Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 13:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
- Size: 204KB
- MD5: 14f5b92fdb38838cf5a78fa932e15e9e
- SHA1: c3337c6cdb30205cc2af4e2d63a50fba1ab65a80
- SHA256: 9ae334582da93f547d84f738b8d96fdae5999d61459a2c8a1b7213aff0c7466a
- SHA512: ab99fbcaaa0e3966e0e1c6d2ef6c1fefad08ef18a330e1f815d0b3629f07ec097c53a29131e59f72ba6fc9e9ed0b94f57adf725f98bcef7754e6a4dfa062681a
- SSDEEP: 1536:1EGh0osLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (11 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000c0000000122f0-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000b0000000149f5-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000d0000000122f0-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0009000000015018-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0006000000005a59-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000e0000000122f0-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0007000000005a59-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000f0000000122f0-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0008000000005a59-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x00100000000122f0-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0009000000005a59-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

All keys in the ioc column are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\

| description | ioc | Process |
|---|---|---|
| Key created | {F7F1EB66-49DC-41bb-BA92-754531032856} | {A06D913A-E5F3-463c-B330-539A520C6954}.exe |
| Set value (str) | {F7F1EB66-49DC-41bb-BA92-754531032856}\stubpath = "C:\\Windows\\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe" | {A06D913A-E5F3-463c-B330-539A520C6954}.exe |
| Key created | {9DD1C78B-9C26-4228-97A7-16181126C540} | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe |
| Key created | {C5283680-C069-4aa6-820B-083E4D49A75F} | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe |
| Key created | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8} | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe |
| Key created | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54} | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe |
| Set value (str) | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}\stubpath = "C:\\Windows\\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe" | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe |
| Key created | {A06D913A-E5F3-463c-B330-539A520C6954} | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe |
| Key created | {514AF039-3A2F-489a-BD5F-25A5325A5A2B} | {F7F1EB66-49DC-41bb-BA92-754531032856}.exe |
| Key created | {2792A540-FCE4-4693-AE0F-03BBA61C58BD} | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe |
| Set value (str) | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}\stubpath = "C:\\Windows\\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe" | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe |
| Set value (str) | {9DD1C78B-9C26-4228-97A7-16181126C540}\stubpath = "C:\\Windows\\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe" | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe |
| Set value (str) | {C5283680-C069-4aa6-820B-083E4D49A75F}\stubpath = "C:\\Windows\\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe" | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe |
| Key created | {0B260884-9373-4cff-912A-0A4DB2E6FB12} | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe |
| Set value (str) | {46A07A74-5686-4710-911D-FF1F65E315C2}\stubpath = "C:\\Windows\\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe" | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe |
| Set value (str) | {A06D913A-E5F3-463c-B330-539A520C6954}\stubpath = "C:\\Windows\\{A06D913A-E5F3-463c-B330-539A520C6954}.exe" | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe |
| Set value (str) | {15763438-CB9B-4ca9-91AB-2A2BF718BEE3}\stubpath = "C:\\Windows\\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe" | {514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe |
| Key created | {15763438-CB9B-4ca9-91AB-2A2BF718BEE3} | {514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe |
| Set value (str) | {0B260884-9373-4cff-912A-0A4DB2E6FB12}\stubpath = "C:\\Windows\\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe" | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe |
| Key created | {46A07A74-5686-4710-911D-FF1F65E315C2} | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe |
| Set value (str) | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}\stubpath = "C:\\Windows\\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe" | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe |
| Set value (str) | {514AF039-3A2F-489a-BD5F-25A5325A5A2B}\stubpath = "C:\\Windows\\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe" | {F7F1EB66-49DC-41bb-BA92-754531032856}.exe |
Deletes itself (1 IoC)

| pid | Process |
|---|---|
| 1956 | cmd.exe |
Executes dropped EXE (11 IoCs)

| pid | Process |
|---|---|
| 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe |
| 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe |
| 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe |
| 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe |
| 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe |
| 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe |
| 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe |
| 1456 | {A06D913A-E5F3-463c-B330-539A520C6954}.exe |
| 3028 | {F7F1EB66-49DC-41bb-BA92-754531032856}.exe |
| 1864 | {514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe |
| 2436 | {15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{A06D913A-E5F3-463c-B330-539A520C6954}.exe | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe |
| File created | C:\Windows\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe | {F7F1EB66-49DC-41bb-BA92-754531032856}.exe |
| File created | C:\Windows\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe |
| File created | C:\Windows\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe |
| File created | C:\Windows\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe |
| File created | C:\Windows\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe |
| File created | C:\Windows\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe |
| File created | C:\Windows\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe |
| File created | C:\Windows\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe |
| File created | C:\Windows\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe | {A06D913A-E5F3-463c-B330-539A520C6954}.exe |
| File created | C:\Windows\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe | {514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe |
| Token: SeIncBasePriorityPrivilege | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe |
| Token: SeIncBasePriorityPrivilege | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe |
| Token: SeIncBasePriorityPrivilege | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe |
| Token: SeIncBasePriorityPrivilege | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe |
| Token: SeIncBasePriorityPrivilege | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe |
| Token: SeIncBasePriorityPrivilege | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe |
| Token: SeIncBasePriorityPrivilege | 1456 | {A06D913A-E5F3-463c-B330-539A520C6954}.exe |
| Token: SeIncBasePriorityPrivilege | 3028 | {F7F1EB66-49DC-41bb-BA92-754531032856}.exe |
| Token: SeIncBasePriorityPrivilege | 1864 | {514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 824 wrote to memory of 2340 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 28 |
| PID 824 wrote to memory of 2340 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 28 |
| PID 824 wrote to memory of 2340 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 28 |
| PID 824 wrote to memory of 2340 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 28 |
| PID 824 wrote to memory of 1956 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 29 |
| PID 824 wrote to memory of 1956 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 29 |
| PID 824 wrote to memory of 1956 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 29 |
| PID 824 wrote to memory of 1956 | 824 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 29 |
| PID 2340 wrote to memory of 2596 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 30 |
| PID 2340 wrote to memory of 2596 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 30 |
| PID 2340 wrote to memory of 2596 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 30 |
| PID 2340 wrote to memory of 2596 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 30 |
| PID 2340 wrote to memory of 2660 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 31 |
| PID 2340 wrote to memory of 2660 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 31 |
| PID 2340 wrote to memory of 2660 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 31 |
| PID 2340 wrote to memory of 2660 | 2340 | {2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe | 31 |
| PID 2596 wrote to memory of 2460 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 32 |
| PID 2596 wrote to memory of 2460 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 32 |
| PID 2596 wrote to memory of 2460 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 32 |
| PID 2596 wrote to memory of 2460 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 32 |
| PID 2596 wrote to memory of 2892 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 33 |
| PID 2596 wrote to memory of 2892 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 33 |
| PID 2596 wrote to memory of 2892 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 33 |
| PID 2596 wrote to memory of 2892 | 2596 | {0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe | 33 |
| PID 2460 wrote to memory of 2524 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 36 |
| PID 2460 wrote to memory of 2524 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 36 |
| PID 2460 wrote to memory of 2524 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 36 |
| PID 2460 wrote to memory of 2524 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 36 |
| PID 2460 wrote to memory of 2824 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 37 |
| PID 2460 wrote to memory of 2824 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 37 |
| PID 2460 wrote to memory of 2824 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 37 |
| PID 2460 wrote to memory of 2824 | 2460 | {9DD1C78B-9C26-4228-97A7-16181126C540}.exe | 37 |
| PID 2524 wrote to memory of 2168 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 38 |
| PID 2524 wrote to memory of 2168 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 38 |
| PID 2524 wrote to memory of 2168 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 38 |
| PID 2524 wrote to memory of 2168 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 38 |
| PID 2524 wrote to memory of 2520 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 39 |
| PID 2524 wrote to memory of 2520 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 39 |
| PID 2524 wrote to memory of 2520 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 39 |
| PID 2524 wrote to memory of 2520 | 2524 | {46A07A74-5686-4710-911D-FF1F65E315C2}.exe | 39 |
| PID 2168 wrote to memory of 1980 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 40 |
| PID 2168 wrote to memory of 1980 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 40 |
| PID 2168 wrote to memory of 1980 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 40 |
| PID 2168 wrote to memory of 1980 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 40 |
| PID 2168 wrote to memory of 2816 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 41 |
| PID 2168 wrote to memory of 2816 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 41 |
| PID 2168 wrote to memory of 2816 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 41 |
| PID 2168 wrote to memory of 2816 | 2168 | {C5283680-C069-4aa6-820B-083E4D49A75F}.exe | 41 |
| PID 1980 wrote to memory of 2776 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 42 |
| PID 1980 wrote to memory of 2776 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 42 |
| PID 1980 wrote to memory of 2776 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 42 |
| PID 1980 wrote to memory of 2776 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 42 |
| PID 1980 wrote to memory of 2864 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 43 |
| PID 1980 wrote to memory of 2864 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 43 |
| PID 1980 wrote to memory of 2864 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 43 |
| PID 1980 wrote to memory of 2864 | 1980 | {3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe | 43 |
| PID 2776 wrote to memory of 1456 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 44 |
| PID 2776 wrote to memory of 1456 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 44 |
| PID 2776 wrote to memory of 1456 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 44 |
| PID 2776 wrote to memory of 1456 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 44 |
| PID 2776 wrote to memory of 1524 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 45 |
| PID 2776 wrote to memory of 1524 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 45 |
| PID 2776 wrote to memory of 1524 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 45 |
| PID 2776 wrote to memory of 1524 | 2776 | {FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe | 45 |
Processes

Process tree (each entry: PID and depth, image path, command line, signatures; children are indented under their parent).

- PID 824, depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 2340, depth 2: C:\Windows\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe
    Command line: C:\Windows\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 2596, depth 3: C:\Windows\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe
      Command line: C:\Windows\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 2460, depth 4: C:\Windows\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe
        Command line: C:\Windows\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - PID 2524, depth 5: C:\Windows\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe
          Command line: C:\Windows\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - PID 2168, depth 6: C:\Windows\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe
            Command line: C:\Windows\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - PID 1980, depth 7: C:\Windows\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe
              Command line: C:\Windows\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - PID 2776, depth 8: C:\Windows\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe
                Command line: C:\Windows\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - PID 1456, depth 9: C:\Windows\{A06D913A-E5F3-463c-B330-539A520C6954}.exe
                  Command line: C:\Windows\{A06D913A-E5F3-463c-B330-539A520C6954}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - PID 3028, depth 10: C:\Windows\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe
                    Command line: C:\Windows\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - PID 1864, depth 11: C:\Windows\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe
                      Command line: C:\Windows\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - PID 2436, depth 12: C:\Windows\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe
                        Command line: C:\Windows\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe
                        Signatures: Executes dropped EXE
                      - PID 1892, depth 12: C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{514AF~1.EXE > nul
                    - PID 600, depth 11: C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F1E~1.EXE > nul
                  - PID 1124, depth 10: C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A06D9~1.EXE > nul
                - PID 1524, depth 9: C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6FA~1.EXE > nul
              - PID 2864, depth 8: C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3D5F0~1.EXE > nul
            - PID 2816, depth 7: C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C5283~1.EXE > nul
          - PID 2520, depth 6: C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46A07~1.EXE > nul
        - PID 2824, depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD1C~1.EXE > nul
      - PID 2892, depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0B260~1.EXE > nul
    - PID 2660, depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2792A~1.EXE > nul
  - PID 1956, depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads