Analysis

max time kernel:  144s
max time network: 123s
platform:         windows7_x64
resource:         win7-20240215-en
resource tags:    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted:        02/03/2024, 16:31
Static task: static1

Behavioral task: behavioral1
  Sample:   2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample:   2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Size:   408KB
MD5:    164de08d5920bce67bd0075809e6beb7
SHA1:   c840578699cf5038dc4093f890e17c19c8bad8a8
SHA256: a201e4705b075bf42639fe006c80d8c6a1c97092cce9d540478a68a6605dc605
SHA512: 271a1af102f7877dfab8b99ce1295c4125b8743c092d7710b2b2b181a9023a286639b9a919998d4c5d2d0ea662860159f1fb7fb36ed8dfe3bc64a19f215b2c4b
SSDEEP: 3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGdldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config

Signatures

Auto-generated rule (11 IoCs)

resource                                     yara_rule
behavioral1/files/0x000a000000012252-4.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122bf-12.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-19.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014b10-26.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-40.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012252-54.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012252-68.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

All keys below are relative to \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\. The Wow6432Node view means every stage is a 32-bit process on this x64 image, which is also why the cmd.exe children in the process tree run from C:\Windows\SysWOW64. Each stage creates a key named after the GUID of the executable it drops and sets that key's stubpath to the dropped file.

description     | ioc                                                                                                                    | process
Set value (str) | {F22EFBAC-3677-47a0-BB2D-2B557CE10031}\stubpath = "C:\\Windows\\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe" | {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
Set value (str) | {F39A3723-EFCF-43d2-BE6C-63C8AB327401}\stubpath = "C:\\Windows\\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe" | {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
Key created     | {0D6AA90D-493B-4314-8541-88CD700166E2}                                                                                 | {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
Set value (str) | {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}\stubpath = "C:\\Windows\\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe" | {0D6AA90D-493B-4314-8541-88CD700166E2}.exe
Key created     | {C8F71E79-0AA5-472f-BA94-B4E662969B5D}                                                                                 | {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
Key created     | {90692767-9AA5-44ba-ADF0-C1B781FA909B}                                                                                 | {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
Set value (str) | {0D6AA90D-493B-4314-8541-88CD700166E2}\stubpath = "C:\\Windows\\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe" | {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
Key created     | {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}                                                                                 | {0D6AA90D-493B-4314-8541-88CD700166E2}.exe
Key created     | {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}                                                                                 | {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
Set value (str) | {6E99404B-06D2-48bc-AB6C-09C642A09FD7}\stubpath = "C:\\Windows\\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe" | {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
Key created     | {1E906994-9BD7-4aa7-8A86-D14E1598567C}                                                                                 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Set value (str) | {1E906994-9BD7-4aa7-8A86-D14E1598567C}\stubpath = "C:\\Windows\\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe" | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Key created     | {F22EFBAC-3677-47a0-BB2D-2B557CE10031}                                                                                 | {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
Key created     | {F39A3723-EFCF-43d2-BE6C-63C8AB327401}                                                                                 | {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
Set value (str) | {C8F71E79-0AA5-472f-BA94-B4E662969B5D}\stubpath = "C:\\Windows\\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe" | {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
Set value (str) | {7A7BE827-BA83-4855-8117-6FA863AE8BA9}\stubpath = "C:\\Windows\\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe" | {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
Set value (str) | {90692767-9AA5-44ba-ADF0-C1B781FA909B}\stubpath = "C:\\Windows\\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe" | {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
Key created     | {7A7BE827-BA83-4855-8117-6FA863AE8BA9}                                                                                 | {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
Key created     | {C41FE860-1F41-4e02-982F-F300D9204BBE}                                                                                 | {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
Set value (str) | {C41FE860-1F41-4e02-982F-F300D9204BBE}\stubpath = "C:\\Windows\\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe" | {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
Set value (str) | {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}\stubpath = "C:\\Windows\\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe" | {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
Key created     | {6E99404B-06D2-48bc-AB6C-09C642A09FD7}                                                                                 | {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
Deletes itself (1 IoC)

pid   process
2056  cmd.exe
Executes dropped EXE (11 IoCs)

pid   process
2960  {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
2528  {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
1588  {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
1564  {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
2316  {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
1640  {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
2292  {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
1376  {0D6AA90D-493B-4314-8541-88CD700166E2}.exe
2508  {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
600   {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
1812  {6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe
Drops file in Windows directory (11 IoCs)

description  | ioc                                                      | process
File created | C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe | {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
File created | C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe | {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
File created | C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe | {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
File created | C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe | {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
File created | C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
File created | C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe | {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
File created | C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe | {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
File created | C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe | {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
File created | C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe | {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
File created | C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe | {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
File created | C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe | {0D6AA90D-493B-4314-8541-88CD700166E2}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description                          pid   process
Token: SeIncBasePriorityPrivilege    1644  2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Token: SeIncBasePriorityPrivilege    2960  {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
Token: SeIncBasePriorityPrivilege    2528  {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
Token: SeIncBasePriorityPrivilege    1588  {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
Token: SeIncBasePriorityPrivilege    1564  {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
Token: SeIncBasePriorityPrivilege    2316  {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
Token: SeIncBasePriorityPrivilege    1640  {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
Token: SeIncBasePriorityPrivilege    2292  {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
Token: SeIncBasePriorityPrivilege    1376  {0D6AA90D-493B-4314-8541-88CD700166E2}.exe
Token: SeIncBasePriorityPrivilege    2508  {CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
Token: SeIncBasePriorityPrivilege    600   {FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Every parent-to-child write appears four times in the raw signature output; the 64 entries collapse to the 16 distinct pairs below (16 x 4 = 64). Each stage writes to two children: the next stage it launches and the cmd.exe that deletes its own image.

pid   process                                                     target pid  procid_target
1644  2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe   2960        28
1644  2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe   2056        29
2960  {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe                  2528        30
2960  {1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe                  2604        31
2528  {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe                  1588        32
2528  {F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe                  2408        33
1588  {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe                  1564        36
1588  {F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe                  1536        37
1564  {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe                  2316        38
1564  {C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe                  2332        39
2316  {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe                  1640        40
2316  {7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe                  1628        41
1640  {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe                  2292        42
1640  {C41FE860-1F41-4e02-982F-F300D9204BBE}.exe                  1676        43
2292  {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe                  1376        44
2292  {90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe                  1708        45
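The signature tables above describe one repeating pattern per stage: drop the next GUID-named copy into C:\Windows, create an Active Setup Installed Components key carrying that same GUID with stubpath pointing at the dropped file (ATT&CK T1547.014; Active Setup runs the stubpath once per user at the next interactive logon), then spawn cmd.exe to delete the current stage by its 8.3 short name. The script below is an added example, not the sandbox's own code: it parses a constructed subset of this report's event lines (the first four stages, with the parent process appended to each cmd.exe line as a layout choice of ours), rebuilds the drop chain, verifies that each stage's stubpath hands off to the file it dropped, flags the "key GUID equals exe GUID under C:\Windows" persistence shape, and resolves the short-name deletions back to the stages they remove. One caveat the report's data makes obvious: the 11 files in Downloads are all 408KB like the submitted sample but carry 11 distinct hashes, so blocking the first-stage hash does nothing for later stages; the registry and file pattern is the durable indicator.

```python
"""Rebuild the drop / Active Setup / self-delete chain from sandbox signature lines.

Added example, not the sandbox's code. EVENTS is a constructed subset of this
report's "Drops file in Windows directory", "Modifies Installed Components" and
process-tree lines, one event per line; the parent process name is appended to
each cmd.exe line (our layout, not the report's).
"""
import re

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
ACTIVE_SETUP = (r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\"
                r"Active Setup\\Installed Components\\")

RE_FILE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")
RE_STUB = re.compile(r'^Set value \(str\) (?P<key>.+?)\\stubpath = "(?P<value>[^"]+)" (?P<proc>\S+)$')
RE_DEL = re.compile(r"^cmd\.exe /c del (?P<target>\S+) > nul (?P<proc>\S+)$")
RE_STUB_TARGET = re.compile(r"^C:\\Windows\\(" + GUID + r")\.exe$", re.I)

SAMPLE = "2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"
S1 = "{1E906994-9BD7-4aa7-8A86-D14E1598567C}"
S2 = "{F22EFBAC-3677-47a0-BB2D-2B557CE10031}"
S3 = "{F39A3723-EFCF-43d2-BE6C-63C8AB327401}"
KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"

# Constructed input: values copied from the report, one event per line.
# The 8.3 short name keeps the first six characters of the long name plus "~1".
EVENTS = "\n".join([
    f"File created C:\\Windows\\{S1}.exe {SAMPLE}",
    f'Set value (str) {KEY}\\{S1}\\stubpath = "C:\\\\Windows\\\\{S1}.exe" {SAMPLE}',
    f"cmd.exe /c del C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE[:6]}~1.EXE > nul {SAMPLE}",
    f"File created C:\\Windows\\{S2}.exe {S1}.exe",
    f'Set value (str) {KEY}\\{S2}\\stubpath = "C:\\\\Windows\\\\{S2}.exe" {S1}.exe',
    f"cmd.exe /c del C:\\Windows\\{S1[:6]}~1.EXE > nul {S1}.exe",
    f"File created C:\\Windows\\{S3}.exe {S2}.exe",
    f'Set value (str) {KEY}\\{S3}\\stubpath = "C:\\\\Windows\\\\{S3}.exe" {S2}.exe',
    f"cmd.exe /c del C:\\Windows\\{S2[:6]}~1.EXE > nul {S2}.exe",
])


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_events(text):
    """Turn signature lines into dicts; the report doubles backslashes in
    registry string values, so they are normalised back to single ones."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_STUB.match(line):
            events.append({"kind": "stubpath", "key": m["key"],
                           "value": m["value"].replace("\\\\", "\\"), "proc": m["proc"]})
        elif m := RE_FILE.match(line):
            events.append({"kind": "file_created", "path": m["path"], "proc": m["proc"]})
        elif m := RE_DEL.match(line):
            events.append({"kind": "self_delete", "target": m["target"], "proc": m["proc"]})
    return events


def build_chain(events, root):
    """Follow 'File created' events from the root: each stage drops exactly one successor."""
    dropped_by = {}
    for e in events:
        if e["kind"] == "file_created":
            dropped_by.setdefault(e["proc"], []).append(basename(e["path"]))
    chain, cur = [root], root
    while cur in dropped_by:
        nxt = dropped_by[cur]
        if len(nxt) != 1 or nxt[0] in chain:   # fan-out or loop: stop, do not guess
            break
        cur = nxt[0]
        chain.append(cur)
    return chain


def check_active_setup_handoff(events, chain):
    """(stage, successor) pairs where the stage's stubpath names the file it dropped."""
    stubs = {e["proc"]: basename(e["value"]) for e in events if e["kind"] == "stubpath"}
    return [(a, b) for a, b in zip(chain, chain[1:]) if stubs.get(a) == b]


def flag_stubpaths(events):
    """Active Setup stubpath values that point at a GUID-named exe dropped straight
    into C:\\Windows whose GUID equals the Installed Components key name."""
    hits = []
    for e in events:
        if e["kind"] != "stubpath" or not re.match(ACTIVE_SETUP, e["key"], re.I):
            continue
        m = RE_STUB_TARGET.match(e["value"])
        if m and m.group(1).lower() == basename(e["key"]).lower():
            hits.append((e["proc"], e["value"]))
    return hits


def resolve_self_deletes(events, chain):
    """Map each 'cmd /c del <8.3 name>' to the chain stage it removes by prefix match."""
    resolved = {}
    for e in events:
        if e["kind"] != "self_delete":
            continue
        prefix = basename(e["target"]).split("~", 1)[0].lower()
        matches = [s for s in chain if s.lower().startswith(prefix)]
        resolved[e["proc"]] = matches[0] if len(matches) == 1 else None
    return resolved


def self_deleting_stages(events, chain):
    """Stages whose cmd.exe child deletes the stage's own image."""
    return [p for p, t in resolve_self_deletes(events, chain).items() if p == t]


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    chain = build_chain(ev, SAMPLE)
    print("drop chain:", " -> ".join(chain))
    print("Active Setup hand-offs:", check_active_setup_handoff(ev, chain))
    print("flagged stubpaths:", flag_stubpaths(ev))
    print("self-deleting stages:", self_deleting_stages(ev, chain))
```

On a live host the same three checks translate directly into a hunt: enumerate Installed Components (both views) for stubpath values under C:\Windows\{GUID}.exe whose GUID matches the key, and look for cmd.exe command lines of the form `/c del <8.3 name> > nul` spawned by a GUID-named parent; neither depends on the per-stage hashes.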
Processes

Depth markers [n] follow the sandbox's own nesting numbers. Each stage launches the next stage and, as a sibling of it, a cmd.exe that deletes the stage's own image by 8.3 short name. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe even though the command line names C:\Windows\system32\cmd.exe: the parents are 32-bit, so file-system redirection applies.

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe  (PID 1644)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe  (PID 2960)
      cmdline: C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe  (PID 2528)
        cmdline: C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe  (PID 1588)
          cmdline: C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe  (PID 1564)
            cmdline: C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe  (PID 2316)
              cmdline: C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe  (PID 1640)
                cmdline: C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe  (PID 2292)
                  cmdline: C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe  (PID 1376)
                    cmdline: C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe  (PID 2508)
                       cmdline: C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe  (PID 600)
                         cmdline: C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe  (PID 1812)
                           cmdline: C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe
                           - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe  (PID 1772)
                           cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE43B~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe  (PID 816)
                         cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5D2~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe  (PID 2776)
                       cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D6AA~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe  (PID 1708)
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{90692~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 1676)
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C41FE~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 1628)
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7BE~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 2332)
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F71~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 1536)
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F39A3~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2408)
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F22EF~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2604)
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{1E906~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 2056)
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Eleven dropped files, all 408KB like the submitted sample, each with a different hash.

Filesize  408KB
MD5       19ea88ec3a9f3491dd6f19db450666b4
SHA1      648b6030d7669524917130177b06b6dfee5735cc
SHA256    a43542185a91d908ee6c1fc33ad264913d9336eb011e3f5f55bb2a928e07e54b
SHA512    a84857d3ecdeabbc22386ec246d769a781391d91c3b5e502672018cbfd9c310dbd7058eb09feaa3d86a651814442b9d30e54beb54516d976cc0b38aba91c7897

Filesize  408KB
MD5       28cc4bee2a1bb57f74817b4ede0525f6
SHA1      3fe8f36b9fdf13dd2cadad6ab0ab876dd3a7b134
SHA256    5361d7536654046c9f8ff7f31cceedbb195a3e87f456f3a3e83ea3604a0127a1
SHA512    1a34649e86b4efc14cf92dc400da181d13417ec9487be6f11ba4e54ffadd94e3cd47751d30f7b65757c1f8c2ced7931aa22efd35a15197f5909779ed4446f40c

Filesize  408KB
MD5       a15ec99267fafde4ae25bc0acc8a9347
SHA1      19ee8309788a9d97ac4db0325e71fe67c57944df
SHA256    f6bea61c1db195d4a84996bf48761760ddc7dbdc00a5171fc57f3f14f4f90767
SHA512    75704bf69d2031063cf8fbd8c69d9617d941343a3ab7b05d976bae6b917e183e874ca8c03d853592830b7c778636a2c1071a63e2121731f361ca416bb7cd3989

Filesize  408KB
MD5       7f142d279f6d769736b4637e779645f4
SHA1      b719e52470b665f23c724a35c7be0de56cdb7726
SHA256    dee4ff6e58f4a737c7121974841ca59d9cd28cf07031b8af4aae24c57110251f
SHA512    a735091db4295ed55beb4b113554d690ce86fe6d6c7c60ba2c49ce569a648e082d2a9a874f99a794d0cdb786db204557483686ccee04e503653ac60c3438b5dd

Filesize  408KB
MD5       7a6a15e142979fd8b684a635786682d4
SHA1      f248eece4c4a98869139850f3635732dbb50ec36
SHA256    4a502d181500cbf021140f1f1bb7461486881f5ae4585f973c72b0477bbcf2b5
SHA512    1217beafa66581f6e8b5d0087f054475144c0817e052348ec9c04d569f47b724949e3b880fcb97804b86f87196ceda9060f3e2fa902eac54b0e02f969b39be28

Filesize  408KB
MD5       69b8e53fd9afbf4d79ddcfab3eaad3df
SHA1      53418e9f7a56cc1b815eca0a4929d40b7a2660df
SHA256    e6c80ac166730aade6ac3a93c72e74f5fbf947ca916c71aa5eaef4c1dd3d9864
SHA512    b29406f8abbda9b17f19af3e20f06e6461c69bff4051575bdc39d6cafbc5a4982808b4cf86b280f14734890cba7a37893da4cd5c28bb5e331f6ceb8d7416d2b9

Filesize  408KB
MD5       0cf3d8bb15620e0884daf89c2acdd4ef
SHA1      4b302208c9c9aa2b8f957d141866a53e2bb7d97d
SHA256    9cd98971906a2ade31a76d2c6704b543705c36aaeb8ddfc6cf5f24dc5d8c7f74
SHA512    60100985d02d80ede80ea6afc30bd99137374b61d97b7f0941f4ca6f3fd91f7e0070b688440fdccfa89dbb9d6293ff617242dafe5178e2cf5f5abddf61005920

Filesize  408KB
MD5       a664c2de655404a12a34aebfe331bdff
SHA1      8f956574b8cf3a50dd538a67abbce9d3ee68d192
SHA256    aa70dd3a0fcda38efeea6e77493dc5625ee18b0f8e0c34e6310387ee32814dc2
SHA512    d87f73c19a8e417b8e60917fe3634a1926caa0441eb28631e1de2192d6350d8f520c1110db584db4d11f764c98bf947616c4418e70a3b5ece67910f9eb0f32cb

Filesize  408KB
MD5       9526767791aa1a7994e1b550353c340c
SHA1      e63534cf0bfc88984732a4927fa8779e474e745a
SHA256    8a610c3ef02b6e91790a7cd0f840819bc00f36588cd465ba0f00e4c2f8f37752
SHA512    9fe1def048ec62256beb2addddcc9f97ab30ae6cc4c31e97f187025b77710dfef6674e272433088a17d98a662dd2285270f5f23269e6e15b30a6385373966909

Filesize  408KB
MD5       e8e7596e171ef9cfaa34c3bd218dcab9
SHA1      88ab1aab3687e1412bb670e6057858a88cc47046
SHA256    c78af638d7fb0b0a59cf18924d9fa7210f91a1cc7cd2f0ea75d39288e4ecd23e
SHA512    c666a2e3f02782ee2bd26f18af841715f61437d1b6b4ff2cf1c8973c39ce2ca67c02c3a2bd635e154a2796dbb31986d99063a6ac096cf5e54e197bfe77ffa9b1

Filesize  408KB
MD5       8edbeb5b7e476176b745fc6fb0f2a00f
SHA1      3b5e7470c0616613115aeb924669ac0201997281
SHA256    b42f2a55fa9e6a64f36fc76220c5a244663432017083873e03aa9b4446832b8f
SHA512    d73e2f7796d5ebd6731e216c0d6952791589b6b849d81c229a53cd774b3d4bf22e6688765056090bf66585646ac5822dfdc1874114aaf9c8fea8f45daa469f68