Analysis
max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 16:34

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Size: 216KB
MD5: 1d83b5d5a996b10bd072a83df62b3ae2
SHA1: ebf526a1a66ebc4bf0b65b312c817c31274c2614
SHA256: ab47f60e736382aaea83ac449682a8908b0f8fbb644d20ff975d9e27f82025c8
SHA512: d06fa8d130a29711cdce26c8ec8b9a29dcb93d489b6d9e51399c9d8ae70efc2dd151644390b794e1eecd65d4213ba2c275f97d91ef1f0778612c9070a862b682
SSDEEP: 3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012251-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015cb6-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000015d42-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}\stubpath = "C:\\Windows\\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe" | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{917EAE3E-966D-4dcb-B063-5EA3481E9237} | {A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D} | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469} | {84219630-A311-49de-80BA-A2883CB8BD37}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}\stubpath = "C:\\Windows\\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe" | {84219630-A311-49de-80BA-A2883CB8BD37}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}\stubpath = "C:\\Windows\\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe" | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C6F648C-31CC-43e2-A324-8E1B825038A7}\stubpath = "C:\\Windows\\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe" | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC} | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86067B87-74DD-473d-81AE-BF0AA1EC2608} | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB83913-5521-4194-8E69-C814617D12E3} | {8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB83913-5521-4194-8E69-C814617D12E3}\stubpath = "C:\\Windows\\{1DB83913-5521-4194-8E69-C814617D12E3}.exe" | {8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A675B80C-A2DB-4008-960E-A92467EDC6F0} | {1DB83913-5521-4194-8E69-C814617D12E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{917EAE3E-966D-4dcb-B063-5EA3481E9237}\stubpath = "C:\\Windows\\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe" | {A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84219630-A311-49de-80BA-A2883CB8BD37} | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}\stubpath = "C:\\Windows\\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe" | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A} | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86067B87-74DD-473d-81AE-BF0AA1EC2608}\stubpath = "C:\\Windows\\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe" | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2} | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A675B80C-A2DB-4008-960E-A92467EDC6F0}\stubpath = "C:\\Windows\\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe" | {1DB83913-5521-4194-8E69-C814617D12E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}\stubpath = "C:\\Windows\\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe" | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C6F648C-31CC-43e2-A324-8E1B825038A7} | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84219630-A311-49de-80BA-A2883CB8BD37}\stubpath = "C:\\Windows\\{84219630-A311-49de-80BA-A2883CB8BD37}.exe" | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
Deletes itself (1 IoC)
pid | Process
2172 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe
2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
2160 | {8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
2928 | {1DB83913-5521-4194-8E69-C814617D12E3}.exe
2400 | {A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
1480 | {917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
File created | C:\Windows\{84219630-A311-49de-80BA-A2883CB8BD37}.exe | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
File created | C:\Windows\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
File created | C:\Windows\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe | {A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
File created | C:\Windows\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe | {1DB83913-5521-4194-8E69-C814617D12E3}.exe
File created | C:\Windows\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
File created | C:\Windows\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | {84219630-A311-49de-80BA-A2883CB8BD37}.exe
File created | C:\Windows\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
File created | C:\Windows\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
File created | C:\Windows\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
File created | C:\Windows\{1DB83913-5521-4194-8E69-C814617D12E3}.exe | {8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
Token: SeIncBasePriorityPrivilege | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
Token: SeIncBasePriorityPrivilege | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe
Token: SeIncBasePriorityPrivilege | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
Token: SeIncBasePriorityPrivilege | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
Token: SeIncBasePriorityPrivilege | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
Token: SeIncBasePriorityPrivilege | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
Token: SeIncBasePriorityPrivilege | 2160 | {8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
Token: SeIncBasePriorityPrivilege | 2928 | {1DB83913-5521-4194-8E69-C814617D12E3}.exe
Token: SeIncBasePriorityPrivilege | 2400 | {A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2960 wrote to memory of 2964 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 28
PID 2960 wrote to memory of 2964 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 28
PID 2960 wrote to memory of 2964 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 28
PID 2960 wrote to memory of 2964 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 28
PID 2960 wrote to memory of 2172 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 29
PID 2960 wrote to memory of 2172 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 29
PID 2960 wrote to memory of 2172 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 29
PID 2960 wrote to memory of 2172 | 2960 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 29
PID 2964 wrote to memory of 2624 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 30
PID 2964 wrote to memory of 2624 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 30
PID 2964 wrote to memory of 2624 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 30
PID 2964 wrote to memory of 2624 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 30
PID 2964 wrote to memory of 2672 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 31
PID 2964 wrote to memory of 2672 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 31
PID 2964 wrote to memory of 2672 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 31
PID 2964 wrote to memory of 2672 | 2964 | {03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe | 31
PID 2624 wrote to memory of 2248 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 32
PID 2624 wrote to memory of 2248 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 32
PID 2624 wrote to memory of 2248 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 32
PID 2624 wrote to memory of 2248 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 32
PID 2624 wrote to memory of 2580 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 33
PID 2624 wrote to memory of 2580 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 33
PID 2624 wrote to memory of 2580 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 33
PID 2624 wrote to memory of 2580 | 2624 | {3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe | 33
PID 2248 wrote to memory of 2540 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 36
PID 2248 wrote to memory of 2540 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 36
PID 2248 wrote to memory of 2540 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 36
PID 2248 wrote to memory of 2540 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 36
PID 2248 wrote to memory of 2896 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 37
PID 2248 wrote to memory of 2896 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 37
PID 2248 wrote to memory of 2896 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 37
PID 2248 wrote to memory of 2896 | 2248 | {84219630-A311-49de-80BA-A2883CB8BD37}.exe | 37
PID 2540 wrote to memory of 2480 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 38
PID 2540 wrote to memory of 2480 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 38
PID 2540 wrote to memory of 2480 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 38
PID 2540 wrote to memory of 2480 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 38
PID 2540 wrote to memory of 2508 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 39
PID 2540 wrote to memory of 2508 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 39
PID 2540 wrote to memory of 2508 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 39
PID 2540 wrote to memory of 2508 | 2540 | {CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe | 39
PID 2480 wrote to memory of 1776 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 40
PID 2480 wrote to memory of 1776 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 40
PID 2480 wrote to memory of 1776 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 40
PID 2480 wrote to memory of 1776 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 40
PID 2480 wrote to memory of 2308 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 41
PID 2480 wrote to memory of 2308 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 41
PID 2480 wrote to memory of 2308 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 41
PID 2480 wrote to memory of 2308 | 2480 | {585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe | 41
PID 1776 wrote to memory of 2304 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 42
PID 1776 wrote to memory of 2304 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 42
PID 1776 wrote to memory of 2304 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 42
PID 1776 wrote to memory of 2304 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 42
PID 1776 wrote to memory of 2148 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 43
PID 1776 wrote to memory of 2148 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 43
PID 1776 wrote to memory of 2148 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 43
PID 1776 wrote to memory of 2148 | 1776 | {86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe | 43
PID 2304 wrote to memory of 2160 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 44
PID 2304 wrote to memory of 2160 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 44
PID 2304 wrote to memory of 2160 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 44
PID 2304 wrote to memory of 2160 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 44
PID 2304 wrote to memory of 2340 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 45
PID 2304 wrote to memory of 2340 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 45
PID 2304 wrote to memory of 2340 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 45
PID 2304 wrote to memory of 2340 | 2304 | {24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe | 45
Processes
(process tree; the number in brackets is the depth in the tree, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2960
  [2] C:\Windows\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
    Command line: C:\Windows\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2964
    [3] C:\Windows\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
      Command line: C:\Windows\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2624
      [4] C:\Windows\{84219630-A311-49de-80BA-A2883CB8BD37}.exe
        Command line: C:\Windows\{84219630-A311-49de-80BA-A2883CB8BD37}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2248
        [5] C:\Windows\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
          Command line: C:\Windows\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2540
          [6] C:\Windows\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
            Command line: C:\Windows\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2480
            [7] C:\Windows\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
              Command line: C:\Windows\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 1776
              [8] C:\Windows\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
                Command line: C:\Windows\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2304
                [9] C:\Windows\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
                  Command line: C:\Windows\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2160
                  [10] C:\Windows\{1DB83913-5521-4194-8E69-C814617D12E3}.exe
                    Command line: C:\Windows\{1DB83913-5521-4194-8E69-C814617D12E3}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 2928
                    [11] C:\Windows\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
                      Command line: C:\Windows\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 2400
                      [12] C:\Windows\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe
                        Command line: C:\Windows\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe
                        - Executes dropped EXE
                        PID: 1480
                      [12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A675B~1.EXE > nul
                        PID: 1640
                    [11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB83~1.EXE > nul
                      PID: 2104
                  [10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8F5AF~1.EXE > nul
                    PID: 2904
                [9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{24731~1.EXE > nul
                  PID: 2340
              [8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{86067~1.EXE > nul
                PID: 2148
            [7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{585DE~1.EXE > nul
              PID: 2308
          [6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CA5D9~1.EXE > nul
            PID: 2508
        [5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{84219~1.EXE > nul
          PID: 2896
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6F6~1.EXE > nul
        PID: 2580
    [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{03FD0~1.EXE > nul
      PID: 2672
  [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
    PID: 2172
Network
MITRE ATT&CK Enterprise v15
Downloads