Analysis
max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 16:45

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Size: 192KB
MD5: 41a3bfd84351468cb374b10e6bc69476
SHA1: 251255420d7c9a4f63a904db85c1df31f5464c11
SHA256: a263cf6a0dcd6ead2d64b8d0e8bbb36e23ab47bd532c14a5a9eb948521f26e2e
SHA512: d9da1e919e6c09cee37c34ad6c19232790d46651bc9b92f79514718dd7eee04c7ab2f945ebdb20b4fdeb0da13575addc8d942ed9c18fa9bae017227e93823d5b
SSDEEP: 1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000900000001223d-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001223d-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001223d-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001223d-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001223d-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001223d-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8} | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2} | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}\stubpath = "C:\\Windows\\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe" | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91E18E1-095A-467c-9F8A-046DB187A3D0} | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}\stubpath = "C:\\Windows\\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe" | {CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}\stubpath = "C:\\Windows\\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe" | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78179858-76B0-4561-B5D9-EE443E5194FC}\stubpath = "C:\\Windows\\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe" | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}\stubpath = "C:\\Windows\\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe" | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810C727B-A546-4c18-A4B5-EC623A04E23B} | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810C727B-A546-4c18-A4B5-EC623A04E23B}\stubpath = "C:\\Windows\\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe" | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49} | {E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC65423-244C-4824-BE8D-F58C174D51E2} | {328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93} | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}\stubpath = "C:\\Windows\\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe" | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91E18E1-095A-467c-9F8A-046DB187A3D0}\stubpath = "C:\\Windows\\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe" | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037} | {CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78179858-76B0-4561-B5D9-EE443E5194FC} | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}\stubpath = "C:\\Windows\\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe" | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}\stubpath = "C:\\Windows\\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe" | {E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC65423-244C-4824-BE8D-F58C174D51E2}\stubpath = "C:\\Windows\\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe" | {328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D} | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8} | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
Deletes itself (1 IoCs)
pid | Process
2824 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe
2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
1656 | {E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
660 | {328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
2472 | {CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
2708 | {499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
File created | C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
File created | C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe | {CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
File created | C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
File created | C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe
File created | C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
File created | C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
File created | C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe | {E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
File created | C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe | {328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
File created | C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
File created | C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
Token: SeIncBasePriorityPrivilege | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
Token: SeIncBasePriorityPrivilege | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe
Token: SeIncBasePriorityPrivilege | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
Token: SeIncBasePriorityPrivilege | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
Token: SeIncBasePriorityPrivilege | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
Token: SeIncBasePriorityPrivilege | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
Token: SeIncBasePriorityPrivilege | 660 | {328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
Token: SeIncBasePriorityPrivilege | 2472 | {CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 2304 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 28
PID 2236 wrote to memory of 2304 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 28
PID 2236 wrote to memory of 2304 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 28
PID 2236 wrote to memory of 2304 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 28
PID 2236 wrote to memory of 2824 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 29
PID 2236 wrote to memory of 2824 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 29
PID 2236 wrote to memory of 2824 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 29
PID 2236 wrote to memory of 2824 | 2236 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe | 29
PID 2304 wrote to memory of 2988 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 32
PID 2304 wrote to memory of 2988 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 32
PID 2304 wrote to memory of 2988 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 32
PID 2304 wrote to memory of 2988 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 32
PID 2304 wrote to memory of 2488 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 33
PID 2304 wrote to memory of 2488 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 33
PID 2304 wrote to memory of 2488 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 33
PID 2304 wrote to memory of 2488 | 2304 | {C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe | 33
PID 2988 wrote to memory of 2772 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 34
PID 2988 wrote to memory of 2772 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 34
PID 2988 wrote to memory of 2772 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 34
PID 2988 wrote to memory of 2772 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 34
PID 2988 wrote to memory of 2028 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 35
PID 2988 wrote to memory of 2028 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 35
PID 2988 wrote to memory of 2028 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 35
PID 2988 wrote to memory of 2028 | 2988 | {09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe | 35
PID 2772 wrote to memory of 2408 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 36
PID 2772 wrote to memory of 2408 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 36
PID 2772 wrote to memory of 2408 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 36
PID 2772 wrote to memory of 2408 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 36
PID 2772 wrote to memory of 2520 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 37
PID 2772 wrote to memory of 2520 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 37
PID 2772 wrote to memory of 2520 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 37
PID 2772 wrote to memory of 2520 | 2772 | {78179858-76B0-4561-B5D9-EE443E5194FC}.exe | 37
PID 2408 wrote to memory of 2412 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 38
PID 2408 wrote to memory of 2412 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 38
PID 2408 wrote to memory of 2412 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 38
PID 2408 wrote to memory of 2412 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 38
PID 2408 wrote to memory of 2504 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 39
PID 2408 wrote to memory of 2504 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 39
PID 2408 wrote to memory of 2504 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 39
PID 2408 wrote to memory of 2504 | 2408 | {C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe | 39
PID 2412 wrote to memory of 828 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 40
PID 2412 wrote to memory of 828 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 40
PID 2412 wrote to memory of 828 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 40
PID 2412 wrote to memory of 828 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 40
PID 2412 wrote to memory of 1888 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 41
PID 2412 wrote to memory of 1888 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 41
PID 2412 wrote to memory of 1888 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 41
PID 2412 wrote to memory of 1888 | 2412 | {8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe | 41
PID 828 wrote to memory of 1340 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 42
PID 828 wrote to memory of 1340 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 42
PID 828 wrote to memory of 1340 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 42
PID 828 wrote to memory of 1340 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 42
PID 828 wrote to memory of 1876 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 43
PID 828 wrote to memory of 1876 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 43
PID 828 wrote to memory of 1876 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 43
PID 828 wrote to memory of 1876 | 828 | {810C727B-A546-4c18-A4B5-EC623A04E23B}.exe | 43
PID 1340 wrote to memory of 1656 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 44
PID 1340 wrote to memory of 1656 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 44
PID 1340 wrote to memory of 1656 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 44
PID 1340 wrote to memory of 1656 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 44
PID 1340 wrote to memory of 1708 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 45
PID 1340 wrote to memory of 1708 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 45
PID 1340 wrote to memory of 1708 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 45
PID 1340 wrote to memory of 1708 | 1340 | {E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe | 45
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"
Level: 1
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2236

C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
Command line: C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
Level: 2
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2304

C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
Command line: C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
Level: 3
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2988

C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
Command line: C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
Level: 4
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2772

C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
Command line: C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
Level: 5
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2408

C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
Command line: C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
Level: 6
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2412

C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
Command line: C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
Level: 7
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 828

C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
Command line: C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
Level: 8
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1340

C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
Command line: C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
Level: 9
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1656

C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
Command line: C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
Level: 10
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 660

C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
Command line: C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
Level: 11
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2472

C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
Command line: C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
Level: 12
- Executes dropped EXE
PID: 2708

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC65~1.EXE > nul
Level: 12
PID: 2056

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{328C2~1.EXE > nul
Level: 11
PID: 2740

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E91E1~1.EXE > nul
Level: 10
PID: 684

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E83EE~1.EXE > nul
Level: 9
PID: 1708

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{810C7~1.EXE > nul
Level: 8
PID: 1876

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7AE~1.EXE > nul
Level: 7
PID: 1888

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C6356~1.EXE > nul
Level: 6
PID: 2504

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{78179~1.EXE > nul
Level: 5
PID: 2520

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{09FC1~1.EXE > nul
Level: 4
PID: 2028

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E60~1.EXE > nul
Level: 3
PID: 2488

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Level: 2
- Deletes itself
PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 192KB
MD5: c24450c3cbe3dcdff588f34388295f42
SHA1: 5614c01e2fab10f52b0a79654c33f595468234a2
SHA256: f72c415acac63a4463108008560a171d231def02994ceb37f0d535320416ee90
SHA512: 5795634cea623c68567076c6c25b4d69ce0608bda18e2dda9f656d923f12b5b4b0981c82bbde0765d2739353d151c0e123b7696e5b8e3079d0f02d4acca41dcb

Filesize: 192KB
MD5: 7e12a616238cb8367b5e35a1dcfa90c7
SHA1: 369421451944bd67f3eec5f8a67bba1c7614cc30
SHA256: 4b53bf0c1f73dc6628cbe3dc09a48d6572b15fc5972718861961461846ab93ce
SHA512: 9ca46155913eecf3d39099934f6fe8c331b7e1bed6d31b748a7369fb9b9f8c7b94882571bd56ddbc889039a874be083ff32cfdd3c5e505aac89bfd3b8158e878

Filesize: 192KB
MD5: 6fc6b7f217a919982e5a37099e28aeb7
SHA1: bac97f57bfa1bf19b1c2fed4e469a4255db53624
SHA256: 74610157bfc034535da76f72140bbe7df255a2dbf03395f129cfaad3990e3a99
SHA512: 5c88828e49b1fcf191af056168b27a6193ddb39cc0042964843c87c18b78141acc71e8daa676a8e413b932f71d9213abbcad5297b40cfe91900ffb788eab1975

Filesize: 192KB
MD5: 9fb341ddcbf48db9e37f5d63c2084705
SHA1: 9f4e7485c81d41ddcc31548f98d9267e538d21dc
SHA256: 6a41faca498c812cd0831ccd7e378257de28ac5d5cb25e9e86e769bfd28353ce
SHA512: 9d8861a88d8e757cfa68681d06c28386c17997d18fc1707ab48f9ad9506561e313da38d31a5cfc290a4348bac494cfc5d5aed83b027f2aef2687bb52dd8f1a49

Filesize: 192KB
MD5: 09d4c2912afea1e0a3dcfdae9cd7b868
SHA1: 1bcb2ad4992c6c3075b03082c50a70a46b3db7de
SHA256: a59861623c732b41d00c8e8b54487c9e039640a805bf26c63ffc9a640916804b
SHA512: 143ac9b238efb498d81e316b6218ce46cb92828b10139ff09bfc35e868f41d970c67e9ddfb026d802c9bb08afce6eda7a7d9b336990903811c47063a0dbf12f3

Filesize: 192KB
MD5: 5b90109b4ab119b9a6b25816f3bdc064
SHA1: 5502751862aa4166fe7dfef1b286950e322a9233
SHA256: 5d2c0927c15835ae346e3eb7731a898101853fad40cce77014d2c5c2b76677b1
SHA512: 9921de11a102f0f555b348426a5622716650aa63ff5b97a06247e60d4bd3d3c501cd2b1f5460dadf48c0fc6e4e6f188182413e94d82a7d800ce349eb60446733

Filesize: 192KB
MD5: f2c35d9944e0643dc0b588fa3a3380e6
SHA1: b66fb0f757c1ec58908a8c6049c000adfccb517b
SHA256: fb6dbdf50b91af1a8079cbcdb44af16dea0aa581eee4752c3c771ebe31f3d269
SHA512: 3690ee889d5d08f92753e1a0b746389141603b371b022fb493b0de44dfbf70fbf88d335cdfd4b387771ddbb561141ee4a424dd0c13d75b2895a5d4178ed63fdb

Filesize: 192KB
MD5: 40685e5a3a90c2911e4a99c7f638caec
SHA1: 34474e02f0657ef7e29f59160ff08ecc1a2f0e9b
SHA256: 1178f9eb98acdb79ac1f95c47a59593337d1a21f1c24fbeb30009df96fcd9a29
SHA512: e7256555c902e4bd0627ab091c2c200c45314351fd90b7124d9a0788a934c8d4c7d08601d186023564eb2b4aee58d1a3d766e98fba3a77e7d553dd457c83833b

Filesize: 192KB
MD5: faeda5aa22db9084a7c12512c4669596
SHA1: 3d63b84feedb1e22693c11ca2ff1de1435d21d11
SHA256: 6ec3f8bf128b36e40e018ee4e908a3b650b7299446af6d30664e34d078fe8814
SHA512: 7a2f83fc5b9a3d0177c9ca3347d7034fa93cfb4983186130772d4656096754321d8b95566812976fff3f082050e1be0fa3b3edee98e481f4d88778f777c67b40

Filesize: 192KB
MD5: 290f954bcf0f9b0167146ce3171b829f
SHA1: 73574d377d512a6dd99228bf9449cb2605670429
SHA256: 64600a71c67e74025063dd732e157e80bfec2c15ee141d70251cf2b248cd02ec
SHA512: 6643c6c994060199b97b9f95c03059fcbf19c9984e9a492bcc86de1b90b2b9b29df74797516d22b49a797d3dfbaae64f52a9a305e9d20c7610366e53d2457631

Filesize: 192KB
MD5: a9c7c1bcdfc14394fe703ba14883d28a
SHA1: adeba02744da21681be854b68b6d1618dd43c2f6
SHA256: 7874c96707f7c87f633ec0529c73b3fcce37dc1485bb345e7a79effe8be1b0fa
SHA512: e08cb170f3754ae4824b6f4cf623e6161616a6961f17109a28083a3a9d9c52ca49df98dea4573ccd76a3ee52eb432bf5c7a284f1298dfe3c252d0426d03fe79d