Analysis
max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02/03/2024, 16:45

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Size: 197KB
MD5: 43198fa1c0eff6a701988f839ed3aea5
SHA1: 6e6f835d17aae182ac0e3e06d0177ec0193fc4d4
SHA256: 818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8
SHA512: e1b4c4473010928aafb3f8082e5259e218ad66b1178a528a15ef1c9e1fadf0a9e4805b44ee02a46347954fdae3f36f2519ef3c4de41e66d8d2f4d079d455803b
SSDEEP: 3072:jEGh0oal+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGslEeKcAEca
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000012256-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000131a1-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016270-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA26966D-DE35-45da-B031-0C11CABC4C5F} | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA99551C-A1C3-41f2-971B-F825FA05A78E} | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597C775A-3953-4c21-B557-DAD3D246475E}\stubpath = "C:\\Windows\\{597C775A-3953-4c21-B557-DAD3D246475E}.exe" | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC6E6B0-F2FC-4592-8563-97854B726809} | {597C775A-3953-4c21-B557-DAD3D246475E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E9F424-F572-41d6-A41B-302837EABF97} | {CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9621C1B-3D96-49a8-B130-2D6397F503EE} | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}\stubpath = "C:\\Windows\\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe" | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E641844-7EC2-42a5-80C9-475335E5E7C4} | {56E9F424-F572-41d6-A41B-302837EABF97}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C} | {2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}\stubpath = "C:\\Windows\\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe" | {2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D6739-C881-4b15-B6B0-E31883FD204A} | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA26966D-DE35-45da-B031-0C11CABC4C5F}\stubpath = "C:\\Windows\\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe" | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9621C1B-3D96-49a8-B130-2D6397F503EE}\stubpath = "C:\\Windows\\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe" | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA99551C-A1C3-41f2-971B-F825FA05A78E}\stubpath = "C:\\Windows\\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe" | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14} | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E9F424-F572-41d6-A41B-302837EABF97}\stubpath = "C:\\Windows\\{56E9F424-F572-41d6-A41B-302837EABF97}.exe" | {CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E641844-7EC2-42a5-80C9-475335E5E7C4}\stubpath = "C:\\Windows\\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe" | {56E9F424-F572-41d6-A41B-302837EABF97}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D6739-C881-4b15-B6B0-E31883FD204A}\stubpath = "C:\\Windows\\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe" | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC} | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}\stubpath = "C:\\Windows\\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe" | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597C775A-3953-4c21-B557-DAD3D246475E} | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC6E6B0-F2FC-4592-8563-97854B726809}\stubpath = "C:\\Windows\\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe" | {597C775A-3953-4c21-B557-DAD3D246475E}.exe
Deletes itself (1 IoC)
pid | Process
2676 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe
1100 | {CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
1832 | {56E9F424-F572-41d6-A41B-302837EABF97}.exe
2288 | {2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
1724 | {DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
File created | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
File created | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
File created | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
File created | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | {56E9F424-F572-41d6-A41B-302837EABF97}.exe
File created | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
File created | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
File created | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | {597C775A-3953-4c21-B557-DAD3D246475E}.exe
File created | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | {CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
File created | C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe | {2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
File created | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
Token: SeIncBasePriorityPrivilege | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
Token: SeIncBasePriorityPrivilege | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
Token: SeIncBasePriorityPrivilege | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
Token: SeIncBasePriorityPrivilege | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
Token: SeIncBasePriorityPrivilege | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
Token: SeIncBasePriorityPrivilege | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe
Token: SeIncBasePriorityPrivilege | 1100 | {CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
Token: SeIncBasePriorityPrivilege | 1832 | {56E9F424-F572-41d6-A41B-302837EABF97}.exe
Token: SeIncBasePriorityPrivilege | 2288 | {2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2200 wrote to memory of 2068 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 28
PID 2200 wrote to memory of 2068 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 28
PID 2200 wrote to memory of 2068 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 28
PID 2200 wrote to memory of 2068 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 28
PID 2200 wrote to memory of 2676 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 29
PID 2200 wrote to memory of 2676 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 29
PID 2200 wrote to memory of 2676 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 29
PID 2200 wrote to memory of 2676 | 2200 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | 29
PID 2068 wrote to memory of 2548 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 30
PID 2068 wrote to memory of 2548 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 30
PID 2068 wrote to memory of 2548 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 30
PID 2068 wrote to memory of 2548 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 30
PID 2068 wrote to memory of 2532 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 31
PID 2068 wrote to memory of 2532 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 31
PID 2068 wrote to memory of 2532 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 31
PID 2068 wrote to memory of 2532 | 2068 | {E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | 31
PID 2548 wrote to memory of 2940 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 34
PID 2548 wrote to memory of 2940 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 34
PID 2548 wrote to memory of 2940 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 34
PID 2548 wrote to memory of 2940 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 34
PID 2548 wrote to memory of 2980 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 35
PID 2548 wrote to memory of 2980 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 35
PID 2548 wrote to memory of 2980 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 35
PID 2548 wrote to memory of 2980 | 2548 | {DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | 35
PID 2940 wrote to memory of 2664 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 36
PID 2940 wrote to memory of 2664 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 36
PID 2940 wrote to memory of 2664 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 36
PID 2940 wrote to memory of 2664 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 36
PID 2940 wrote to memory of 2600 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 37
PID 2940 wrote to memory of 2600 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 37
PID 2940 wrote to memory of 2600 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 37
PID 2940 wrote to memory of 2600 | 2940 | {B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | 37
PID 2664 wrote to memory of 524 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 38
PID 2664 wrote to memory of 524 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 38
PID 2664 wrote to memory of 524 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 38
PID 2664 wrote to memory of 524 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 38
PID 2664 wrote to memory of 268 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 39
PID 2664 wrote to memory of 268 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 39
PID 2664 wrote to memory of 268 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 39
PID 2664 wrote to memory of 268 | 2664 | {EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | 39
PID 524 wrote to memory of 1652 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 40
PID 524 wrote to memory of 1652 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 40
PID 524 wrote to memory of 1652 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 40
PID 524 wrote to memory of 1652 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 40
PID 524 wrote to memory of 2164 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 41
PID 524 wrote to memory of 2164 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 41
PID 524 wrote to memory of 2164 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 41
PID 524 wrote to memory of 2164 | 524 | {E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | 41
PID 1652 wrote to memory of 848 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 42
PID 1652 wrote to memory of 848 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 42
PID 1652 wrote to memory of 848 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 42
PID 1652 wrote to memory of 848 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 42
PID 1652 wrote to memory of 1976 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 43
PID 1652 wrote to memory of 1976 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 43
PID 1652 wrote to memory of 1976 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 43
PID 1652 wrote to memory of 1976 | 1652 | {3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | 43
PID 848 wrote to memory of 1100 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 44
PID 848 wrote to memory of 1100 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 44
PID 848 wrote to memory of 1100 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 44
PID 848 wrote to memory of 1100 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 44
PID 848 wrote to memory of 2644 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 45
PID 848 wrote to memory of 2644 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 45
PID 848 wrote to memory of 2644 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 45
PID 848 wrote to memory of 2644 | 848 | {597C775A-3953-4c21-B557-DAD3D246475E}.exe | 45
Processes

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe" [PID 2200]
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe [PID 2068]
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe [PID 2548]
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe [PID 2940]
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe [PID 2664]
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe [PID 524]
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe [PID 1652]
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe [PID 848]
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe [PID 1100]
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe [PID 1832]
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe [PID 2288]
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe [PID 1724]
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2E641~1.EXE > nul) [PID 1700]
                    C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{56E9F~1.EXE > nul) [PID 2284]
                  C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC6E~1.EXE > nul) [PID 1020]
                C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{597C7~1.EXE > nul) [PID 2644]
              C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3C120~1.EXE > nul) [PID 1976]
            C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E9ACF~1.EXE > nul) [PID 2164]
          C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EA995~1.EXE > nul) [PID 268]
        C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B9621~1.EXE > nul) [PID 2600]
      C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DA269~1.EXE > nul) [PID 2980]
    C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E78D6~1.EXE > nul) [PID 2532]
  C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul) [PID 2676]
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads