Analysis
max time kernel: 144s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Size: 408KB
MD5: 5563717ece795b8d9bcdf32e23573d0e
SHA1: 64560ef9cb7b54b3c16a5cebbf8a79e68ddf4b32
SHA256: 07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615
SHA512: 51b34fd5a59962732707f669897a6c8ab3c15e8103b8f223caae38e568b439c19de8508e3d01928e82bf280fbbadf6334019faf593aa9201df29bcc251c62874
SSDEEP: 3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures

Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000016d24-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d24-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d24-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d84-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d24-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d84-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016d24-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d84-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d89-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d84-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000001704f-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016d84-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B} | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A081A041-FB51-4b83-A4F2-DB029A990789}\stubpath = "C:\\Windows\\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe" | {73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D442DA56-6D21-4011-9C2A-9A090EDD21E7} | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}\stubpath = "C:\\Windows\\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe" | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}\stubpath = "C:\\Windows\\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe" | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467F62E4-A9F6-4496-8D3A-12761792D9FE} | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A081A041-FB51-4b83-A4F2-DB029A990789} | {73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE6B544-9626-4129-85B6-66F9CFA910A8} | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}\stubpath = "C:\\Windows\\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe" | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433668F4-6242-4c2e-A412-0D1760A89D27}\stubpath = "C:\\Windows\\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe" | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}\stubpath = "C:\\Windows\\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe" | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD} | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C} | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}\stubpath = "C:\\Windows\\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe" | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE6B544-9626-4129-85B6-66F9CFA910A8}\stubpath = "C:\\Windows\\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe" | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467F62E4-A9F6-4496-8D3A-12761792D9FE}\stubpath = "C:\\Windows\\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe" | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318} | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433668F4-6242-4c2e-A412-0D1760A89D27} | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BE235A-C140-4c57-82F5-4A2B196B5C95} | {433668F4-6242-4c2e-A412-0D1760A89D27}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BE235A-C140-4c57-82F5-4A2B196B5C95}\stubpath = "C:\\Windows\\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe" | {433668F4-6242-4c2e-A412-0D1760A89D27}.exe
Deletes itself (1 IoC)
pid | Process
1252 | cmd.exe
Executes dropped EXE (10 IoCs)
pid | Process
1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
2700 | {433668F4-6242-4c2e-A412-0D1760A89D27}.exe
1600 | {73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
3024 | {A081A041-FB51-4b83-A4F2-DB029A990789}.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
File created | C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
File created | C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
File created | C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe | {73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
File created | C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
File created | C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
File created | C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
File created | C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
File created | C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
File created | C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe | {433668F4-6242-4c2e-A412-0D1760A89D27}.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
Token: SeIncBasePriorityPrivilege | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
Token: SeIncBasePriorityPrivilege | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
Token: SeIncBasePriorityPrivilege | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
Token: SeIncBasePriorityPrivilege | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
Token: SeIncBasePriorityPrivilege | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
Token: SeIncBasePriorityPrivilege | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
Token: SeIncBasePriorityPrivilege | 2700 | {433668F4-6242-4c2e-A412-0D1760A89D27}.exe
Token: SeIncBasePriorityPrivilege | 1600 | {73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2240 wrote to memory of 1296 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 30
PID 2240 wrote to memory of 1296 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 30
PID 2240 wrote to memory of 1296 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 30
PID 2240 wrote to memory of 1296 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 30
PID 2240 wrote to memory of 1252 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 31
PID 2240 wrote to memory of 1252 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 31
PID 2240 wrote to memory of 1252 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 31
PID 2240 wrote to memory of 1252 | 2240 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe | 31
PID 1296 wrote to memory of 2324 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 32
PID 1296 wrote to memory of 2324 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 32
PID 1296 wrote to memory of 2324 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 32
PID 1296 wrote to memory of 2324 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 32
PID 1296 wrote to memory of 1992 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 33
PID 1296 wrote to memory of 1992 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 33
PID 1296 wrote to memory of 1992 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 33
PID 1296 wrote to memory of 1992 | 1296 | {D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe | 33
PID 2324 wrote to memory of 576 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 34
PID 2324 wrote to memory of 576 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 34
PID 2324 wrote to memory of 576 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 34
PID 2324 wrote to memory of 576 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 34
PID 2324 wrote to memory of 704 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 35
PID 2324 wrote to memory of 704 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 35
PID 2324 wrote to memory of 704 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 35
PID 2324 wrote to memory of 704 | 2324 | {D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe | 35
PID 576 wrote to memory of 1736 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 36
PID 576 wrote to memory of 1736 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 36
PID 576 wrote to memory of 1736 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 36
PID 576 wrote to memory of 1736 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 36
PID 576 wrote to memory of 564 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 37
PID 576 wrote to memory of 564 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 37
PID 576 wrote to memory of 564 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 37
PID 576 wrote to memory of 564 | 576 | {A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe | 37
PID 1736 wrote to memory of 1772 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 38
PID 1736 wrote to memory of 1772 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 38
PID 1736 wrote to memory of 1772 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 38
PID 1736 wrote to memory of 1772 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 38
PID 1736 wrote to memory of 2616 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 39
PID 1736 wrote to memory of 2616 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 39
PID 1736 wrote to memory of 2616 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 39
PID 1736 wrote to memory of 2616 | 1736 | {4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe | 39
PID 1772 wrote to memory of 2452 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 40
PID 1772 wrote to memory of 2452 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 40
PID 1772 wrote to memory of 2452 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 40
PID 1772 wrote to memory of 2452 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 40
PID 1772 wrote to memory of 2552 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 41
PID 1772 wrote to memory of 2552 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 41
PID 1772 wrote to memory of 2552 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 41
PID 1772 wrote to memory of 2552 | 1772 | {4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe | 41
PID 2452 wrote to memory of 2628 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 42
PID 2452 wrote to memory of 2628 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 42
PID 2452 wrote to memory of 2628 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 42
PID 2452 wrote to memory of 2628 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 42
PID 2452 wrote to memory of 2856 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 43
PID 2452 wrote to memory of 2856 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 43
PID 2452 wrote to memory of 2856 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 43
PID 2452 wrote to memory of 2856 | 2452 | {467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe | 43
PID 2628 wrote to memory of 2700 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 44
PID 2628 wrote to memory of 2700 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 44
PID 2628 wrote to memory of 2700 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 44
PID 2628 wrote to memory of 2700 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 44
PID 2628 wrote to memory of 1868 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 45
PID 2628 wrote to memory of 1868 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 45
PID 2628 wrote to memory of 1868 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 45
PID 2628 wrote to memory of 1868 | 2628 | {ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe | 45
Processes
The number in brackets is the depth in the process tree; each entry is indented under its parent.

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"
    PID: 2240
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
      command line: C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
      PID: 1296
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
        command line: C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
        PID: 2324
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
          command line: C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
          PID: 576
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
            command line: C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
            PID: 1736
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
              command line: C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
              PID: 1772
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
                command line: C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
                PID: 2452
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
                  command line: C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
                  PID: 2628
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe
                    command line: C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe
                    PID: 2700
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
                      command line: C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
                      PID: 1600
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe
                        command line: C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe
                        PID: 3024
                        - Executes dropped EXE
                    [11] C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{73BE2~1.EXE > nul
                        PID: 3004
                  [10] C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{43366~1.EXE > nul
                      PID: 2940
                [9] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC1D~1.EXE > nul
                    PID: 1868
              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{467F6~1.EXE > nul
                  PID: 2856
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE6B~1.EXE > nul
                PID: 2552
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADE3~1.EXE > nul
              PID: 2616
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A845F~1.EXE > nul
            PID: 564
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D9C~1.EXE > nul
          PID: 704
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D442D~1.EXE > nul
        PID: 1992
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 1252
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads