b05d5cb43caee71a2c91870af3415c008102ab0f54d480f1df4f615b1e
SHA512: 3c706f99aac39d42683dc38e62f9b9e251f5811d6c0fcdc5e50647a73c2bae1dc26e06bdaf973ebd9c4d108e5c531fd5a03728b43d9fa5387abadf998c45b9b1
SSDEEP: 3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG8lEeKcAEca
Malware Config
Signatures
Auto-generated rule (11 IoCs)

resource | yara_rule
behavioral1/files/0x00070000000122be-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016813-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122be-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016ce4-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122be-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016ce4-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016ce4-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016cf5-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7093274-1777-4ac4-B969-E6BE00326EBC} | {C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349BF865-E6B3-476e-92E2-7DEFAB157E09}\stubpath = "C:\\Windows\\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe" | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}\stubpath = "C:\\Windows\\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe" | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}\stubpath = "C:\\Windows\\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe" | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55759448-FCFD-491b-8029-1400D52CA454} | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55759448-FCFD-491b-8029-1400D52CA454}\stubpath = "C:\\Windows\\{55759448-FCFD-491b-8029-1400D52CA454}.exe" | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C3D896-65C9-4269-B2E0-68CF526001C5} | {55759448-FCFD-491b-8029-1400D52CA454}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0356565-AC7A-46b8-B37E-B4E01826C914} | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37} | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}\stubpath = "C:\\Windows\\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe" | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0} | {F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0356565-AC7A-46b8-B37E-B4E01826C914}\stubpath = "C:\\Windows\\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe" | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}\stubpath = "C:\\Windows\\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe" | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84A3C94-099A-4550-90D4-FEF732FE301E}\stubpath = "C:\\Windows\\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe" | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD} | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C3D896-65C9-4269-B2E0-68CF526001C5}\stubpath = "C:\\Windows\\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe" | {55759448-FCFD-491b-8029-1400D52CA454}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}\stubpath = "C:\\Windows\\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe" | {F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349BF865-E6B3-476e-92E2-7DEFAB157E09} | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7} | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694} | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84A3C94-099A-4550-90D4-FEF732FE301E} | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7093274-1777-4ac4-B969-E6BE00326EBC}\stubpath = "C:\\Windows\\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe" | {C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
Deletes itself (1 IoC)

pid | Process
2580 | cmd.exe
Executes dropped EXE (11 IoCs)

pid | Process
3016 | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
2396 | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
2284 | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
2456 | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
2660 | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
2208 | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
1244 | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
2032 | {55759448-FCFD-491b-8029-1400D52CA454}.exe
1912 | {C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
336 | {F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
568 | {6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe
Drops file in Windows directory (11 IoCs)

description | ioc | Process
File created | C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
File created | C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
File created | C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
File created | C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe | {55759448-FCFD-491b-8029-1400D52CA454}.exe
File created | C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
File created | C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
File created | C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
File created | C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
File created | C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
File created | C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe | {C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
File created | C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe | {F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2908 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3016 | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
Token: SeIncBasePriorityPrivilege | 2396 | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
Token: SeIncBasePriorityPrivilege | 2284 | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
Token: SeIncBasePriorityPrivilege | 2456 | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
Token: SeIncBasePriorityPrivilege | 2660 | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
Token: SeIncBasePriorityPrivilege | 2208 | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
Token: SeIncBasePriorityPrivilege | 1244 | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
Token: SeIncBasePriorityPrivilege | 2032 | {55759448-FCFD-491b-8029-1400D52CA454}.exe
Token: SeIncBasePriorityPrivilege | 1912 | {C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
Token: SeIncBasePriorityPrivilege | 336 | {F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
Suspicious use of WriteProcessMemory (64 IoCs; each row below is reported 4 times in the original table)

description | pid | Process | procid_target
PID 2908 wrote to memory of 3016 | 2908 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 28
PID 2908 wrote to memory of 2580 | 2908 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 29
PID 3016 wrote to memory of 2396 | 3016 | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe | 30
PID 3016 wrote to memory of 2508 | 3016 | {349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe | 31
PID 2396 wrote to memory of 2284 | 2396 | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe | 32
PID 2396 wrote to memory of 2188 | 2396 | {E0356565-AC7A-46b8-B37E-B4E01826C914}.exe | 33
PID 2284 wrote to memory of 2456 | 2284 | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe | 36
PID 2284 wrote to memory of 2664 | 2284 | {5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe | 37
PID 2456 wrote to memory of 2660 | 2456 | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe | 38
PID 2456 wrote to memory of 1276 | 2456 | {4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe | 39
PID 2660 wrote to memory of 2208 | 2660 | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe | 40
PID 2660 wrote to memory of 832 | 2660 | {D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe | 41
PID 2208 wrote to memory of 1244 | 2208 | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe | 42
PID 2208 wrote to memory of 2448 | 2208 | {C84A3C94-099A-4550-90D4-FEF732FE301E}.exe | 43
PID 1244 wrote to memory of 2032 | 1244 | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe | 44
PID 1244 wrote to memory of 1688 | 1244 | {4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe | 45
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"
  PID: 2908
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
  Command line: C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
  PID: 3016
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
  Command line: C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
  PID: 2396
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
  Command line: C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
  PID: 2284
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
  Command line: C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
  PID: 2456
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
  Command line: C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
  PID: 2660
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
  Command line: C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
  PID: 2208
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
  Command line: C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
  PID: 1244
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
  Command line: C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
  PID: 2032
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Depth 10: C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
  Command line: C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
  PID: 1912
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Depth 11: C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
  Command line: C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
  PID: 336
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Depth 12: C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe
  Command line: C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe
  PID: 568
  - Executes dropped EXE

Depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F7093~1.EXE > nul
  PID: 1124

Depth 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C3D~1.EXE > nul
  PID: 988

Depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{55759~1.EXE > nul
  PID: 2356

Depth 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4ACB5~1.EXE > nul
  PID: 1688

Depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C84A3~1.EXE > nul
  PID: 2448

Depth 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0067~1.EXE > nul
  PID: 832

Depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4FF2C~1.EXE > nul
  PID: 1276

Depth 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6A3~1.EXE > nul
  PID: 2664

Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E0356~1.EXE > nul
  PID: 2188

Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{349BF~1.EXE > nul
  PID: 2508

Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 2580
  - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 197KB
MD5: cb25b0cfcbce8417a444a1818549e343
SHA1: 3e15d11255b914c0f258733deb2608e44fbd6333
SHA256: a5a11e872ecc6f0c0e2a9956f7bdad13bb8cb475be309178ed671937bd37ac55
SHA512: 1543034484d568b647b776e9969aac6dd3d0303255937d1719d8d1532feb20382761598c12a33f2501217437fbae1b4f7426f1620dcfebb4b71922e326d7945a

File 2
Filesize: 197KB
MD5: a403e45f00c7ee093696e1840e57f63c
SHA1: 6bc43aabaa9c5caa9a00dd6fbd11000d05c70dbb
SHA256: cd8abe234389dfcb3f196b1a745065510e39c886f220ad3de941bcde527a5de8
SHA512: 3dfba8762375a6bcfaaa247ce9ab623d8121e8168d04556b46371e71d852e949a14f7a76e31ea9817881740da5a0cfee0b48674bbadb19f5eaf1ad9112b0d8c4

File 3
Filesize: 197KB
MD5: a3f5b5235fc3b8118941866068d937a0
SHA1: afce5bac60e6a86368e39b28b9f2a5e3e458712b
SHA256: 7b4de28c1827e8656f98b49c248acfcab3aea4b281de37e08a3c7054c9bc0abb
SHA512: fdff73845cceeecbf882d72d33786352297347a5dd318ca4325062c19a6044320550c3dcf197002a05ad5539c0de2542a0ad60996a1c00d3dbf2225bb2e38d92

File 4
Filesize: 197KB
MD5: cbfdf45502c266e02a7bd3d996d32a2e
SHA1: 22db723ef20d8d55271f362036cc27782cd2314b
SHA256: 4188e718c8054ce771cdee46c18697fa3fc7a55ace15a93a5abf793b84575474
SHA512: 7425d850c173802db952584ff1623526a2cdb0ac5592a7cb0c732cc2821a7e47b05579dc0e4c14b5b9a2c9dce9d02dd3a4f596de277042603cf15dd694800ce2

File 5
Filesize: 197KB
MD5: 5db3c689872e6469504b0f76a19e31ec
SHA1: 6d98063c96b260568fe10aab43b65eb5351662e1
SHA256: 51d54906e7415d21e278aaad08ac053ecc4a6ee2216fa614977f9a0e2be0bf3f
SHA512: 84c98954a17a5d338086af1e5eb7575efe8249d497f625dec340c585633759f1f6e5fe9c2d813d550e41bb0bd1ace58a22dcdd45eaf4e5244ed7d49fb558753d

File 6
Filesize: 197KB
MD5: 5ba6854e805176daad8ec33cbbbb362f
SHA1: 10249623952118c5b5ed62a77398da505a01a96f
SHA256: 83f81b1e659a665d2aec11335c40e6be18cc30d40349e3613b88106bddadef93
SHA512: 8792aa494af8959119ef04b6cc9644312a2abb885e763e75818e79df3d8f3e44c2050302ec5540ac5a36148757565ef6647f6f6e20d0f0e6df1abf4d7d8683f1

File 7
Filesize: 197KB
MD5: e434399788ed1d3a9f561850554d3882
SHA1: 2ddb7b08107150f36b0479064f7d3ee3953b5cd1
SHA256: 95ad3dfabbe06a664113a2e3f5a2f9905209e9b6a3d15d42479815afcd4d4e2c
SHA512: 57f0628ef1319764cbaa3f0009067dbc94cc077269852fb8288e6e658afd2e9d71d62cbd8d55aa860a734d83f2dab4981114b3cde79e4391982ce62deacc3eed

File 8
Filesize: 197KB
MD5: c53cada65f0aae9ddf758daaa5613eaf
SHA1: 9329dc931db3e747bbb69b752d6059f12e207e2a
SHA256: 5e5f086ebe80fb0b0483517f9cddd95737bcc4c60a246db2a8f880872085b81a
SHA512: 544093018bb11f4246ee241f462320bae53c2403ecc598ac63abf879e5a479aeb7d5a4c9e973670abc128fa3a57f7b5ff51f987d7a4b5fd8bdccd3e8ea7ec517

File 9
Filesize: 197KB
MD5: 18151b9edfa5d4de05afdbfc2c7e7524
SHA1: 7543c574375f583c7a04215fbfdcb20cffe6fc75
SHA256: 2dd41b6f5f92528c6033d668d382b232c82e4b6835e6c142595788f8fd5c3714
SHA512: 521dd13cd30ae08768fdf3b12f299a329030512e474b602afe3f73db532d2db7c101f8231ce2693a568a6b96ac50f1f46dbfe52b8c28455b9f0f0c12d7f11f44

File 10
Filesize: 197KB
MD5: 9972b236f565d23a0129d52161547462
SHA1: 9808ba32a2c84e8f6734afa641236c7ce11af06f
SHA256: 4a56bfec3eb1a099db22b3f1e2d48f0a3bbe368768fdb63812708d7e33646512
SHA512: f2dea232b02786d161ab1ef98a68a002632f36406bb41bb2765d730be54ff07a16f069eb386d8ca50ddb5f3c486776cc558c7a65d7844f7341d66bbab783b853

File 11
Filesize: 197KB
MD5: 1cf7581d5a88697cccc4e18e87cc7bb9
SHA1: b19a93894819855e59315924480436f518fcb46a
SHA256: 751d7f581e8ac21da26b76f1ef096d196c72fe2d539b6b35ff3e556e9b295932
SHA512: 307b2732ab4fa693b9a4c8c4638375930045e3c82bfb1f32787eb38bc090ec1079ece9561b4f1c9c29da19fc2b0cf80f536609a16c029ad1e9264b2e4f507ef0