Analysis
max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
02/03/2024, 16:33
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Resource
win10v2004-20240226-en
General
Target
2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Size
197KB
MD5
1b79f7a7b43252a50deeee1b37920bc6
SHA1
e5158a59de2e0641125a7dcf7583c63ce1ffca12
SHA256
f50bfdcc2f255991febeeeccd6d84b7c1c09dd9c99f2c3d0b288fdfcb12840c5
SHA512
a5de5791da9c8448776fe315199155221c358472bb0388d052c056b15f25c4c1eb8167ddc21671f85f70b35a218b0ba0d960401425765ffc1b9140f141ef2947
SSDEEP
3072:jEGh0oYZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGWlEeKcAEca
Malware Config
Signatures
Auto-generated rule 10 IoCs
resource | yara_rule
behavioral1/files/0x000900000001224c-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d24-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d84-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d24-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d89-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016d24-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000001704f-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00020000000180e5-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000001868c-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00030000000180e5-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5598CEB-C6DF-433a-937E-4E31CB358AD8} | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372C5E36-A21F-401d-ABC9-C9A3CB892D44} | {DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}\stubpath = "C:\\Windows\\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe" | {372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1876614C-7669-4144-A331-81E143FB8CB7}\stubpath = "C:\\Windows\\{1876614C-7669-4144-A331-81E143FB8CB7}.exe" | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA} | {1876614C-7669-4144-A331-81E143FB8CB7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAED611D-5084-417d-8664-AFFFB6E502AF} | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F024A393-9B71-4bf1-8E82-79D123AE1293}\stubpath = "C:\\Windows\\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe" | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}\stubpath = "C:\\Windows\\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe" | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA954FBD-7CD3-42e0-B684-26CA2184E798} | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA954FBD-7CD3-42e0-B684-26CA2184E798}\stubpath = "C:\\Windows\\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe" | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}\stubpath = "C:\\Windows\\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe" | {DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}\stubpath = "C:\\Windows\\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe" | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAED611D-5084-417d-8664-AFFFB6E502AF}\stubpath = "C:\\Windows\\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe" | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F024A393-9B71-4bf1-8E82-79D123AE1293} | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911} | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}\stubpath = "C:\\Windows\\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe" | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1876614C-7669-4144-A331-81E143FB8CB7} | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}\stubpath = "C:\\Windows\\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe" | {1876614C-7669-4144-A331-81E143FB8CB7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF} | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A} | {372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
Deletes itself 1 IoCs
pid | Process
1636 | cmd.exe
Executes dropped EXE 10 IoCs
pid | Process
1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe
1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
2708 | {DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
1836 | {372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
3048 | {E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
File created | C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe | {DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
File created | C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | {1876614C-7669-4144-A331-81E143FB8CB7}.exe
File created | C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
File created | C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
File created | C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
File created | C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
File created | C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
File created | C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
File created | C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe | {372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe
Token: SeIncBasePriorityPrivilege | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
Token: SeIncBasePriorityPrivilege | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
Token: SeIncBasePriorityPrivilege | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
Token: SeIncBasePriorityPrivilege | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
Token: SeIncBasePriorityPrivilege | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
Token: SeIncBasePriorityPrivilege | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
Token: SeIncBasePriorityPrivilege | 2708 | {DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
Token: SeIncBasePriorityPrivilege | 1836 | {372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2336 wrote to memory of 1316 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 30
PID 2336 wrote to memory of 1316 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 30
PID 2336 wrote to memory of 1316 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 30
PID 2336 wrote to memory of 1316 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 30
PID 2336 wrote to memory of 1636 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 31
PID 2336 wrote to memory of 1636 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 31
PID 2336 wrote to memory of 1636 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 31
PID 2336 wrote to memory of 1636 | 2336 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 31
PID 1316 wrote to memory of 1964 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 32
PID 1316 wrote to memory of 1964 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 32
PID 1316 wrote to memory of 1964 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 32
PID 1316 wrote to memory of 1964 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 32
PID 1316 wrote to memory of 2032 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 33
PID 1316 wrote to memory of 2032 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 33
PID 1316 wrote to memory of 2032 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 33
PID 1316 wrote to memory of 2032 | 1316 | {1876614C-7669-4144-A331-81E143FB8CB7}.exe | 33
PID 1964 wrote to memory of 592 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 34
PID 1964 wrote to memory of 592 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 34
PID 1964 wrote to memory of 592 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 34
PID 1964 wrote to memory of 592 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 34
PID 1964 wrote to memory of 268 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 35
PID 1964 wrote to memory of 268 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 35
PID 1964 wrote to memory of 268 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 35
PID 1964 wrote to memory of 268 | 1964 | {D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe | 35
PID 592 wrote to memory of 1736 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 36
PID 592 wrote to memory of 1736 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 36
PID 592 wrote to memory of 1736 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 36
PID 592 wrote to memory of 1736 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 36
PID 592 wrote to memory of 564 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 37
PID 592 wrote to memory of 564 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 37
PID 592 wrote to memory of 564 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 37
PID 592 wrote to memory of 564 | 592 | {D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe | 37
PID 1736 wrote to memory of 696 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 38
PID 1736 wrote to memory of 696 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 38
PID 1736 wrote to memory of 696 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 38
PID 1736 wrote to memory of 696 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 38
PID 1736 wrote to memory of 2660 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 39
PID 1736 wrote to memory of 2660 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 39
PID 1736 wrote to memory of 2660 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 39
PID 1736 wrote to memory of 2660 | 1736 | {AAED611D-5084-417d-8664-AFFFB6E502AF}.exe | 39
PID 696 wrote to memory of 2396 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 40
PID 696 wrote to memory of 2396 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 40
PID 696 wrote to memory of 2396 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 40
PID 696 wrote to memory of 2396 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 40
PID 696 wrote to memory of 2884 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 41
PID 696 wrote to memory of 2884 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 41
PID 696 wrote to memory of 2884 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 41
PID 696 wrote to memory of 2884 | 696 | {F024A393-9B71-4bf1-8E82-79D123AE1293}.exe | 41
PID 2396 wrote to memory of 2556 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 42
PID 2396 wrote to memory of 2556 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 42
PID 2396 wrote to memory of 2556 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 42
PID 2396 wrote to memory of 2556 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 42
PID 2396 wrote to memory of 2840 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 43
PID 2396 wrote to memory of 2840 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 43
PID 2396 wrote to memory of 2840 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 43
PID 2396 wrote to memory of 2840 | 2396 | {AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe | 43
PID 2556 wrote to memory of 2708 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 44
PID 2556 wrote to memory of 2708 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 44
PID 2556 wrote to memory of 2708 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 44
PID 2556 wrote to memory of 2708 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 44
PID 2556 wrote to memory of 1792 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 45
PID 2556 wrote to memory of 1792 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 45
PID 2556 wrote to memory of 1792 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 45
PID 2556 wrote to memory of 1792 | 2556 | {EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe | 45
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe (depth 1, PID 2336)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe (depth 2, PID 1316)
    command line: C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe (depth 3, PID 1964)
      command line: C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe (depth 4, PID 592)
        command line: C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe (depth 5, PID 1736)
          command line: C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe (depth 6, PID 696)
            command line: C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe (depth 7, PID 2396)
              command line: C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe (depth 8, PID 2556)
                command line: C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe (depth 9, PID 2708)
                  command line: C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe (depth 10, PID 1836)
                    command line: C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe (depth 11, PID 3048)
                      command line: C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe
                      - Executes dropped EXE
                    C:\Windows\SysWOW64\cmd.exe (depth 11, PID 3016)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{372C5~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2948)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DA954~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (depth 9, PID 1792)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7DF~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2840)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAC3~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2884)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F024A~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2660)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AAED6~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 564)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D5598~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 268)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D40ED~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2032)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{18766~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1636)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads