Analysis
- max time kernel: 144s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 02/03/2024, 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
  Resource: win10v2004-20240226-en
General
- Target: 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
- Size: 344KB
- MD5: 02df46e8c5329e63f5ec9bf636f35022
- SHA1: 39c38efbaf16218991bc24267b70355f90731b9a
- SHA256: 81a487f5327b4005b040996fbcdc64b9d9e70023f47d3bfcf57f93d762a55a47
- SHA512: 6e1211682b49f5de51952eb5f0545b80a33210e32b0ad1dd09f88d2ad0c3d45d88fe9b5e287a09dedc9cf1e33f96a9c89e1d90f96344e83415b9e76e4ce45cb2
- SSDEEP: 3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x00070000000122cd-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000144e4-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122cd-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122cd-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122cd-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122cd-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}\stubpath = "C:\\Windows\\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe" | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D8197D-251E-40d7-AF3B-8F0782EF9870} | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}\stubpath = "C:\\Windows\\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe" | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}\stubpath = "C:\\Windows\\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe" | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B027FFF6-2ACD-48cd-8A62-C295D915022E} | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFF02C56-7136-4c0c-917C-5D2983F7746D}\stubpath = "C:\\Windows\\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe" | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F570F08C-9E71-4362-BCC1-A5B9761F6285} | {F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEDB4307-1DDE-45b2-9B8E-8311924F767B} | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D} | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B027FFF6-2ACD-48cd-8A62-C295D915022E}\stubpath = "C:\\Windows\\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe" | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8} | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}\stubpath = "C:\\Windows\\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe" | {FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}\stubpath = "C:\\Windows\\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe" | {FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F570F08C-9E71-4362-BCC1-A5B9761F6285}\stubpath = "C:\\Windows\\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe" | {F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA15A97A-1836-453e-9D75-FF0425E25087} | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}\stubpath = "C:\\Windows\\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe" | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4} | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}\stubpath = "C:\\Windows\\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe" | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFF02C56-7136-4c0c-917C-5D2983F7746D} | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACC182A-310B-4d08-BBFA-690EDBAA01DA} | {FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8EB0A63-238A-4f14-9C36-E062A27D36ED} | {FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA15A97A-1836-453e-9D75-FF0425E25087}\stubpath = "C:\\Windows\\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe" | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
Deletes itself 1 IoCs
pid | Process
2044 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe
2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
2832 | {FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
2248 | {FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
2420 | {F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
2864 | {F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
File created | C:\Windows\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
File created | C:\Windows\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe | {FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
File created | C:\Windows\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
File created | C:\Windows\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
File created | C:\Windows\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe
File created | C:\Windows\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe | {FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
File created | C:\Windows\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe | {F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
File created | C:\Windows\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
File created | C:\Windows\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
File created | C:\Windows\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
Token: SeIncBasePriorityPrivilege | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe
Token: SeIncBasePriorityPrivilege | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
Token: SeIncBasePriorityPrivilege | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
Token: SeIncBasePriorityPrivilege | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
Token: SeIncBasePriorityPrivilege | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
Token: SeIncBasePriorityPrivilege | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
Token: SeIncBasePriorityPrivilege | 2832 | {FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
Token: SeIncBasePriorityPrivilege | 2248 | {FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
Token: SeIncBasePriorityPrivilege | 2420 | {F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2104 wrote to memory of 2308 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 28
PID 2104 wrote to memory of 2308 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 28
PID 2104 wrote to memory of 2308 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 28
PID 2104 wrote to memory of 2308 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 28
PID 2104 wrote to memory of 2044 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 29
PID 2104 wrote to memory of 2044 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 29
PID 2104 wrote to memory of 2044 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 29
PID 2104 wrote to memory of 2044 | 2104 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 29
PID 2308 wrote to memory of 2664 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 30
PID 2308 wrote to memory of 2664 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 30
PID 2308 wrote to memory of 2664 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 30
PID 2308 wrote to memory of 2664 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 30
PID 2308 wrote to memory of 2596 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 31
PID 2308 wrote to memory of 2596 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 31
PID 2308 wrote to memory of 2596 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 31
PID 2308 wrote to memory of 2596 | 2308 | {BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe | 31
PID 2664 wrote to memory of 2732 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 32
PID 2664 wrote to memory of 2732 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 32
PID 2664 wrote to memory of 2732 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 32
PID 2664 wrote to memory of 2732 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 32
PID 2664 wrote to memory of 2616 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 33
PID 2664 wrote to memory of 2616 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 33
PID 2664 wrote to memory of 2616 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 33
PID 2664 wrote to memory of 2616 | 2664 | {FA15A97A-1836-453e-9D75-FF0425E25087}.exe | 33
PID 2732 wrote to memory of 2480 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 36
PID 2732 wrote to memory of 2480 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 36
PID 2732 wrote to memory of 2480 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 36
PID 2732 wrote to memory of 2480 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 36
PID 2732 wrote to memory of 2316 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 37
PID 2732 wrote to memory of 2316 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 37
PID 2732 wrote to memory of 2316 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 37
PID 2732 wrote to memory of 2316 | 2732 | {A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe | 37
PID 2480 wrote to memory of 2988 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 38
PID 2480 wrote to memory of 2988 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 38
PID 2480 wrote to memory of 2988 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 38
PID 2480 wrote to memory of 2988 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 38
PID 2480 wrote to memory of 2984 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 39
PID 2480 wrote to memory of 2984 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 39
PID 2480 wrote to memory of 2984 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 39
PID 2480 wrote to memory of 2984 | 2480 | {E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe | 39
PID 2988 wrote to memory of 2424 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 40
PID 2988 wrote to memory of 2424 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 40
PID 2988 wrote to memory of 2424 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 40
PID 2988 wrote to memory of 2424 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 40
PID 2988 wrote to memory of 1556 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 41
PID 2988 wrote to memory of 1556 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 41
PID 2988 wrote to memory of 1556 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 41
PID 2988 wrote to memory of 1556 | 2988 | {69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe | 41
PID 2424 wrote to memory of 2712 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 42
PID 2424 wrote to memory of 2712 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 42
PID 2424 wrote to memory of 2712 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 42
PID 2424 wrote to memory of 2712 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 42
PID 2424 wrote to memory of 2700 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 43
PID 2424 wrote to memory of 2700 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 43
PID 2424 wrote to memory of 2700 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 43
PID 2424 wrote to memory of 2700 | 2424 | {B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe | 43
PID 2712 wrote to memory of 2832 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 44
PID 2712 wrote to memory of 2832 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 44
PID 2712 wrote to memory of 2832 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 44
PID 2712 wrote to memory of 2832 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 44
PID 2712 wrote to memory of 1336 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 45
PID 2712 wrote to memory of 1336 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 45
PID 2712 wrote to memory of 1336 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 45
PID 2712 wrote to memory of 1336 | 2712 | {A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe | 45
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2104
  [2] C:\Windows\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
      Command line: C:\Windows\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2308
    [3] C:\Windows\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe
        Command line: C:\Windows\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2664
      [4] C:\Windows\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
          Command line: C:\Windows\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2732
        [5] C:\Windows\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
            Command line: C:\Windows\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2480
          [6] C:\Windows\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
              Command line: C:\Windows\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2988
            [7] C:\Windows\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
                Command line: C:\Windows\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2424
              [8] C:\Windows\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
                  Command line: C:\Windows\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 2712
                [9] C:\Windows\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
                    Command line: C:\Windows\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 2832
                  [10] C:\Windows\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
                      Command line: C:\Windows\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 2248
                    [11] C:\Windows\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
                        Command line: C:\Windows\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2420
                      [12] C:\Windows\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe
                          Command line: C:\Windows\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe
                          - Executes dropped EXE
                          PID: 2864
                      [12] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F8EB0~1.EXE > nul
                          PID: 1636
                    [11] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FACC1~1.EXE > nul
                        PID: 1820
                  [10] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF02~1.EXE > nul
                      PID: 1276
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A3DB7~1.EXE > nul
                    PID: 1336
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B027F~1.EXE > nul
                  PID: 2700
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{69A2C~1.EXE > nul
                PID: 1556
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D81~1.EXE > nul
              PID: 2984
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A15A0~1.EXE > nul
            PID: 2316
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FA15A~1.EXE > nul
          PID: 2616
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDB4~1.EXE > nul
        PID: 2596
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
      PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 344KB
  MD5: 1a69e022b9262facd6dafe4b5a59ea43
  SHA1: aef71ee94c763836499dba6d38e1c8c79d98e704
  SHA256: 50cd0eea2bbeaaa8cf61c48a7256002590e079f049c8200a163a4e694410c0bc
  SHA512: 620ba11f8bb74046395f2400774da5864acb5d3d04828e3e7f4515f76f665e98326ca3342a5e10f23759ae5e8d288105463c3b3541f50855805c7168c33db042
- Filesize: 344KB
  MD5: fad26117e8c2d660d8fcc32be983e06a
  SHA1: 26f6128d7b6a0c840f8976dc5a066efc398b9622
  SHA256: 2407b9f4e4210da0755041e5a871a87f9f36940593d7880b208dc1162aa37d71
  SHA512: 298dd86c73247824b53a286d938d9c4319b36f28e43d589271902753ce78def663ea19d9357bd2fb6b91af361c78e75e30731ae5ddf40c2c4e887877893b0402
- Filesize: 344KB
  MD5: 39582d3a589b7a6f80313232464b056b
  SHA1: 4c347d2f66f52a4876666010e4bddf86784ba8ed
  SHA256: 4b475286f2d7ffc3fe45a35d0ba009bb486bed88d39ac153857bb287afe41648
  SHA512: 3e2f56b9fa04af5edf44e1989eddabea83094cfffb0a26b45ae0f822d22e41f5fb81be735e5076d96908fb84bf5659f5b44535abe9312376e18f81f759dfdd0e
- Filesize: 344KB
  MD5: 370f1599a85d086ecbb3f6a28c469539
  SHA1: 1d186dec0c8a4f0c309d31ec5f7aec2b2393d4f1
  SHA256: d473681c7da0a5585edc55651e309b8196b113e4c8b7612e0e10b8e6f002f062
  SHA512: e9ca1ab0b882259e4bacbb724323f7a8bc971784c4f851897d1d61faa047c095c25404cf6f53962f23801201e49981ad670f61d5d4bc20eb30001c0c4acf008a
- Filesize: 344KB
  MD5: 4edd5fff43c0a4e9e7f1bc9c63b90b11
  SHA1: a1785f0eae2ff6e235b1af5750c4227e99fb8f9a
  SHA256: 0e44ce803dbb27202ecdc2414294b7bc7617a900b74f8274661f3d5c710d4988
  SHA512: 1a7cefc3f4d281c1359b26d3ea1e6caf9d9eff158d1323342af934299c227989a6ad265001f79910e84f37076d4609d1f4dee28024d4fc0443749be2e1d0a812
- Filesize: 344KB
  MD5: 440f9ba14dce5b8614d6a05d25e9dda9
  SHA1: e7ccb3c3cb394c25917ea61eb99361f3fabeb770
  SHA256: c6bc88516f0aab5cbed7202ad57974574e4288cbaf829d5cc688eaa98e636b77
  SHA512: 047b39d462d67364dde819a3c3f4711e6157aa75a309e5b00dc50135e4305782f586d6735c0948da0cbbd9e99a4b94db33d200886236381477355e638cb10d4b
- Filesize: 344KB
  MD5: b3167267f67232d331187aee53a2341a
  SHA1: a9d4bca99451e1c382eb2f613fcbe6324edbc1fa
  SHA256: f8479845705603c3213e9be3d843fd74c1aa9a2eaf82b42a91bcfd67da124402
  SHA512: a73ad55c1b191e9393f8d0c2f1ee7c9217f50f04f9e68a15f625c48fa4ab7454c649bd6f915763456332c960db428239f411d2703b3cd09759ff80af4e11b3f8
- Filesize: 344KB
  MD5: 25f43251e8d5ba4b18f7df77e460a18e
  SHA1: 9a6a2d0d4116298fe1a7b2854ecdaf9933d4ccc6
  SHA256: c9bee3b88774b0c94283ac8fabfb87dff424354c2c000e318140e635a2011fc2
  SHA512: 10d9e147298424f9275b378b0194178cb9d83e8a4ae48f3bfdb48fc73ea47f4fb1e7c3b05c284122f3cc8350815fec073d2269223c05b2af64d26d13a2e6d882
- Filesize: 344KB
  MD5: ff57b42fac1d06e59916c1f3977f203f
  SHA1: ce19ab7b0a3fdc24e34b0dd66ab2bbabef864024
  SHA256: b8a353b10df0f0475415220813d6ddfa0d436c9696a0909cdb0f90ff44686f41
  SHA512: c08f3462c14578bbc8af75b7f70ff7330276e6bbb8589c63d9b81144add622c34a80c368ff17d6025c2d92de96c0a5609e024ffa77a4402ae7ffb1781577676c
- Filesize: 344KB
  MD5: ad8196d01fa438699d676000eeea256a
  SHA1: 7d30349d09b0cf4b11960656ecee05f56f7a5c25
  SHA256: 5811b9685336a68ee8cb984abc51e495a335a708b19877ea39b5ad9afc1420c9
  SHA512: b0996dd0da7e0fe339f1c7437bc7ed5669f9d88691d341056f99df20fd706d5a44a4cbb01b383e3b65773ab028d4ccbcf70bb76e80a2651c03e1e5785d8edd2c
- Filesize: 344KB
  MD5: 268b585eead4b1aa6c702981baa8d048
  SHA1: 2822874260679c515eefa10b2a14fbaf1ca448d6
  SHA256: 33e28632d500bbd61132da6a49d73d44516950e7738eb7350ac361f77591dd67
  SHA512: 36597e702d7719e583fbce92d85746dcaeecbdb6304dfd2f139ba9a48874cbacd5975cb46297e60a7539bc4347359e9fe5c894083c16b9ecde0c458a1a3030b0