Analysis
max time kernel: 144s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Size: 408KB
MD5: 5264be32e86275d2fbdda6a68bc09148
SHA1: bd73f0431bae5e161f6c51b23d8ecb479e4105f1
SHA256: 83be2346e78cbcf6e06dc63789dcbfcfb87fecabc7b49f354fb6bcee7706c54e
SHA512: deb386b08978fbe23c46b93b774440ffc767d6bd8a3f5faeaf696c812b7e94992cb13ef5a157457aa249c499b3e785968a4d53582759f097d51d2e60a5df0f16
SSDEEP: 3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012240-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001445e-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001445e-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001445e-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014a94-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014b6d-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014a94-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014b6d-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014a94-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}\stubpath = "C:\\Windows\\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe" | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D0518C9-C498-4069-AEB3-707DE9566E4C} | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6} | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159} | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B} | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754F45FB-7D04-4bf9-A437-2C5387617E6A} | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754F45FB-7D04-4bf9-A437-2C5387617E6A}\stubpath = "C:\\Windows\\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe" | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}\stubpath = "C:\\Windows\\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe" | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D066109B-3839-4e70-AE65-57F51B4909EA}\stubpath = "C:\\Windows\\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe" | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA} | {8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45545256-78E1-4cec-8C7F-EE66914D6709}\stubpath = "C:\\Windows\\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe" | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1D5380-4249-4d9b-84B3-099DE7E080CD} | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}\stubpath = "C:\\Windows\\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe" | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}\stubpath = "C:\\Windows\\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe" | {B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54} | {B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2} | {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}\stubpath = "C:\\Windows\\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe" | {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D066109B-3839-4e70-AE65-57F51B4909EA} | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D0518C9-C498-4069-AEB3-707DE9566E4C}\stubpath = "C:\\Windows\\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe" | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}\stubpath = "C:\\Windows\\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe" | {8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45545256-78E1-4cec-8C7F-EE66914D6709} | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}\stubpath = "C:\\Windows\\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe" | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe
Deletes itself (1 IoC)
pid | Process
1072 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2908 | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe
2748 | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
2444 | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
2364 | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
564 | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
2724 | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe
916 | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
1540 | {8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
1460 | {B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
2776 | {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
2076 | {FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
File created | C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe | {B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
File created | C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
File created | C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
File created | C:\Windows\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
File created | C:\Windows\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe
File created | C:\Windows\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe | {8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
File created | C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe | {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
File created | C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe
File created | C:\Windows\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
File created | C:\Windows\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2184 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2908 | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe
Token: SeIncBasePriorityPrivilege | 2748 | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
Token: SeIncBasePriorityPrivilege | 2444 | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
Token: SeIncBasePriorityPrivilege | 2364 | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
Token: SeIncBasePriorityPrivilege | 564 | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
Token: SeIncBasePriorityPrivilege | 2724 | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe
Token: SeIncBasePriorityPrivilege | 916 | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
Token: SeIncBasePriorityPrivilege | 1540 | {8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
Token: SeIncBasePriorityPrivilege | 1460 | {B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
Token: SeIncBasePriorityPrivilege | 2776 | {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each pair below was recorded four times (16 pairs, 64 events).
PID 2184 wrote to memory of 2908 | 2184 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 28 (x4)
PID 2184 wrote to memory of 1072 | 2184 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 29 (x4)
PID 2908 wrote to memory of 2748 | 2908 | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe | 30 (x4)
PID 2908 wrote to memory of 2624 | 2908 | {45545256-78E1-4cec-8C7F-EE66914D6709}.exe | 31 (x4)
PID 2748 wrote to memory of 2444 | 2748 | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe | 34 (x4)
PID 2748 wrote to memory of 2820 | 2748 | {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe | 35 (x4)
PID 2444 wrote to memory of 2364 | 2444 | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe | 36 (x4)
PID 2444 wrote to memory of 556 | 2444 | {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe | 37 (x4)
PID 2364 wrote to memory of 564 | 2364 | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe | 38 (x4)
PID 2364 wrote to memory of 2596 | 2364 | {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe | 39 (x4)
PID 564 wrote to memory of 2724 | 564 | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe | 40 (x4)
PID 564 wrote to memory of 1408 | 564 | {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe | 41 (x4)
PID 2724 wrote to memory of 916 | 2724 | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe | 42 (x4)
PID 2724 wrote to memory of 2204 | 2724 | {D066109B-3839-4e70-AE65-57F51B4909EA}.exe | 43 (x4)
PID 916 wrote to memory of 1540 | 916 | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe | 44 (x4)
PID 916 wrote to memory of 2352 | 916 | {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe | 45 (x4)
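The registry signature above is the durable indicator in this report: each stage writes HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}\stubpath (the Wow6432Node view because the writer is a 32-bit process), and Active Setup runs a StubPath once per user at logon whenever the user's HKCU copy of that component is absent (MITRE ATT&CK T1547.014). Every dropped stage in the Downloads section is 408KB with a different hash, so the hashes of the submitted file are weak indicators by comparison. The following Python is an added example, not part of the sandbox report: it reads the 11 "Set value (str)" IoC strings copied from this page, follows each writer to the file it persisted, and checks that every stubpath names a file carrying the same GUID as its key under C:\Windows. The parsing regex, the chain walk and the consistency checks are the editor's assumptions about how to read the report, not sandbox code.

```python
"""Reconstruct the Active Setup drop chain from the sandbox IoCs on this page.
Added example; the IoC strings are copied from the report, the parsing and
the chain logic are assumptions about how to interpret them."""
import re

SAMPLE = "2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"

# The 11 "Set value (str)" IoCs as printed in the report.  "Key created"
# IoCs are omitted: they carry no stubpath and therefore no persistence target.
SET_VALUE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}\stubpath = "C:\\Windows\\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe" {D066109B-3839-4e70-AE65-57F51B4909EA}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754F45FB-7D04-4bf9-A437-2C5387617E6A}\stubpath = "C:\\Windows\\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe" {0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}\stubpath = "C:\\Windows\\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe" {754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D066109B-3839-4e70-AE65-57F51B4909EA}\stubpath = "C:\\Windows\\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe" {7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45545256-78E1-4cec-8C7F-EE66914D6709}\stubpath = "C:\\Windows\\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe" 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}\stubpath = "C:\\Windows\\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe" {1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}\stubpath = "C:\\Windows\\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe" {B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}\stubpath = "C:\\Windows\\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe" {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D0518C9-C498-4069-AEB3-707DE9566E4C}\stubpath = "C:\\Windows\\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe" {A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}\stubpath = "C:\\Windows\\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe" {8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}\stubpath = "C:\\Windows\\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe" {45545256-78E1-4cec-8C7F-EE66914D6709}.exe',
]

# Assumed line shape: "Set value (str) <key>\stubpath = "<value>" <writer image name>"
STUBPATH_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\MACHINE\\.+?\\(?P<guid>\{[0-9A-Fa-f-]{36}\})\\stubpath)'
    r' = "(?P<stub>[^"]+)" (?P<writer>\S+)$'
)


def parse_stubpath_ioc(line):
    """Return {key_guid, stub, writer, wow64} for a stubpath IoC, else None."""
    m = STUBPATH_RE.match(line)
    if not m:
        return None
    return {
        "key_guid": m["guid"],
        # the report prints the REG_SZ value with escaped backslashes
        "stub": m["stub"].replace("\\\\", "\\"),
        "writer": m["writer"],
        "wow64": "\\Wow6432Node\\" in m["key"],
    }


def build_chain(iocs, root):
    """Follow writer -> stubpath starting at `root` until a stage persists nothing.
    Returns the ordered list of persisted image paths."""
    by_writer = {}
    for ioc in iocs:
        if ioc["writer"] in by_writer:
            raise ValueError(f"{ioc['writer']} persists more than one component")
        by_writer[ioc["writer"]] = ioc
    chain, cur, seen = [], root, {root}
    while cur in by_writer:
        stub = by_writer[cur]["stub"]
        chain.append(stub)
        cur = stub.rsplit("\\", 1)[-1]          # the next stage is the file just persisted
        if cur in seen:                          # guard against a loop in malformed data
            break
        seen.add(cur)
    return chain


def check_consistency(iocs):
    """Flag stubpaths whose file name does not carry the key's GUID, that point
    outside C:\\Windows, or that were written to the native (non-Wow6432Node) view."""
    problems = []
    for ioc in iocs:
        name = ioc["stub"].rsplit("\\", 1)[-1]
        if not name.lower().startswith(ioc["key_guid"].lower()):
            problems.append(f"{ioc['key_guid']}: stubpath names {name}")
        if not ioc["stub"].lower().startswith("c:\\windows\\"):
            problems.append(f"{ioc['key_guid']}: stubpath outside C:\\Windows")
        if not ioc["wow64"]:
            problems.append(f"{ioc['key_guid']}: written to the 64-bit registry view")
    return problems


IOCS = [ioc for ioc in map(parse_stubpath_ioc, SET_VALUE_IOCS) if ioc]
CHAIN = build_chain(IOCS, SAMPLE)

if __name__ == "__main__":
    for n, stub in enumerate(CHAIN, 1):
        print(f"stage {n:2d}: {stub}")
    print("problems:", check_consistency(IOCS) or "none")
```

Run stand-alone it prints the 11 stages in execution order, starting at C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe and ending at C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe, which matches the process tree; the last stage writes no key, so the chain stops there. Feeding the same parser the registry IoCs of a different run is a quick way to tell whether a new sample is the same dropper with fresh GUIDs.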
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe (PID 2184)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe (PID 2908)
     command line: C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe
     - Modifies Installed Components in the registry
     - Executes dropped EXE
     - Drops file in Windows directory
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe (PID 2748)
       command line: C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
       - Modifies Installed Components in the registry
       - Executes dropped EXE
       - Drops file in Windows directory
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe (PID 2444)
         command line: C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe (PID 2364)
           command line: C:\Windows\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
           - Modifies Installed Components in the registry
           - Executes dropped EXE
           - Drops file in Windows directory
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe (PID 564)
             command line: C:\Windows\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
             - Modifies Installed Components in the registry
             - Executes dropped EXE
             - Drops file in Windows directory
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe (PID 2724)
               command line: C:\Windows\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe (PID 916)
                 command line: C:\Windows\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
                 - Modifies Installed Components in the registry
                 - Executes dropped EXE
                 - Drops file in Windows directory
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe (PID 1540)
                   command line: C:\Windows\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
                   - Modifies Installed Components in the registry
                   - Executes dropped EXE
                   - Drops file in Windows directory
                   - Suspicious use of AdjustPrivilegeToken
                  10. C:\Windows\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe (PID 1460)
                      command line: C:\Windows\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    11. C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe (PID 2776)
                        command line: C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      12. C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe (PID 2076)
                          command line: C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe
                          - Executes dropped EXE
                      12. C:\Windows\SysWOW64\cmd.exe (PID 1952)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E3CA6~1.EXE > nul
                    11. C:\Windows\SysWOW64\cmd.exe (PID 1988)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B1708~1.EXE > nul
                  10. C:\Windows\SysWOW64\cmd.exe (PID 820)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8D051~1.EXE > nul
                9. C:\Windows\SysWOW64\cmd.exe (PID 2352)
                   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C6F~1.EXE > nul
              8. C:\Windows\SysWOW64\cmd.exe (PID 2204)
                 command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0661~1.EXE > nul
            7. C:\Windows\SysWOW64\cmd.exe (PID 1408)
               command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7702B~1.EXE > nul
          6. C:\Windows\SysWOW64\cmd.exe (PID 2596)
             command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{754F4~1.EXE > nul
        5. C:\Windows\SysWOW64\cmd.exe (PID 556)
           command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0EBBC~1.EXE > nul
      4. C:\Windows\SysWOW64\cmd.exe (PID 2820)
         command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1F1D5~1.EXE > nul
    3. C:\Windows\SysWOW64\cmd.exe (PID 2624)
       command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{45545~1.EXE > nul
  2. C:\Windows\SysWOW64\cmd.exe (PID 1072)
     command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
     - Deletes itself
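Every stage in the tree above spawns a 32-bit cmd.exe that deletes the stage's own image through its 8.3 short name ("{E3CA6~1.EXE" for {E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe, "2024-0~1.EXE" for the submitted sample), which is why a naive rule matching the long file name in a "del" command line misses all eleven deletions. The Python below is an added example, not part of the sandbox report. The process records are constructed from a subset of this page's tree plus one benign control; the short-name derivation is an approximation and an assumption on the editor's part (Windows may allocate ~2, ~3 or a hash-style alias on collision, and directory components could be aliased as well), so the matcher accepts any ~N suffix and compares directories literally.

```python
"""Flag cmd.exe children whose "del" target is the parent's own image,
matching the target either exactly or through its 8.3 alias.  Added example;
the process records are constructed from this page's tree, the 8.3 rule is
an approximation (see refers_to for its limits)."""
import re

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = SAMPLE_DIR + r"\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# (pid, ppid, image, command line); a subset of the report's tree, constructed.
PROCS = [
    (2184, None, SAMPLE, '"' + SAMPLE + '"'),
    (2908, 2184, r"C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe", ""),
    (1072, 2184, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2748, 2908, r"C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe", ""),
    (2624, 2908, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{45545~1.EXE > nul"),
    (2776, 1460, r"C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe", ""),
    (2076, 2776, r"C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe", ""),
    (1952, 2776, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E3CA6~1.EXE > nul"),
    # constructed negative control: a cmd.exe deleting something other than its parent
    (9999, 2184, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\scratch.tmp > nul"),
]

# Characters permitted in an 8.3 name; anything else becomes "_" in the alias.
SHORT_ILLEGAL = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")
# STEM~N[.EXT] as it appears on a command line.
SHORT_RE = re.compile(r"^(?P<stem>.{1,6})~\d+(?:\.(?P<ext>[^.]{0,3}))?$")
DEL_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+del\s+(?P<target>"[^"]+"|\S+)', re.I)


def short_stem_prefix(long_name):
    """Approximate the 6-character stem and 3-character extension Windows
    derives for a long name: drop spaces and dots, replace illegal characters,
    upper-case, truncate."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = SHORT_ILLEGAL.sub("_", stem.replace(" ", "").replace(".", "").upper())
    return stem[:6], SHORT_ILLEGAL.sub("_", ext.upper())[:3]


def refers_to(path, long_path):
    """True if `path` (as typed on a command line) names `long_path`, either
    verbatim or via an 8.3 alias with any ~N suffix.  Hash-style aliases
    (generated after repeated collisions) are not modelled."""
    if path.lower() == long_path.lower():
        return True
    d1, _, n1 = path.rpartition("\\")
    d2, _, n2 = long_path.rpartition("\\")
    if d1.lower() != d2.lower():
        return False
    m = SHORT_RE.match(n1.upper())
    if not m:
        return False
    stem6, ext3 = short_stem_prefix(n2)
    return m["stem"] == stem6 and (m["ext"] or "") == ext3


def find_self_deletes(procs):
    """Return (cmd_pid, parent_pid, parent_image) for every cmd.exe whose
    'del' target is its parent's own executable."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(cmdline)
        parent = by_pid.get(ppid)
        if not m or parent is None:
            continue
        if refers_to(m["target"].strip('"'), parent[2]):
            hits.append((pid, ppid, parent[2]))
    return hits


if __name__ == "__main__":
    for cmd_pid, ppid, image in find_self_deletes(PROCS):
        print(f"cmd.exe {cmd_pid} deletes parent {ppid}: {image}")
```

Against the constructed records this flags PIDs 1072, 2624 and 1952 and ignores the control, so the same three parent images the report lists as deleted are recovered from command lines that never contain their long names. On a live host the parent image path comes from the process-creation event (Sysmon event 1 or 4688 with command-line auditing), and the "> nul" redirection is a useful secondary string because it is what hides the deletion's output.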
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 408KB
MD5: 0cb7faf44fd1e224eecfa72981397be6
SHA1: c60124666fe6dc7ab51b926b72fc5adc2d3c9b50
SHA256: 28857e1c689c77b07bb49ab0365fe4b6916c31d9db047405c93b87c7f3a8a409
SHA512: db6e85571ba9564f2454ef7b2dc6236ff35e5cef45851fe9b489f53ba72090a3d49966bed8737fec747ecbea26dda98d06e3d721fa35f92b59335dc1dcafce48

Filesize: 408KB
MD5: 05f98110f48164aeeff06f3477efc596
SHA1: 77c32c85d6fa432dd46cdc4e0373d4cc52a5112f
SHA256: 4e2b108fe4815dd357d50e04803fdacaf1724739fd3d0139ab4b89484694b9b0
SHA512: 172f8bb8e0ff250f0cd05a117559ee767f277034126ecc54de6d6b3365e19782136bdbd09785ff2d7cddbffbb0cde29a759852c9677a950e5c142946820d049c

Filesize: 408KB
MD5: d7ccccc35a9d71e61b8399f11bcd901e
SHA1: a7ae1225c316ae772fed6e92aaff5e795295c22d
SHA256: 9c3010aef39f5e8e5176c7bdf383d2ac0461f9a70287c72d3dd6aad5f2d89333
SHA512: 08468f65e8262e9becd29f35b62995fbca36f80790919acf933c201d341e0ee07fbcf12b041eb3d397ee3b01185c5dc48633c70cea03cb54ba944db5ec15dccc

Filesize: 408KB
MD5: d3be2b51f2ab92d124926aad488c168c
SHA1: 89c8f66de553e7631a0315d41b7327b955154b2b
SHA256: 002a30cc81b0a763da791a114e3dd3f893c825c2aed2e98188b7900c7b9c902a
SHA512: b0586ad1e3876d93cfd8b3ffe522794d63bf619bbc1c8afa9d6af3daf4a5af0631057d53162b6e35e2fc4cb19aa29b6b6a9b2ea3aa0586ef8801338b674aa50e

Filesize: 408KB
MD5: 907f40b6a894bd0106532fa6c96bbbe0
SHA1: 6f59c01e62c5516fd0a0640f4b3cbf19ee020c91
SHA256: 54bf8e767fe59a50fbd41abc35dbc2afb6f39e9ccaaaaa0697e005aa935dd6e6
SHA512: 7488bfa26c4dc073f4cc594b65efab747555f186355950e041bd0fbfd5c3001206cc6f462df647067aa528847ea2d87db79cbd3e96234bb319533bf61da8eab0

Filesize: 408KB
MD5: be08561e998ca9fe6f9a4cf777c905e9
SHA1: 7ba05a9d361bc986f4bd4198aec008a9ea3ee333
SHA256: 7d5738259ed07aa77514d029b4b82050446c39dff5528df738d81a9c238ccc43
SHA512: 8554393f5ed41db56335a90c64b26e8c6836423826224e4bb64369c7dcadd14e445657027304a49fc15621994b274dcfab3929dbc0a7811b3468b2532e0cab61

Filesize: 408KB
MD5: 7fbf8053c02d832980fc65f9ccf5e6d7
SHA1: da223729b4e777b10ca5141e7f887f5580bd5d48
SHA256: 658677cb75b3e90b658e056d9becd7d47f2c2faca7914c38935592731b11235b
SHA512: 309467f994d3360ad3bce3c5d0b9ac84b3a108bfb09ee2d3c9f1f7f17744f89a40b3100ea67e4b91291e0317378d344b4c4502fe28a54092d98e8b4fb86310f2

Filesize: 408KB
MD5: c2498f5f2a9e7734fdf0e74c7ef25079
SHA1: 4b45c5e97ee9630241eb465d06392c01d8a2a156
SHA256: 0738f91bf24b56dd57246b755fb52b7e71f06e4017737dd3d0e20ebf71029428
SHA512: e187a3d9acd3e65ba275265f558b6ddf9180c7a6858322affc7b166c42af0bc8c1986cdb92ead6be2a3a570075b5e45af2d09febc9ce045d5df7d060feabee8c

Filesize: 408KB
MD5: 255d063443e28979bbf79e15df2cd98f
SHA1: f8fd35f0c65d910820868996cd228fe7d058a1ab
SHA256: 4c1925f4bb9f7d226d745c84b7de464a2c25add9fe23366443ae6f40234f67e4
SHA512: 066b290dd3ca1ae8cb3e7d40094051321aa1d6decf43b174e9c792c0032169d31fddf844841de3e4214d0f56166987adf7e711bb7e41895e4fa827d34bc63609

Filesize: 408KB
MD5: eac2eff686ba1c7a41db696aa6de0376
SHA1: 2a3027690e2cb1b18222785e4a64070f69789ae8
SHA256: 21267c7a674f891aa5815051e6278b5999a3ee3b163b6bfd66855446105e17cd
SHA512: f7ea42a90ddd0f343d161209ac1e5be9d7dbc1c0bf98a4393d2c326d16ca2cc2b51bbc3f76c31c8e0e4d82f050f83620f911b38b4bb1ae87cb129f3653974ea0

Filesize: 408KB
MD5: 72d2073bf625dbcbfa5d11aedbcf3c5f
SHA1: 9d4744b2adb1fad1601b496625fc689a9cde356b
SHA256: 0bb310248486906a90d1d51815d3dbb9dae7458c59ea4532c03b6d71e7b48ea2
SHA512: 9de8ae962a11412f38f66e7449b734208cab0132aa1c71f44c9305a78cc1c9ce3513cbbeb00dbcab798bc9c6330549a1852b29a977cb8e0a1bbd307ea9e67192