Analysis

max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 13:44

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
Resource: win10v2004-20240226-en

General

Target: 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
Size: 197KB
MD5: 7e4c99c818180036023dab47835f27d5
SHA1: eb83e14dd03416dfbf2a9673c829a82db13b10ca
SHA256: f385068e29ea8c135ebf911095d024add3bd99ec7f8b1f08c3d2450d5fedce12
SHA512: a264ec7d8b216bf04651730e5dd1d724df0b6632f98ac63d66058a11ea104ca46087e7fd096b571ee652e4b80b592a4618a95cfab9836f2e59ba1d5b043d0373
SSDEEP: 3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGhlEeKcAEca

Malware Config

Signatures
- Auto-generated rule (11 IoCs)

resource | yara_rule
behavioral1/files/0x000b000000014e3d-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c0000000155d4-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d0000000155d4-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001560a-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001560a-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015a2d-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C35EDF54-5D37-460c-9B8F-58D319EA6F44} | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FBE356-A744-444d-BCB1-6FEFE77A701B}\stubpath = "C:\\Windows\\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe" | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C442D40B-7220-4553-A823-ED93437E1D41} | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F} | {C442D40B-7220-4553-A823-ED93437E1D41}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D3FD3C-111A-4b85-89DD-D67E134983F2} | {B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E300877D-D93D-4e77-B156-5E49969C8E76} | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{262F8A0B-7128-4828-8DC7-5DF5567BBD41} | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C442D40B-7220-4553-A823-ED93437E1D41}\stubpath = "C:\\Windows\\{C442D40B-7220-4553-A823-ED93437E1D41}.exe" | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CFB945-8234-44ee-BA70-5EBC526040B8} | {352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CFB945-8234-44ee-BA70-5EBC526040B8}\stubpath = "C:\\Windows\\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe" | {352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}\stubpath = "C:\\Windows\\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe" | {C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FBE356-A744-444d-BCB1-6FEFE77A701B} | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}\stubpath = "C:\\Windows\\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe" | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A62A17-FF0D-438b-9491-BA81613D2C39} | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A62A17-FF0D-438b-9491-BA81613D2C39}\stubpath = "C:\\Windows\\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe" | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{031CA2D6-BEF1-47d3-9E83-E3037945ED04} | {C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}\stubpath = "C:\\Windows\\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe" | {B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}\stubpath = "C:\\Windows\\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe" | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E300877D-D93D-4e77-B156-5E49969C8E76}\stubpath = "C:\\Windows\\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe" | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B076488-F558-4997-8C1B-4144F2EFA30D} | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B076488-F558-4997-8C1B-4144F2EFA30D}\stubpath = "C:\\Windows\\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe" | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}\stubpath = "C:\\Windows\\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe" | {C442D40B-7220-4553-A823-ED93437E1D41}.exe
- Deletes itself (1 IoC)

pid | Process
2616 | cmd.exe
- Executes dropped EXE (11 IoCs)

pid | Process
3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe
576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe
2752 | {352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
1656 | {B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
2860 | {C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
2076 | {031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe
- Drops file in Windows directory (11 IoCs)

description | ioc | Process
File created | C:\Windows\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
File created | C:\Windows\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
File created | C:\Windows\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe | {352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
File created | C:\Windows\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
File created | C:\Windows\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
File created | C:\Windows\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
File created | C:\Windows\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe | {B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
File created | C:\Windows\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe | {C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
File created | C:\Windows\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe
File created | C:\Windows\{C442D40B-7220-4553-A823-ED93437E1D41}.exe | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
File created | C:\Windows\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe | {C442D40B-7220-4553-A823-ED93437E1D41}.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
Token: SeIncBasePriorityPrivilege | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
Token: SeIncBasePriorityPrivilege | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe
Token: SeIncBasePriorityPrivilege | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
Token: SeIncBasePriorityPrivilege | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
Token: SeIncBasePriorityPrivilege | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
Token: SeIncBasePriorityPrivilege | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe
Token: SeIncBasePriorityPrivilege | 2752 | {352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
Token: SeIncBasePriorityPrivilege | 2860 | {C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
- Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1284 wrote to memory of 3024 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 28
PID 1284 wrote to memory of 3024 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 28
PID 1284 wrote to memory of 3024 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 28
PID 1284 wrote to memory of 3024 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 28
PID 1284 wrote to memory of 2616 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 29
PID 1284 wrote to memory of 2616 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 29
PID 1284 wrote to memory of 2616 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 29
PID 1284 wrote to memory of 2616 | 1284 | 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe | 29
PID 3024 wrote to memory of 2680 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 31
PID 3024 wrote to memory of 2680 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 31
PID 3024 wrote to memory of 2680 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 31
PID 3024 wrote to memory of 2680 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 31
PID 3024 wrote to memory of 2664 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 32
PID 3024 wrote to memory of 2664 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 32
PID 3024 wrote to memory of 2664 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 32
PID 3024 wrote to memory of 2664 | 3024 | {C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe | 32
PID 2680 wrote to memory of 2944 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 34
PID 2680 wrote to memory of 2944 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 34
PID 2680 wrote to memory of 2944 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 34
PID 2680 wrote to memory of 2944 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 34
PID 2680 wrote to memory of 2932 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 35
PID 2680 wrote to memory of 2932 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 35
PID 2680 wrote to memory of 2932 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 35
PID 2680 wrote to memory of 2932 | 2680 | {74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe | 35
PID 2944 wrote to memory of 576 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 36
PID 2944 wrote to memory of 576 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 36
PID 2944 wrote to memory of 576 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 36
PID 2944 wrote to memory of 576 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 36
PID 2944 wrote to memory of 1604 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 37
PID 2944 wrote to memory of 1604 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 37
PID 2944 wrote to memory of 1604 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 37
PID 2944 wrote to memory of 1604 | 2944 | {E300877D-D93D-4e77-B156-5E49969C8E76}.exe | 37
PID 576 wrote to memory of 2760 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 38
PID 576 wrote to memory of 2760 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 38
PID 576 wrote to memory of 2760 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 38
PID 576 wrote to memory of 2760 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 38
PID 576 wrote to memory of 2800 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 39
PID 576 wrote to memory of 2800 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 39
PID 576 wrote to memory of 2800 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 39
PID 576 wrote to memory of 2800 | 576 | {262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe | 39
PID 2760 wrote to memory of 2144 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 40
PID 2760 wrote to memory of 2144 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 40
PID 2760 wrote to memory of 2144 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 40
PID 2760 wrote to memory of 2144 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 40
PID 2760 wrote to memory of 1048 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 41
PID 2760 wrote to memory of 1048 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 41
PID 2760 wrote to memory of 1048 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 41
PID 2760 wrote to memory of 1048 | 2760 | {D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe | 41
PID 2144 wrote to memory of 812 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 42
PID 2144 wrote to memory of 812 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 42
PID 2144 wrote to memory of 812 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 42
PID 2144 wrote to memory of 812 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 42
PID 2144 wrote to memory of 1988 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 43
PID 2144 wrote to memory of 1988 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 43
PID 2144 wrote to memory of 1988 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 43
PID 2144 wrote to memory of 1988 | 2144 | {6B076488-F558-4997-8C1B-4144F2EFA30D}.exe | 43
PID 812 wrote to memory of 2752 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 44
PID 812 wrote to memory of 2752 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 44
PID 812 wrote to memory of 2752 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 44
PID 812 wrote to memory of 2752 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 44
PID 812 wrote to memory of 2600 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 45
PID 812 wrote to memory of 2600 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 45
PID 812 wrote to memory of 2600 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 45
PID 812 wrote to memory of 2600 | 812 | {C442D40B-7220-4553-A823-ED93437E1D41}.exe | 45
Processes

Each process is shown with its image path, command line, PID and the signatures it triggered; indentation gives the parent/child nesting (level 1 is the submitted sample).

- C:\Users\Admin\AppData\Local\Temp\2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe"
  PID: 1284
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
    Command line: C:\Windows\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
    PID: 3024
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
      Command line: C:\Windows\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
      PID: 2680
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe
        Command line: C:\Windows\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe
        PID: 2944
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
          Command line: C:\Windows\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
          PID: 576
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
            Command line: C:\Windows\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
            PID: 2760
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
              Command line: C:\Windows\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
              PID: 2144
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{C442D40B-7220-4553-A823-ED93437E1D41}.exe
                Command line: C:\Windows\{C442D40B-7220-4553-A823-ED93437E1D41}.exe
                PID: 812
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
                  Command line: C:\Windows\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
                  PID: 2752
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
                    Command line: C:\Windows\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
                    PID: 1656
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
                      Command line: C:\Windows\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
                      PID: 2860
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe
                        Command line: C:\Windows\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe
                        PID: 2076
                        Signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D3F~1.EXE > nul
                        PID: 652
                    - C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CFB~1.EXE > nul
                      PID: 2316
                  - C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{352FB~1.EXE > nul
                    PID: 1784
                - C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C442D~1.EXE > nul
                  PID: 2600
              - C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6B076~1.EXE > nul
                PID: 1988
            - C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A62~1.EXE > nul
              PID: 1048
          - C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{262F8~1.EXE > nul
            PID: 2800
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E3008~1.EXE > nul
          PID: 1604
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{74FBE~1.EXE > nul
        PID: 2932
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C35ED~1.EXE > nul
      PID: 2664
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2616
    Signatures: Deletes itself
Downloads