Analysis
max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 13:27

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Size: 204KB
MD5: 1116de28e782e197373277782dff7273
SHA1: f31cbededbc7ad1476d0e3e7642708139e64cc53
SHA256: 361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f
SHA512: e5ea98079f6e1066c24e16fa0489e1a4a0ba9f960006170cbbb841499112c68f895eb6e54766d9e6c280ecdfc35b1bf18e88935cb38d3e9ab774fd16252603ce
SSDEEP: 1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures

- Auto-generated rule (11 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000012257-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x000c00000001340b-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0031000000015d5e-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0032000000015d5e-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0033000000015d5e-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0031000000015d67-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0034000000015d5e-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0011000000015d6f-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0008000000015d8f-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit

- Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  Every key below lives under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\; that prefix is omitted from the ioc column.
  description | ioc | Process
  Key created | {862EBF15-8D0E-4761-B328-C9B1F4645300} | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  Key created | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9} | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
  Set value (str) | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}\stubpath = "C:\\Windows\\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe" | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
  Set value (str) | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}\stubpath = "C:\\Windows\\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe" | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
  Set value (str) | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850}\stubpath = "C:\\Windows\\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe" | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
  Key created | {7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA} | {80421C56-0D9E-4d14-932F-88989A4ED863}.exe
  Set value (str) | {862EBF15-8D0E-4761-B328-C9B1F4645300}\stubpath = "C:\\Windows\\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe" | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  Key created | {DFA902CC-6D5E-468c-82F9-2DDC746CC602} | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
  Set value (str) | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}\stubpath = "C:\\Windows\\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe" | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
  Key created | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A} | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
  Key created | {20FB547E-8C37-48a7-957B-2AE6E1FE0117} | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
  Key created | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771} | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
  Set value (str) | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}\stubpath = "C:\\Windows\\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe" | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
  Key created | {501F3A6D-3066-4d6e-81A7-0E14241EA057} | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
  Key created | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6} | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
  Key created | {80421C56-0D9E-4d14-932F-88989A4ED863} | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
  Set value (str) | {80421C56-0D9E-4d14-932F-88989A4ED863}\stubpath = "C:\\Windows\\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe" | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
  Set value (str) | {7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}\stubpath = "C:\\Windows\\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe" | {80421C56-0D9E-4d14-932F-88989A4ED863}.exe
  Set value (str) | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}\stubpath = "C:\\Windows\\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe" | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
  Set value (str) | {501F3A6D-3066-4d6e-81A7-0E14241EA057}\stubpath = "C:\\Windows\\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe" | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
  Set value (str) | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}\stubpath = "C:\\Windows\\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe" | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
  Key created | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850} | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe

- Deletes itself (1 IoC)
  pid | Process
  2524 | cmd.exe

- Executes dropped EXE (11 IoCs)
  pid | Process
  2520 | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
  2508 | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
  2612 | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
  1792 | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
  2700 | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
  1740 | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
  2196 | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
  976 | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
  2732 | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
  1944 | {80421C56-0D9E-4d14-932F-88989A4ED863}.exe
  832 | {7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe

- Drops file in Windows directory (11 IoCs)
  description | ioc | Process
  File created | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
  File created | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
  File created | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
  File created | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  File created | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
  File created | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
  File created | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
  File created | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
  File created | C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe | {80421C56-0D9E-4d14-932F-88989A4ED863}.exe
  File created | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
  File created | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe

- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 1612 | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  Token: SeIncBasePriorityPrivilege | 2520 | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
  Token: SeIncBasePriorityPrivilege | 2508 | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
  Token: SeIncBasePriorityPrivilege | 2612 | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
  Token: SeIncBasePriorityPrivilege | 1792 | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
  Token: SeIncBasePriorityPrivilege | 2700 | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
  Token: SeIncBasePriorityPrivilege | 1740 | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
  Token: SeIncBasePriorityPrivilege | 2196 | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
  Token: SeIncBasePriorityPrivilege | 976 | {9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
  Token: SeIncBasePriorityPrivilege | 2732 | {ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
  Token: SeIncBasePriorityPrivilege | 1944 | {80421C56-0D9E-4d14-932F-88989A4ED863}.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists each parent-to-child write four times; the 16 distinct writes are shown once each below (16 x 4 = 64 IoCs).
  description | pid | Process | procid_target
  PID 1612 wrote to memory of 2520 | 1612 | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | 28
  PID 1612 wrote to memory of 2524 | 1612 | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | 29
  PID 2520 wrote to memory of 2508 | 2520 | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | 30
  PID 2520 wrote to memory of 2492 | 2520 | {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | 31
  PID 2508 wrote to memory of 2612 | 2508 | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | 32
  PID 2508 wrote to memory of 2628 | 2508 | {DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | 33
  PID 2612 wrote to memory of 1792 | 2612 | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | 36
  PID 2612 wrote to memory of 2436 | 2612 | {D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | 37
  PID 1792 wrote to memory of 2700 | 1792 | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | 38
  PID 1792 wrote to memory of 1544 | 1792 | {501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | 39
  PID 2700 wrote to memory of 1740 | 2700 | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | 40
  PID 2700 wrote to memory of 1712 | 2700 | {D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | 41
  PID 1740 wrote to memory of 2196 | 1740 | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | 42
  PID 1740 wrote to memory of 2112 | 1740 | {20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | 43
  PID 2196 wrote to memory of 976 | 2196 | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | 44
  PID 2196 wrote to memory of 2120 | 2196 | {CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | 45
Processes
Each dropper stage writes the next stage to C:\Windows, launches it, and launches a cmd.exe that deletes the stage's own binary; the tree below nests every child under its parent, with the PID in parentheses.

- C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe (PID 1612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2524)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
  - C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe (PID 2520)
    Command line: C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2492)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{862EB~1.EXE > nul
    - C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe (PID 2508)
      Command line: C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2628)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA90~1.EXE > nul
      - C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe (PID 2612)
        Command line: C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2436)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D7310~1.EXE > nul
        - C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe (PID 1792)
          Command line: C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 1544)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{501F3~1.EXE > nul
          - C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe (PID 2700)
            Command line: C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe (PID 1712)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D8410~1.EXE > nul
            - C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe (PID 1740)
              Command line: C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\cmd.exe (PID 2112)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{20FB5~1.EXE > nul
              - C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe (PID 2196)
                Command line: C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\cmd.exe (PID 2120)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CC16B~1.EXE > nul
                - C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe (PID 976)
                  Command line: C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\SysWOW64\cmd.exe (PID 2412)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9A99B~1.EXE > nul
                  - C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe (PID 2732)
                    Command line: C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\SysWOW64\cmd.exe (PID 2224)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE0E~1.EXE > nul
                    - C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe (PID 1944)
                      Command line: C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\SysWOW64\cmd.exe (PID 1752)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{80421~1.EXE > nul
                      - C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe (PID 832)
                        Command line: C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe
                        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads