Analysis
Max time kernel: 144s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 02/03/2024, 23:28

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Size: 168KB
MD5: 6f7eefc4dcc19cf96d504a8d70f186ec
SHA1: 7f401dcbab81163ca78f4126cde960da282c3e34
SHA256: 2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb
SHA512: 271dee908d308300a63dd805bc6a74868552df15d176d9526ab20a4db67c07534c035b97bb168f0a4cbc8de8085cfbf2c582999f17a4ac4c20c484d0ee8a256c
SSDEEP: 1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012251-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015653-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015cae-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E} | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F729A74C-CE76-42bf-8133-64095F4D1408}\stubpath = "C:\\Windows\\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe" | {3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA} | {F729A74C-CE76-42bf-8133-64095F4D1408}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}\stubpath = "C:\\Windows\\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe" | {47FFF679-D305-4e81-921B-46B1BF473518}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72B34DD3-3981-4fde-BF93-04F022FB8A36}\stubpath = "C:\\Windows\\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe" | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}\stubpath = "C:\\Windows\\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe" | {F729A74C-CE76-42bf-8133-64095F4D1408}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{096C2CE5-078E-4ab5-8108-63C14835295F} | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F729A74C-CE76-42bf-8133-64095F4D1408} | {3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2307504F-A577-4294-991D-2D5167107C7D} | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2307504F-A577-4294-991D-2D5167107C7D}\stubpath = "C:\\Windows\\{2307504F-A577-4294-991D-2D5167107C7D}.exe" | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72B34DD3-3981-4fde-BF93-04F022FB8A36} | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}\stubpath = "C:\\Windows\\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe" | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D515D68B-A213-4574-8B90-6E8AC15AFA1F} | {76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}\stubpath = "C:\\Windows\\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe" | {76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47FFF679-D305-4e81-921B-46B1BF473518}\stubpath = "C:\\Windows\\{47FFF679-D305-4e81-921B-46B1BF473518}.exe" | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6} | {47FFF679-D305-4e81-921B-46B1BF473518}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27768E8-A198-413d-9656-A6E89BDEFA6C} | {2307504F-A577-4294-991D-2D5167107C7D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27768E8-A198-413d-9656-A6E89BDEFA6C}\stubpath = "C:\\Windows\\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe" | {2307504F-A577-4294-991D-2D5167107C7D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E7AEEF-E853-4415-9076-31F6E421E2E3} | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}\stubpath = "C:\\Windows\\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe" | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{096C2CE5-078E-4ab5-8108-63C14835295F}\stubpath = "C:\\Windows\\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe" | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47FFF679-D305-4e81-921B-46B1BF473518} | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe
Deletes itself (1 IoC)
pid | Process
2148 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe
2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe
2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe
2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
1556 | {3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
2140 | {F729A74C-CE76-42bf-8133-64095F4D1408}.exe
2840 | {76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
1496 | {D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | {2307504F-A577-4294-991D-2D5167107C7D}.exe
File created | C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
File created | C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe | {F729A74C-CE76-42bf-8133-64095F4D1408}.exe
File created | C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe | {76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
File created | C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
File created | C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe
File created | C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | {47FFF679-D305-4e81-921B-46B1BF473518}.exe
File created | C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe | {3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
File created | C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
File created | C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
File created | C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe
Token: SeIncBasePriorityPrivilege | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe
Token: SeIncBasePriorityPrivilege | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
Token: SeIncBasePriorityPrivilege | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe
Token: SeIncBasePriorityPrivilege | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
Token: SeIncBasePriorityPrivilege | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
Token: SeIncBasePriorityPrivilege | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
Token: SeIncBasePriorityPrivilege | 1556 | {3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
Token: SeIncBasePriorityPrivilege | 2140 | {F729A74C-CE76-42bf-8133-64095F4D1408}.exe
Token: SeIncBasePriorityPrivilege | 2840 | {76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2876 wrote to memory of 2000 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 28
PID 2876 wrote to memory of 2000 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 28
PID 2876 wrote to memory of 2000 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 28
PID 2876 wrote to memory of 2000 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 28
PID 2876 wrote to memory of 2148 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 29
PID 2876 wrote to memory of 2148 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 29
PID 2876 wrote to memory of 2148 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 29
PID 2876 wrote to memory of 2148 | 2876 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 29
PID 2000 wrote to memory of 2640 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 30
PID 2000 wrote to memory of 2640 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 30
PID 2000 wrote to memory of 2640 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 30
PID 2000 wrote to memory of 2640 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 30
PID 2000 wrote to memory of 2576 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 31
PID 2000 wrote to memory of 2576 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 31
PID 2000 wrote to memory of 2576 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 31
PID 2000 wrote to memory of 2576 | 2000 | {096C2CE5-078E-4ab5-8108-63C14835295F}.exe | 31
PID 2640 wrote to memory of 2168 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 32
PID 2640 wrote to memory of 2168 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 32
PID 2640 wrote to memory of 2168 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 32
PID 2640 wrote to memory of 2168 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 32
PID 2640 wrote to memory of 2932 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 33
PID 2640 wrote to memory of 2932 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 33
PID 2640 wrote to memory of 2932 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 33
PID 2640 wrote to memory of 2932 | 2640 | {47FFF679-D305-4e81-921B-46B1BF473518}.exe | 33
PID 2168 wrote to memory of 2020 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 36
PID 2168 wrote to memory of 2020 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 36
PID 2168 wrote to memory of 2020 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 36
PID 2168 wrote to memory of 2020 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 36
PID 2168 wrote to memory of 1028 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 37
PID 2168 wrote to memory of 1028 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 37
PID 2168 wrote to memory of 1028 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 37
PID 2168 wrote to memory of 1028 | 2168 | {2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe | 37
PID 2020 wrote to memory of 2732 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 38
PID 2020 wrote to memory of 2732 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 38
PID 2020 wrote to memory of 2732 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 38
PID 2020 wrote to memory of 2732 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 38
PID 2020 wrote to memory of 2792 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 39
PID 2020 wrote to memory of 2792 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 39
PID 2020 wrote to memory of 2792 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 39
PID 2020 wrote to memory of 2792 | 2020 | {2307504F-A577-4294-991D-2D5167107C7D}.exe | 39
PID 2732 wrote to memory of 2248 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 40
PID 2732 wrote to memory of 2248 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 40
PID 2732 wrote to memory of 2248 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 40
PID 2732 wrote to memory of 2248 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 40
PID 2732 wrote to memory of 1656 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 41
PID 2732 wrote to memory of 1656 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 41
PID 2732 wrote to memory of 1656 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 41
PID 2732 wrote to memory of 1656 | 2732 | {C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe | 41
PID 2248 wrote to memory of 1732 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 42
PID 2248 wrote to memory of 1732 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 42
PID 2248 wrote to memory of 1732 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 42
PID 2248 wrote to memory of 1732 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 42
PID 2248 wrote to memory of 2260 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 43
PID 2248 wrote to memory of 2260 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 43
PID 2248 wrote to memory of 2260 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 43
PID 2248 wrote to memory of 2260 | 2248 | {C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe | 43
PID 1732 wrote to memory of 1556 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 44
PID 1732 wrote to memory of 1556 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 44
PID 1732 wrote to memory of 1556 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 44
PID 1732 wrote to memory of 1556 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 44
PID 1732 wrote to memory of 2296 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 45
PID 1732 wrote to memory of 2296 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 45
PID 1732 wrote to memory of 2296 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 45
PID 1732 wrote to memory of 2296 | 1732 | {72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe | 45
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"
  PID: 2876
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
    Command line: C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
    PID: 2000
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
      Command line: C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
      PID: 2640
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
        Command line: C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
        PID: 2168
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
          Command line: C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
          PID: 2020
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
            Command line: C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
            PID: 2732
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
              Command line: C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
              PID: 2248
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
                Command line: C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
                PID: 1732
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
                  Command line: C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
                  PID: 1556
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe
                    Command line: C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe
                    PID: 2140
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
                      Command line: C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
                      PID: 2840
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe
                        Command line: C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe
                        PID: 1496
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{76E4D~1.EXE > nul
                        PID: 1388
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F729A~1.EXE > nul
                      PID: 1156
                  C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3BAB2~1.EXE > nul
                    PID: 2412
                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{72B34~1.EXE > nul
                  PID: 2296
              C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E7A~1.EXE > nul
                PID: 2260
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C2776~1.EXE > nul
              PID: 1656
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{23075~1.EXE > nul
            PID: 2792
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC5C~1.EXE > nul
          PID: 1028
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{47FFF~1.EXE > nul
        PID: 2932
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{096C2~1.EXE > nul
      PID: 2576
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2148
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads