Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 23:27
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
- Size: 408KB
- MD5: 60519da15958b25e42df8453c8d8608d
- SHA1: bd54a40bdff07aef1ce2c870492368b064982458
- SHA256: 620766325486b4b603153ed34ab08978e3da9627f47f0b56623d4ef551b23671
- SHA512: badebc03c40bb371ec5748115c4dfd8ebbaa639034d524fbc1a631e3bd756ebfb380873957281c6443d97ddefed8bf77a935ce07dee37f35d578b96c95359c06
- SSDEEP: 3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000c000000012320-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000144e0-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012320-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001480e-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012320-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012320-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012320-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6} | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FE45463-3B10-498a-85C2-E94266581A59} | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6} | {0FE45463-3B10-498a-85C2-E94266581A59}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}\stubpath = "C:\\Windows\\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe" | {0FE45463-3B10-498a-85C2-E94266581A59}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2} | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C3799C4-2489-4948-A95C-CF8AFB117F51} | {4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407A3AE2-0B21-43b7-9A61-B748D5619F08}\stubpath = "C:\\Windows\\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe" | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161} | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8249BCF6-A546-4459-A6A5-CF77F0495C2B} | {7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16} | {8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}\stubpath = "C:\\Windows\\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe" | {8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}\stubpath = "C:\\Windows\\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe" | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407A3AE2-0B21-43b7-9A61-B748D5619F08} | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5} | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}\stubpath = "C:\\Windows\\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe" | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}\stubpath = "C:\\Windows\\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe" | {7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FE45463-3B10-498a-85C2-E94266581A59}\stubpath = "C:\\Windows\\{0FE45463-3B10-498a-85C2-E94266581A59}.exe" | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}\stubpath = "C:\\Windows\\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe" | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}\stubpath = "C:\\Windows\\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe" | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA3AC43-A49C-490d-8B96-E30880475306} | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA3AC43-A49C-490d-8B96-E30880475306}\stubpath = "C:\\Windows\\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe" | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C3799C4-2489-4948-A95C-CF8AFB117F51}\stubpath = "C:\\Windows\\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe" | {4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
Deletes itself 1 IoCs
pid | Process
2176 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe
1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe
1968 | {4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
2192 | {7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
1724 | {8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
308 | {9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
File created | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
File created | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | {0FE45463-3B10-498a-85C2-E94266581A59}.exe
File created | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
File created | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe
File created | C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe | {7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
File created | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
File created | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
File created | C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe | {4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
File created | C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe | {8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
File created | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
Token: SeIncBasePriorityPrivilege | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
Token: SeIncBasePriorityPrivilege | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe
Token: SeIncBasePriorityPrivilege | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
Token: SeIncBasePriorityPrivilege | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
Token: SeIncBasePriorityPrivilege | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
Token: SeIncBasePriorityPrivilege | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe
Token: SeIncBasePriorityPrivilege | 1968 | {4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
Token: SeIncBasePriorityPrivilege | 2192 | {7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
Token: SeIncBasePriorityPrivilege | 1724 | {8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1996 wrote to memory of 1204 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 28
PID 1996 wrote to memory of 1204 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 28
PID 1996 wrote to memory of 1204 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 28
PID 1996 wrote to memory of 1204 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 28
PID 1996 wrote to memory of 2176 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 29
PID 1996 wrote to memory of 2176 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 29
PID 1996 wrote to memory of 2176 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 29
PID 1996 wrote to memory of 2176 | 1996 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 29
PID 1204 wrote to memory of 2576 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 30
PID 1204 wrote to memory of 2576 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 30
PID 1204 wrote to memory of 2576 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 30
PID 1204 wrote to memory of 2576 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 30
PID 1204 wrote to memory of 2748 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 31
PID 1204 wrote to memory of 2748 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 31
PID 1204 wrote to memory of 2748 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 31
PID 1204 wrote to memory of 2748 | 1204 | {45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | 31
PID 2576 wrote to memory of 2808 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 32
PID 2576 wrote to memory of 2808 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 32
PID 2576 wrote to memory of 2808 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 32
PID 2576 wrote to memory of 2808 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 32
PID 2576 wrote to memory of 2616 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 33
PID 2576 wrote to memory of 2616 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 33
PID 2576 wrote to memory of 2616 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 33
PID 2576 wrote to memory of 2616 | 2576 | {407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | 33
PID 2808 wrote to memory of 1732 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 36
PID 2808 wrote to memory of 1732 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 36
PID 2808 wrote to memory of 1732 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 36
PID 2808 wrote to memory of 1732 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 36
PID 2808 wrote to memory of 2836 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 37
PID 2808 wrote to memory of 2836 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 37
PID 2808 wrote to memory of 2836 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 37
PID 2808 wrote to memory of 2836 | 2808 | {0FE45463-3B10-498a-85C2-E94266581A59}.exe | 37
PID 1732 wrote to memory of 2992 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 38
PID 1732 wrote to memory of 2992 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 38
PID 1732 wrote to memory of 2992 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 38
PID 1732 wrote to memory of 2992 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 38
PID 1732 wrote to memory of 2996 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 39
PID 1732 wrote to memory of 2996 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 39
PID 1732 wrote to memory of 2996 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 39
PID 1732 wrote to memory of 2996 | 1732 | {75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | 39
PID 2992 wrote to memory of 868 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 40
PID 2992 wrote to memory of 868 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 40
PID 2992 wrote to memory of 868 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 40
PID 2992 wrote to memory of 868 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 40
PID 2992 wrote to memory of 2664 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 41
PID 2992 wrote to memory of 2664 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 41
PID 2992 wrote to memory of 2664 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 41
PID 2992 wrote to memory of 2664 | 2992 | {EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | 41
PID 868 wrote to memory of 768 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 42
PID 868 wrote to memory of 768 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 42
PID 868 wrote to memory of 768 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 42
PID 868 wrote to memory of 768 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 42
PID 868 wrote to memory of 2680 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 43
PID 868 wrote to memory of 2680 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 43
PID 868 wrote to memory of 2680 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 43
PID 868 wrote to memory of 2680 | 868 | {EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | 43
PID 768 wrote to memory of 1968 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 44
PID 768 wrote to memory of 1968 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 44
PID 768 wrote to memory of 1968 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 44
PID 768 wrote to memory of 1968 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 44
PID 768 wrote to memory of 348 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 45
PID 768 wrote to memory of 348 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 45
PID 768 wrote to memory of 348 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 45
PID 768 wrote to memory of 348 | 768 | {BAA3AC43-A49C-490d-8B96-E30880475306}.exe | 45
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1996
level 2: C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
  command line: C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1204
level 3: C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
  command line: C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2576
level 4: C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
  command line: C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2808
level 5: C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
  command line: C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1732
level 6: C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
  command line: C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2992
level 7: C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
  command line: C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 868
level 8: C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
  command line: C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 768
level 9: C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
  command line: C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1968
level 10: C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
  command line: C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2192
level 11: C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
  command line: C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724
level 12: C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe
  command line: C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe
  - Executes dropped EXE
  PID: 308
level 12: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8249B~1.EXE > nul
  PID: 1500
level 11: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7C379~1.EXE > nul
  PID: 2172
level 10: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4D189~1.EXE > nul
  PID: 2132
level 9: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA3A~1.EXE > nul
  PID: 348
level 8: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EA1E6~1.EXE > nul
  PID: 2680
level 7: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCF6~1.EXE > nul
  PID: 2664
level 6: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{75BB0~1.EXE > nul
  PID: 2996
level 5: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE45~1.EXE > nul
  PID: 2836
level 4: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{407A3~1.EXE > nul
  PID: 2616
level 3: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{45B6E~1.EXE > nul
  PID: 2748
level 2: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
  PID: 2176
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 408KB
  MD5: 14e74bd59edcd4a68e26d47740a12da9
  SHA1: 35c89dfbf00ae2781881b86d9beb0efcce5da2cb
  SHA256: 02e6bd1ecd2f52fd12f9bd9afde63a8c451e0d40910a101a8920449dc837dbbe
  SHA512: 8c69c1be6d24ea85e3c29944e11570c7d778e75a465b9d6b1ea0c66ce78380117f96105e4c8c3ee327309938a1701122ccad4145cb3f28bd7bbb8c645a0c3996
- Filesize: 408KB
  MD5: 847feb87c39ac1c593f8ebb5394d64f2
  SHA1: 190e028778d53a4a7dc5e568368a48ebe2491f3d
  SHA256: cc582374bb32c622b1d4d72cfd3f17a1d55294cb1515092ea24fb3e35983bfce
  SHA512: c83d7658ea3eb071148343724d2828f830f33b3ebad735a35ae267dec8dc958ab2997835c1fc95dc1793e2da9f4b20e3311c9217e28efb5655aa8f1a1f6839d3
- Filesize: 408KB
  MD5: 91e20bd9cef3885fbc44677ce9be2dcf
  SHA1: 84025b167d64805331963b5bd5a8e18519cf075a
  SHA256: f0ed22c86aa12039a142ddd022bec4979476e5b7883315e5cca6566a6918b138
  SHA512: ea1e852a7bbbaeef560e85648b8093d1e358fcf3995eb6c9146f0ba18f8e57c5770d109699273f553a42c6db0e9f64306856e414261a6d76de850cc83be4ba4a
- Filesize: 408KB
  MD5: 37e61ec242d9c0c8dc80d4590f11a792
  SHA1: 1c405746c041bcc95e585b74e4bab8eda19cf459
  SHA256: f3ace24592a0b3cbe3ca0441354b4ee0556243759b956077518249bace59ca6a
  SHA512: 426c3207ffa179b2f0725fb3415b48b5c8f3981980ca15689db761d3acf957f0da4d0653d124ee2e20d204675eae0a711402a940c24b884107113b56e5ab65a4
- Filesize: 408KB
  MD5: 8f7fc3441b85910da7ce2bb0176475f4
  SHA1: 35ecad29debfcf35855dd724e21df2a80bf8a24c
  SHA256: 1e24a12d41345d812c440e7d4febec8c4f4cdf6279654e4bf6370287caefe08f
  SHA512: ddc88c551d80dc68ccf87396d20500e944b5338c3bf6fade8e74a1b9894e48a88a35bee142ebf608272bde88140c013402bf21287cc37cc3c0b9f61aeb4aca69
- Filesize: 408KB
  MD5: bf394358745e130a73277c8627275149
  SHA1: e8268281fe29e50cc9635c54534d4738ab04f483
  SHA256: 634d555153b95ae032eecf74fc26c1b827d2a769a1d2b2b4460c24bb5536f84e
  SHA512: 65cb06dc34e85325fc2fa8561ce7604d5975ed574db18d1adec70795155c50f809b3238f8e3fd3d6b1ffeb3bc680b956ba47bca2fe6cbb65a2ffff2dd425e3d9
- Filesize: 408KB
  MD5: d106ea958f98b9ab2f15bb0dcf23c19d
  SHA1: 44982e47143f396e3036c591d90ff7fe77868a65
  SHA256: 903fccdef9188d0e47801f5b23f3bcd8ee8d004693941f85cf2bb8e9be88fa2e
  SHA512: 4856a3a4ae3bd51e63f879225532c9a14c2c62ecff22e54467246c5cffe455d5016997e29ee19f037879c4adc8f3e504a72da452ef83bbf2041f5a2875fe815e
- Filesize: 408KB
  MD5: fe3a358292020d362b7f8420ff8286a4
  SHA1: cc181405503b56bd931c7d947e5804c84117853c
  SHA256: e7319833a24d0ad618b134e0830b7f186c2a348b6a4f388b64c6ff2fa3508157
  SHA512: a53f4138387782c9bff2004e4843cfdfc8ef692ac2b96b8abab9b14e8d9fe290bbd8a118282c835193a11043e9cd5ae984905229ccf96a464f888cc7ccdf87b8
- Filesize: 408KB
  MD5: 4a34e622d36db1196c79887b301f8441
  SHA1: 8392bc74952f7e4fc2199dea72c2b294c28399dc
  SHA256: f60c45726cc136900c041c333a216f78c38db1d572d80709a74e3cbb7b62d918
  SHA512: 86f2b9b2554ff1f2fc5e35d28d215db3238061b86a6501ecb265ae241bb264afed5cde1cca8b6f93dee820432df3e23bb27088101ceb085d76afad2fff06ab70
- Filesize: 408KB
  MD5: a9c9bac13fb70541f39017f8f8d199d7
  SHA1: e7f091d84c6759890c2c5b8d1252636a1599410d
  SHA256: ac8bd60150c4d5d4a8270454c7e324326dc594ba2583723c69a45ffd336d259c
  SHA512: 9c265c068a6858d82d66a9425a85dc3c38f5333b6cb11c8c4e884462f3ef7e110d762e14b6f6deddd09adbfb9514237b7e78e3bc62eec12e4363207a44da90ae
- Filesize: 408KB
  MD5: 4e7143ad2ab66f105d2b43a95ab5cf4a
  SHA1: 0f45aeb483c444ebd0b8de91542ef0497f9c2d96
  SHA256: 8f7d1c2fb4bc6ef09f9533dc8d9827a47622861ab091ef60d3dd3b1f663708fe
  SHA512: 73f247689308558e90b2d6d0a5cdd1cf7e994e29c8f3ff0ba61473734a6f0b65984e904f38ccb128bf45b0a76cfe20ceadc6ce62b03d2fa6e43edc461e842875