Analysis

max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 13:33

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Resource: win10v2004-20231215-en
General

Target: 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Size: 204KB
MD5: 375dbfc59e996eb9752cdbd68645f0a0
SHA1: 0ed548a9c92a86c6e89beaefeb934ba842afe498
SHA256: 28ed2df07c6fed10c0db88198033703b8d23b987bbb0ec0c83e087b5ac875840
SHA512: 30088a8564b7440e55653b2b15047fdfdabea143fe6aa1d696d2efc19f8729d88defef90124c764479b8013842cfaa69441a14a78c84ef5baaa7369eb5d49fc5
SSDEEP: 1536:1EGh0oMl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oMl1OPOe2MUVg3Ve+rXfMUy
Malware Config

Signatures

Auto-generated rule (11 IoCs)

resource | yara_rule
behavioral1/files/0x000d000000012253-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012336-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014171-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012253-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01261DD-327E-4fa2-8449-5A52A8E69F38}\stubpath = "C:\\Windows\\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe" | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}\stubpath = "C:\\Windows\\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe" | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3048EB6-2C35-4daf-A628-8160CFCEE987} | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A366651-1280-4e5d-A8B2-5CA00566D18C}\stubpath = "C:\\Windows\\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe" | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1} | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F910C86-4864-4838-A08B-6974D02587EE} | {ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F910C86-4864-4838-A08B-6974D02587EE}\stubpath = "C:\\Windows\\{4F910C86-4864-4838-A08B-6974D02587EE}.exe" | {ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F17303-6864-42fe-8C50-2685E8C133E5} | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01261DD-327E-4fa2-8449-5A52A8E69F38} | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7} | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}\stubpath = "C:\\Windows\\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe" | {BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A366651-1280-4e5d-A8B2-5CA00566D18C} | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}\stubpath = "C:\\Windows\\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe" | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389} | {BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C5264E-B694-41e7-B83B-639A0752B0DF}\stubpath = "C:\\Windows\\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe" | {4F910C86-4864-4838-A08B-6974D02587EE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D} | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}\stubpath = "C:\\Windows\\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe" | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C5264E-B694-41e7-B83B-639A0752B0DF} | {4F910C86-4864-4838-A08B-6974D02587EE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC} | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3048EB6-2C35-4daf-A628-8160CFCEE987}\stubpath = "C:\\Windows\\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe" | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}\stubpath = "C:\\Windows\\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe" | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F17303-6864-42fe-8C50-2685E8C133E5}\stubpath = "C:\\Windows\\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe" | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
Deletes itself (1 IoC)

pid | Process
1796 | cmd.exe
Executes dropped EXE (11 IoCs)

pid | Process
2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe
1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
1572 | {BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
1268 | {ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
1300 | {4F910C86-4864-4838-A08B-6974D02587EE}.exe
568 | {D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe
Drops file in Windows directory (11 IoCs)

description | ioc | Process
File created | C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
File created | C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
File created | C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
File created | C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe
File created | C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe | {BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
File created | C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe | {ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
File created | C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe | {4F910C86-4864-4838-A08B-6974D02587EE}.exe
File created | C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
File created | C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
File created | C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
File created | C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
Token: SeIncBasePriorityPrivilege | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
Token: SeIncBasePriorityPrivilege | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
Token: SeIncBasePriorityPrivilege | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
Token: SeIncBasePriorityPrivilege | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe
Token: SeIncBasePriorityPrivilege | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
Token: SeIncBasePriorityPrivilege | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
Token: SeIncBasePriorityPrivilege | 1572 | {BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
Token: SeIncBasePriorityPrivilege | 1268 | {ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
Token: SeIncBasePriorityPrivilege | 1300 | {4F910C86-4864-4838-A08B-6974D02587EE}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2184 wrote to memory of 2076 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 28
PID 2184 wrote to memory of 2076 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 28
PID 2184 wrote to memory of 2076 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 28
PID 2184 wrote to memory of 2076 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 28
PID 2184 wrote to memory of 1796 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 29
PID 2184 wrote to memory of 1796 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 29
PID 2184 wrote to memory of 1796 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 29
PID 2184 wrote to memory of 1796 | 2184 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 29
PID 2076 wrote to memory of 2592 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 30
PID 2076 wrote to memory of 2592 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 30
PID 2076 wrote to memory of 2592 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 30
PID 2076 wrote to memory of 2592 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 30
PID 2076 wrote to memory of 2776 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 31
PID 2076 wrote to memory of 2776 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 31
PID 2076 wrote to memory of 2776 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 31
PID 2076 wrote to memory of 2776 | 2076 | {1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe | 31
PID 2592 wrote to memory of 2652 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 32
PID 2592 wrote to memory of 2652 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 32
PID 2592 wrote to memory of 2652 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 32
PID 2592 wrote to memory of 2652 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 32
PID 2592 wrote to memory of 2732 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 33
PID 2592 wrote to memory of 2732 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 33
PID 2592 wrote to memory of 2732 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 33
PID 2592 wrote to memory of 2732 | 2592 | {D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe | 33
PID 2652 wrote to memory of 2860 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 36
PID 2652 wrote to memory of 2860 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 36
PID 2652 wrote to memory of 2860 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 36
PID 2652 wrote to memory of 2860 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 36
PID 2652 wrote to memory of 2024 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 37
PID 2652 wrote to memory of 2024 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 37
PID 2652 wrote to memory of 2024 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 37
PID 2652 wrote to memory of 2024 | 2652 | {1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe | 37
PID 2860 wrote to memory of 2372 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 38
PID 2860 wrote to memory of 2372 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 38
PID 2860 wrote to memory of 2372 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 38
PID 2860 wrote to memory of 2372 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 38
PID 2860 wrote to memory of 2644 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 39
PID 2860 wrote to memory of 2644 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 39
PID 2860 wrote to memory of 2644 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 39
PID 2860 wrote to memory of 2644 | 2860 | {65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe | 39
PID 2372 wrote to memory of 1948 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 40
PID 2372 wrote to memory of 1948 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 40
PID 2372 wrote to memory of 1948 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 40
PID 2372 wrote to memory of 1948 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 40
PID 2372 wrote to memory of 2268 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 41
PID 2372 wrote to memory of 2268 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 41
PID 2372 wrote to memory of 2268 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 41
PID 2372 wrote to memory of 2268 | 2372 | {60F17303-6864-42fe-8C50-2685E8C133E5}.exe | 41
PID 1948 wrote to memory of 1908 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 42
PID 1948 wrote to memory of 1908 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 42
PID 1948 wrote to memory of 1908 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 42
PID 1948 wrote to memory of 1908 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 42
PID 1948 wrote to memory of 2308 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 43
PID 1948 wrote to memory of 2308 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 43
PID 1948 wrote to memory of 2308 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 43
PID 1948 wrote to memory of 2308 | 1948 | {A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe | 43
PID 1908 wrote to memory of 1572 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 44
PID 1908 wrote to memory of 1572 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 44
PID 1908 wrote to memory of 1572 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 44
PID 1908 wrote to memory of 1572 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 44
PID 1908 wrote to memory of 2296 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 45
PID 1908 wrote to memory of 2296 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 45
PID 1908 wrote to memory of 2296 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 45
PID 1908 wrote to memory of 2296 | 1908 | {87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe | 45
Processes

Process tree (the leading number is the nesting depth; each dropped executable spawns the next stage and a cmd.exe that deletes its parent's file):

1. C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"
   PID: 2184
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
      Command line: C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
      PID: 2076
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
         Command line: C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
         PID: 2592
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
            Command line: C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
            PID: 2652
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
               Command line: C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
               PID: 2860
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
                  Command line: C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
                  PID: 2372
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
                     Command line: C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
                     PID: 1948
                     - Modifies Installed Components in the registry
                     - Executes dropped EXE
                     - Drops file in Windows directory
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of WriteProcessMemory

                     8. C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
                        Command line: C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
                        PID: 1908
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory

                        9. C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
                           Command line: C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
                           PID: 1572
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken

                           10. C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
                               Command line: C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
                               PID: 1268
                               - Modifies Installed Components in the registry
                               - Executes dropped EXE
                               - Drops file in Windows directory
                               - Suspicious use of AdjustPrivilegeToken

                               11. C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe
                                   Command line: C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe
                                   PID: 1300
                                   - Modifies Installed Components in the registry
                                   - Executes dropped EXE
                                   - Drops file in Windows directory
                                   - Suspicious use of AdjustPrivilegeToken

                                   12. C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe
                                       Command line: C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe
                                       PID: 568
                                       - Executes dropped EXE

                                   12. C:\Windows\SysWOW64\cmd.exe
                                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4F910~1.EXE > nul
                                       PID: 1492

                               11. C:\Windows\SysWOW64\cmd.exe
                                   Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ADB91~1.EXE > nul
                                   PID: 2796

                           10. C:\Windows\SysWOW64\cmd.exe
                               Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BE19D~1.EXE > nul
                               PID: 1288

                        9. C:\Windows\SysWOW64\cmd.exe
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{87BB5~1.EXE > nul
                           PID: 2296

                     8. C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A0126~1.EXE > nul
                        PID: 2308

                  7. C:\Windows\SysWOW64\cmd.exe
                     Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{60F17~1.EXE > nul
                     PID: 2268

               6. C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{65FCD~1.EXE > nul
                  PID: 2644

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1A366~1.EXE > nul
               PID: 2024

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3048~1.EXE > nul
            PID: 2732

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1E887~1.EXE > nul
         PID: 2776

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 1796
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads