Analysis
max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
02/03/2024, 16:25
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
-
Size
408KB
-
MD5
011e13009db147c44f349d7df4be4eb4
-
SHA1
f84399f6e29ddcbefc34d19c70a78b7fe4dd4dfa
-
SHA256
e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a
-
SHA512
8863b3d7391d1ef1550da7dcf666542cc4e239fd0d0bc623933658ea43f622ad706b87a3bffead1c7fb083870a260823c985e1c62f0e6a7117658054e8f2f679
-
SSDEEP
3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource yara_rule
behavioral1/files/0x000c000000012258-4.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012272-12.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015c54-19.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015c54-33.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015c73-47.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015c95-61.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015c9b-68.dat GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c95-75.dat GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308} {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}\stubpath = "C:\\Windows\\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe" {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B} {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1} {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1}\stubpath = "C:\\Windows\\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe" {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72} {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED} {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}\stubpath = "C:\\Windows\\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe" {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}\stubpath = "C:\\Windows\\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe" {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382} {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308}\stubpath = "C:\\Windows\\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe" {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B} 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF} {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF}\stubpath = "C:\\Windows\\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe" {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029} {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331}\stubpath = "C:\\Windows\\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe" {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382}\stubpath = "C:\\Windows\\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe" {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B}\stubpath = "C:\\Windows\\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe" 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029}\stubpath = "C:\\Windows\\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe" {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058} {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331} {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}\stubpath = "C:\\Windows\\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe" {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
-
Deletes itself 1 IoCs
pid Process
2272 cmd.exe
-
Executes dropped EXE 11 IoCs
pid Process
3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
2788 {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
1240 {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
1464 {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
2112 {96605775-AC2A-4368-BB05-B38F1B6E9308}.exe
-
Drops file in Windows directory 11 IoCs
description ioc Process
File created C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
File created C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
File created C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
File created C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
File created C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
File created C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
File created C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
File created C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
File created C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
File created C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
File created C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Token: SeIncBasePriorityPrivilege 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
Token: SeIncBasePriorityPrivilege 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
Token: SeIncBasePriorityPrivilege 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
Token: SeIncBasePriorityPrivilege 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
Token: SeIncBasePriorityPrivilege 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
Token: SeIncBasePriorityPrivilege 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
Token: SeIncBasePriorityPrivilege 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
Token: SeIncBasePriorityPrivilege 2788 {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
Token: SeIncBasePriorityPrivilege 1240 {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
Token: SeIncBasePriorityPrivilege 1464 {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2148 wrote to memory of 3052 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 28
PID 2148 wrote to memory of 3052 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 28
PID 2148 wrote to memory of 3052 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 28
PID 2148 wrote to memory of 3052 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 28
PID 2148 wrote to memory of 2272 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 29
PID 2148 wrote to memory of 2272 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 29
PID 2148 wrote to memory of 2272 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 29
PID 2148 wrote to memory of 2272 2148 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe 29
PID 3052 wrote to memory of 2568 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 30
PID 3052 wrote to memory of 2568 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 30
PID 3052 wrote to memory of 2568 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 30
PID 3052 wrote to memory of 2568 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 30
PID 3052 wrote to memory of 2552 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 31
PID 3052 wrote to memory of 2552 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 31
PID 3052 wrote to memory of 2552 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 31
PID 3052 wrote to memory of 2552 3052 {9D783760-B970-436c-83E5-2508D1D9E36B}.exe 31
PID 2568 wrote to memory of 1992 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 34
PID 2568 wrote to memory of 1992 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 34
PID 2568 wrote to memory of 1992 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 34
PID 2568 wrote to memory of 1992 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 34
PID 2568 wrote to memory of 2092 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 35
PID 2568 wrote to memory of 2092 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 35
PID 2568 wrote to memory of 2092 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 35
PID 2568 wrote to memory of 2092 2568 {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe 35
PID 1992 wrote to memory of 684 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 36
PID 1992 wrote to memory of 684 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 36
PID 1992 wrote to memory of 684 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 36
PID 1992 wrote to memory of 684 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 36
PID 1992 wrote to memory of 2812 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 37
PID 1992 wrote to memory of 2812 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 37
PID 1992 wrote to memory of 2812 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 37
PID 1992 wrote to memory of 2812 1992 {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe 37
PID 684 wrote to memory of 2860 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 38
PID 684 wrote to memory of 2860 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 38
PID 684 wrote to memory of 2860 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 38
PID 684 wrote to memory of 2860 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 38
PID 684 wrote to memory of 2096 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 39
PID 684 wrote to memory of 2096 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 39
PID 684 wrote to memory of 2096 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 39
PID 684 wrote to memory of 2096 684 {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe 39
PID 2860 wrote to memory of 840 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 40
PID 2860 wrote to memory of 840 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 40
PID 2860 wrote to memory of 840 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 40
PID 2860 wrote to memory of 840 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 40
PID 2860 wrote to memory of 1620 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 41
PID 2860 wrote to memory of 1620 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 41
PID 2860 wrote to memory of 1620 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 41
PID 2860 wrote to memory of 1620 2860 {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe 41
PID 840 wrote to memory of 872 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 42
PID 840 wrote to memory of 872 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 42
PID 840 wrote to memory of 872 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 42
PID 840 wrote to memory of 872 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 42
PID 840 wrote to memory of 2640 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 43
PID 840 wrote to memory of 2640 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 43
PID 840 wrote to memory of 2640 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 43
PID 840 wrote to memory of 2640 840 {5968B87B-5080-44c2-888C-687D0CAA5029}.exe 43
PID 872 wrote to memory of 2788 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 44
PID 872 wrote to memory of 2788 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 44
PID 872 wrote to memory of 2788 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 44
PID 872 wrote to memory of 2788 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 44
PID 872 wrote to memory of 2800 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 45
PID 872 wrote to memory of 2800 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 45
PID 872 wrote to memory of 2800 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 45
PID 872 wrote to memory of 2800 872 {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe 45
Processes
(process tree; N⤵ is the nesting depth, each entry is indented under its parent)

1⤵ C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
   PID: 2148
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe
     Command line: C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe
     PID: 3052
     - Modifies Installed Components in the registry
     - Executes dropped EXE
     - Drops file in Windows directory
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
       Command line: C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
       PID: 2568
       - Modifies Installed Components in the registry
       - Executes dropped EXE
       - Drops file in Windows directory
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
         Command line: C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
         PID: 1992
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5⤵ C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
           Command line: C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
           PID: 684
           - Modifies Installed Components in the registry
           - Executes dropped EXE
           - Drops file in Windows directory
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
             Command line: C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
             PID: 2860
             - Modifies Installed Components in the registry
             - Executes dropped EXE
             - Drops file in Windows directory
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            7⤵ C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe
               Command line: C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe
               PID: 840
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8⤵ C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
                 Command line: C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
                 PID: 872
                 - Modifies Installed Components in the registry
                 - Executes dropped EXE
                 - Drops file in Windows directory
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of WriteProcessMemory
                9⤵ C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
                   Command line: C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
                   PID: 2788
                   - Modifies Installed Components in the registry
                   - Executes dropped EXE
                   - Drops file in Windows directory
                   - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
                      Command line: C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
                      PID: 1240
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe
                        Command line: C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe
                        PID: 1464
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      12⤵ C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe
                          Command line: C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe
                          PID: 2112
                          - Executes dropped EXE
                      12⤵ C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C20C4~1.EXE > nul
                          PID: 824
                    11⤵ C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B781B~1.EXE > nul
                        PID: 2628
                  10⤵ C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FACE4~1.EXE > nul
                      PID: 1824
                9⤵ C:\Windows\SysWOW64\cmd.exe
                   Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA3E~1.EXE > nul
                   PID: 2800
              8⤵ C:\Windows\SysWOW64\cmd.exe
                 Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5968B~1.EXE > nul
                 PID: 2640
            7⤵ C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB23~1.EXE > nul
               PID: 1620
          6⤵ C:\Windows\SysWOW64\cmd.exe
             Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B1A~1.EXE > nul
             PID: 2096
        5⤵ C:\Windows\SysWOW64\cmd.exe
           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF0D~1.EXE > nul
           PID: 2812
      4⤵ C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E80E0~1.EXE > nul
         PID: 2092
    3⤵ C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul
       PID: 2552
  2⤵ C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
     PID: 2272
     - Deletes itself
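The rows above describe one linear chain: every stage drops exactly one successor into C:\Windows, registers that successor as an Active Setup stub (StubPath under the successor's own GUID key, written by the stage that dropped it), starts it, and then removes its own image through cmd.exe using the 8.3 short name rather than the long GUID name. The script below is an added example (not part of this report or of the sandbox's tooling) that reconstructs and cross-checks that chain from the report's own rows; the three row blocks are copied from the "Drops file in Windows directory", "Modifies Installed Components in the registry" and "Processes" sections, and the short-name helper is a simplified model of NTFS 8.3 naming (first six characters of the stem plus "~1", assumed collision free), which is this example's assumption, not something the sandbox reports.

```python
# Added example: reconstruct the dropper chain from the IoC rows of this report.
# The three row blocks are copied from the "Drops file in Windows directory",
# "Modifies Installed Components in the registry" and "Processes" sections
# (constructed input). short_name() is a simplified model of NTFS 8.3 naming
# (first 6 characters + "~1", assumed collision free): an assumption of this
# example, not something the sandbox reports.
import re

ACTIVE_SETUP = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
FILE_CREATED_ROWS = r"""
File created C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
File created C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
File created C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
File created C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
File created C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
File created C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
File created C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
File created C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
File created C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
File created C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
File created C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
"""
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}\stubpath = "C:\\Windows\\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe" {E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1}\stubpath = "C:\\Windows\\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe" {E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}\stubpath = "C:\\Windows\\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe" {9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}\stubpath = "C:\\Windows\\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe" {5968B87B-5080-44c2-888C-687D0CAA5029}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308}\stubpath = "C:\\Windows\\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe" {C20C4325-2996-4700-AEC3-821F53CEE382}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF}\stubpath = "C:\\Windows\\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe" {9D783760-B970-436c-83E5-2508D1D9E36B}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331}\stubpath = "C:\\Windows\\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe" {9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382}\stubpath = "C:\\Windows\\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe" {B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B}\stubpath = "C:\\Windows\\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe" 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029}\stubpath = "C:\\Windows\\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe" {AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}\stubpath = "C:\\Windows\\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe" {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
"""
DEL_COMMANDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Windows\{C20C4~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B781B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{FACE4~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA3E~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{5968B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB23~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B1A~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF0D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{E80E0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
"""
FILE_RE = re.compile(r"^File created (\S+) (\S+)$")
STUB_RE = re.compile(r'^Set value \(str\) (.+?)\\stubpath = "(.+?)" (\S+)$')
DEL_RE = re.compile(r"/c del (\S+) > nul$")


def parse_rows(text, regex):
    """Captured groups of every line the row regex matches."""
    return [m.groups() for line in text.strip().splitlines() if (m := regex.search(line.strip()))]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def short_name(path):
    """Simplified 8.3 name: first 6 legal stem characters, upper-cased, '~1', 3-char extension."""
    stem, _, ext = basename(path).rpartition(".")
    stem = "".join(c for c in stem if c not in " .+,;=[]").upper()
    return f"{stem[:6]}~1.{ext[:3].upper()}"


def build_chain(file_created, sample):
    """Follow creator -> created-file links from the submitted sample; refuse a non-linear chain."""
    by_creator = {}
    for created, creator in file_created:
        by_creator.setdefault(creator, []).append(created)
    chain = [sample]
    while (children := by_creator.get(basename(chain[-1]))):
        if len(children) != 1:
            raise ValueError(f"{basename(chain[-1])} dropped {len(children)} files")
        chain.append(children[0])
    return chain


def check_persistence(chain, stub_rows):
    """Per dropped stage: StubPath written under its own GUID key, by the stage that dropped it?"""
    stubs = {basename(v.replace("\\\\", "\\")): (key, writer) for key, v, writer in stub_rows}
    findings = []
    for parent, child in zip(chain, chain[1:]):
        guid = basename(child)[: -len(".exe")]
        key, writer = stubs.get(basename(child), (None, None))
        findings.append((basename(child), key == f"{ACTIVE_SETUP}\\{guid}" and writer == basename(parent)))
    return findings


def resolve_deletions(chain, del_rows):
    """Map each 'cmd /c del <8.3 name>' target back to the stage image it removes (None if unmatched)."""
    by_short = {short_name(p): p for p in chain}
    return [by_short.get(basename(target).upper()) for (target,) in del_rows]


if __name__ == "__main__":
    chain = build_chain(parse_rows(FILE_CREATED_ROWS, FILE_RE), SAMPLE)
    print("\n".join(f"stage {i:2d}: {p}" for i, p in enumerate(chain)))
    print("persistence:", check_persistence(chain, parse_rows(STUBPATH_ROWS, STUB_RE)))
    deleted = resolve_deletions(chain, parse_rows(DEL_COMMANDS, DEL_RE))
    print("never self-deleted:", [basename(p) for p in chain if p not in deleted])
```

Run against the rows above, the chain has twelve stages in the same order as the process tree, all eleven dropped stages have a consistent Active Setup StubPath written by their parent, and the eleven del commands resolve in reverse order to every stage except the last one, {96605775-AC2A-4368-BB05-B38F1B6E9308}.exe, which neither drops a successor nor deletes itself within this run. Two points worth carrying into detection logic: the self-deletion targets only ever appear as 8.3 short names, so a rule keyed on the long GUID file name will not match the del command line, and the StubPath registration happens under Wow6432Node because every stage here is a 32-bit process on an x64 image.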
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 408KB
MD5 a5411af724a5e4be182f3149716ff5c5
SHA1 f24612c1eb97f1f0543c16ff4e48e53649a7c52e
SHA256 aeedeb19e293ee0f7c3ae62bc33950b47738de939590cd8f434090fc3f5104c9
SHA512 5c4fcd1eeee7cc6bfe04c3adfe69a0707f2a7376bec73ce766414a2a0176a39a3dc0acc96ac3ab53462f567b603219063abf457028a643bfdad152af965ae9a5
-
Filesize 408KB
MD5 24b2a49d3a4e8315791b85d5916a0a16
SHA1 b1630e2fe86002eb07952fce33add4334d1c8359
SHA256 e21798e1eca4a0df775ae5e68a9290ba6c45a63f62f3d547b84bd8a9b2a50638
SHA512 de87bc496a6f4596c70a1b2be686a29ded4a11582cc9acb166e4ea34189c98eabb87c68f599c4c1fa3b3f65058a43807d6b8f9b414701aa34669b2b26761b5fc
-
Filesize 408KB
MD5 d32fd6dbc830e6e551d8e65545e725fb
SHA1 a740bae30157a11d94da31870d099083cdeddd2e
SHA256 ff222733f14727a891d7547df8181af53e9c1b9a4af2419a8f869c46df7cb4d9
SHA512 fbacdfc30573276f24247a2d90e6c83e6c883f551e3a073d01eb5e0f82f763de0b26a995e8c86f1b428574438e24c1f45d2d7ee69acac749803bafbcb0d6683e
-
Filesize 408KB
MD5 63393dc5f2d8462fed30e99a982145b9
SHA1 1ea90a41924e78400f9a812baf11c962d23abcad
SHA256 09018fcce6c99670d23f2dab37e7df97df099d1798194a748682ea21c95a8483
SHA512 1eb2bd904dd1666760a1402f5a999899981050cdc1be7ed38d75e6dabb803902a7d473f3cfb4a4d2d66b7c2ad8d17af355be4e7a9aa09be69d55ab26e737d836
-
Filesize 408KB
MD5 e4ad3f270657b214c7d89032e9f9852c
SHA1 049de04d0257b8fda57ed1ea2cf6de4032f7a6bb
SHA256 b9963407feb3f39fc92c26f05f866e6e12816ddedd3a214941a86ef96e0a24c6
SHA512 703cf6e511ea15cf7fafe8b194d08c9521b2217329fdd6ad436a39a7bb46279a4b7e0808aff270621956edf299b3ab602775f01a2d4f79809a1e6df26aa8fcec
-
Filesize 408KB
MD5 c3fb4cc8cdcadd622ab6e94d2aebb776
SHA1 d4a240951216d46fa281b8c72ea91e4cbc2fb7a6
SHA256 3096852ed8cfd3cea8b076e534cc19c7297b81f8ee99d97d773e325c207f75ed
SHA512 502d8ead7a1212e4f51c168fd2fc61fee4b564a22fe538c3657fb8e955a6df8752fd2a4941bbfb0671df86eeaedf538015dd978f4a04a751fcd504ba3f979820
-
Filesize 408KB
MD5 4beca00462435f975d09579144fde3d5
SHA1 0bd96603aeb6448c5b07804d0edc59ac88adb9af
SHA256 ff6663be3a55473abcbe7e44a5f38fa8c9fa40be9538da4c8589580538df4e7f
SHA512 fdf8a68949a422aaaf0cb220ee956dc4eec8343a2fa0331b39e0d9b2e7d9c512bc548c67dff1ad1046202ee0edefa3ce1053f350418aa8aec99bf4de1314ba53
-
Filesize 408KB
MD5 754d24c398a62e079e27eac9ee566eef
SHA1 06aebdea23c9b616cbbb86a0f11b83f100627867
SHA256 1610bc5cc5bb8b418e2a5542757cd870dce47c1e510d99ca69d9bd8654c8dadb
SHA512 38b0faf1d80f30e095b843ffde89b87f80b18f8fdbd17b51e84587f6c06f0d075495bf1aa8a0965252a17001fed78ada1921cf77c65ecf52d177b9cbbf8e11ad
-
Filesize 408KB
MD5 8ac47d31ea4ff4fbf83d61e6880cdde0
SHA1 5b3640a7ee8b2dcda35de24cfc9c6b740abd5352
SHA256 be9262ec02966d881aa897a907fba6adc58a79a2bea5607cc7bc41dc6c3a3d4c
SHA512 1326fe53ecf98b8bba721906e9a80373e63ff23cececabd2b2dc0cc0b36093a8df645096f99e0f2d89007a99817ce97d93ff420d838bcb80e108ce0983a44825
-
Filesize 408KB
MD5 b795287c559170a3c78b914a78446eb8
SHA1 ba94c6b5a62083f661de4f9380d92cb7b2efc42a
SHA256 5ebbb616b06d61d3a53fe3a8af49322319a28967c9fd23a590dea006497c87cf
SHA512 e573355a58f4537eb7e54a09edf29d469ffe16093bc9f47b91d3a7e627d7c524f4e16ee35fc301033c4c35bb0f08eb6e4b775fa819ed3f178ac901dc7072a48c
-
Filesize 408KB
MD5 49f60d68550465e426559cb2c5393c65
SHA1 09fd34158dabfd6b1955c452184577a642f467e9
SHA256 d637e59a73b98735644a614b2d3033088c9d48760c97e6dd706af35b7b2ea57b
SHA512 8bcdeb055a37e1ebfabb1bdcc4422c7dc147d4d3d4d965f1412b29dda8e07ae974c37c47e2d0b8f77a31672e288f55086c0137b0fcf89520afe649f3ca8dca38