Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
04/04/2024, 13:34
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
-
Size
408KB
-
MD5
37f14fbc75ba06a427b0a6e6bbffa3d1
-
SHA1
c99c0798797da7dcb3bc89e8d096b51b4c334912
-
SHA256
0b0777db0ffd874117d99e8b6c058940f53a70c0368e7aa64219fc4ee584d285
-
SHA512
012b98d01a2743d78daa3722e8aa8db7c6ddebf887f257e640e5c48c75c060d78bbf96b66ae88aca34a56daa27d0627f66cb4c4637026717ee915a9a4b5ac13f
-
SSDEEP
3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGHldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000b00000001224c-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014c67-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014c67-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014c67-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014c67-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014c67-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B845A054-066B-49c9-8534-FA6692E64EC9} | {E62871A3-4B41-4119-A387-D24A9268E602}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD} | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}\stubpath = "C:\\Windows\\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe" | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA75B77-B029-429f-AEDB-98353ADD729C} | {70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13} | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7ACB97-9533-498a-AD12-C396408CD496} | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF} | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA75B77-B029-429f-AEDB-98353ADD729C}\stubpath = "C:\\Windows\\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe" | {70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}\stubpath = "C:\\Windows\\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe" | {EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E} | {E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}\stubpath = "C:\\Windows\\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe" | {E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}\stubpath = "C:\\Windows\\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe" | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921} | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62871A3-4B41-4119-A387-D24A9268E602} | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62871A3-4B41-4119-A387-D24A9268E602}\stubpath = "C:\\Windows\\{E62871A3-4B41-4119-A387-D24A9268E602}.exe" | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B845A054-066B-49c9-8534-FA6692E64EC9}\stubpath = "C:\\Windows\\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe" | {E62871A3-4B41-4119-A387-D24A9268E602}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7ACB97-9533-498a-AD12-C396408CD496}\stubpath = "C:\\Windows\\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe" | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}\stubpath = "C:\\Windows\\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe" | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB} | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13}\stubpath = "C:\\Windows\\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe" | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6} | {EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}\stubpath = "C:\\Windows\\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe" | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
-
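Every stage in this chain registers the next stage under Active Setup\Installed Components with a stubpath pointing at a GUID-named executable dropped straight into C:\Windows, so each stub is re-run at the next user logon. As an added example, not part of the sandbox report, the Python below parses the record layout used in the table above and flags Installed Components entries whose stubpath fits that pattern. The first three sample records are copied from this report; the fourth is a constructed, benign-looking entry with a hypothetical GUID, included only for contrast.

```python
"""Parse 'Modifies Installed Components in the registry' records from a sandbox
report and flag Active Setup stubs that are GUID-named executables dropped
directly into C:\\Windows. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Records 1-3 are copied from the report above; record 4 is constructed
# (hypothetical GUID, benign-looking stub) to show what does NOT get flagged.
SAMPLE_RECORDS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13} 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13}\stubpath = "C:\\Windows\\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe" 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}\stubpath = "C:\\Windows\\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe" {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\StubPath = "C:\\Windows\\System32\\ie4uinit.exe -UserConfig" setup.exe',
]

GUID = r'\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}'
ACTIVE_SETUP = (r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\'
                r'Active Setup\\Installed Components\\')
KEY_CREATED = re.compile(r'^Key created ' + ACTIVE_SETUP + r'(?P<guid>' + GUID + r') (?P<proc>\S+)$')
STUBPATH_SET = re.compile(r'^Set value \(str\) ' + ACTIVE_SETUP + r'(?P<guid>' + GUID + r')'
                          r'\\[Ss]tub[Pp]ath = "(?P<data>[^"]*)" (?P<proc>\S+)$')
# The pattern in this chain: the stub is a GUID-named .exe sitting directly in %SystemRoot%.
DROPPED_GUID_EXE = re.compile(r'^[A-Za-z]:\\Windows\\' + GUID + r'\.exe$', re.IGNORECASE)


@dataclass
class Component:
    guid: str
    created_by: Optional[str] = None       # process that created the key
    stubpath: Optional[str] = None         # normalised stubpath value
    stubpath_set_by: Optional[str] = None  # process that wrote stubpath

    @property
    def suspicious(self) -> bool:
        """True when the stub executable is a GUID-named .exe directly in C:\\Windows."""
        if self.stubpath is None:
            return False
        exe = self.stubpath.split(' ', 1)[0]   # drop any command-line arguments
        return DROPPED_GUID_EXE.match(exe) is not None


def parse_records(records: List[str]) -> Dict[str, Component]:
    """Group 'Key created' / 'Set value' records by component GUID."""
    comps: Dict[str, Component] = {}
    for rec in records:
        m = KEY_CREATED.match(rec)
        if m:
            comps.setdefault(m['guid'], Component(m['guid'])).created_by = m['proc']
            continue
        m = STUBPATH_SET.match(rec)
        if m:
            comp = comps.setdefault(m['guid'], Component(m['guid']))
            # The report renders the REG_SZ with doubled backslashes; collapse them.
            comp.stubpath = m['data'].replace('\\\\', '\\')
            comp.stubpath_set_by = m['proc']
    return comps


def suspicious_components(records: List[str]) -> List[str]:
    """GUIDs of Installed Components whose stub matches the dropped-exe pattern."""
    return sorted(g for g, c in parse_records(records).items() if c.suspicious)


def relay_edges(records: List[str]) -> List[Tuple[str, str]]:
    """(writer process, persisted stub) pairs: here each stage registers the *next* stage."""
    return [(c.stubpath_set_by, c.stubpath)
            for c in parse_records(records).values() if c.suspicious]


if __name__ == '__main__':
    for writer, stub in relay_edges(SAMPLE_RECORDS):
        print(f'{writer} registered Active Setup stub {stub}')
```

The same parser runs unchanged over the full 22-record table above; the pairs it returns line up with the Processes tree, with each stage persisting its successor rather than itself.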
Deletes itself 1 IoC
pid | Process
2628 | cmd.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2032 | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
2884 | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
2960 | {E62871A3-4B41-4119-A387-D24A9268E602}.exe
1520 | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe
1276 | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe
2112 | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
2656 | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
824 | {70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
1252 | {EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
2288 | {E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
1784 | {2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe | {EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
File created | C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
File created | C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
File created | C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe | {E62871A3-4B41-4119-A387-D24A9268E602}.exe
File created | C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe
File created | C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
File created | C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
File created | C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe
File created | C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
File created | C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe | {70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
File created | C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe | {E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3036 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2032 | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
Token: SeIncBasePriorityPrivilege | 2884 | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
Token: SeIncBasePriorityPrivilege | 2960 | {E62871A3-4B41-4119-A387-D24A9268E602}.exe
Token: SeIncBasePriorityPrivilege | 1520 | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe
Token: SeIncBasePriorityPrivilege | 1276 | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe
Token: SeIncBasePriorityPrivilege | 2112 | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
Token: SeIncBasePriorityPrivilege | 2656 | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
Token: SeIncBasePriorityPrivilege | 824 | {70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
Token: SeIncBasePriorityPrivilege | 1252 | {EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
Token: SeIncBasePriorityPrivilege | 2288 | {E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each write is logged four times; 16 distinct parent/child pairs make up the 64 records)
PID 3036 wrote to memory of 2032 | 3036 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 28
PID 3036 wrote to memory of 2628 | 3036 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 29
PID 2032 wrote to memory of 2884 | 2032 | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe | 30
PID 2032 wrote to memory of 2696 | 2032 | {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe | 31
PID 2884 wrote to memory of 2960 | 2884 | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe | 34
PID 2884 wrote to memory of 2176 | 2884 | {58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe | 35
PID 2960 wrote to memory of 1520 | 2960 | {E62871A3-4B41-4119-A387-D24A9268E602}.exe | 36
PID 2960 wrote to memory of 568 | 2960 | {E62871A3-4B41-4119-A387-D24A9268E602}.exe | 37
PID 1520 wrote to memory of 1276 | 1520 | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe | 38
PID 1520 wrote to memory of 2848 | 1520 | {B845A054-066B-49c9-8534-FA6692E64EC9}.exe | 39
PID 1276 wrote to memory of 2112 | 1276 | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe | 40
PID 1276 wrote to memory of 2744 | 1276 | {CE7ACB97-9533-498a-AD12-C396408CD496}.exe | 41
PID 2112 wrote to memory of 2656 | 2112 | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe | 42
PID 2112 wrote to memory of 2756 | 2112 | {B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe | 43
PID 2656 wrote to memory of 824 | 2656 | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe | 44
PID 2656 wrote to memory of 2812 | 2656 | {5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe | 45
Processes
(indentation shows the parent/child tree; depth is the level reported by the sandbox)
C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe (depth 1, PID 3036)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe (depth 2, PID 2032)
    command line: C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe (depth 3, PID 2884)
      command line: C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe (depth 4, PID 2960)
        command line: C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe (depth 5, PID 1520)
          command line: C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe (depth 6, PID 1276)
            command line: C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe (depth 7, PID 2112)
              command line: C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe (depth 8, PID 2656)
                command line: C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe (depth 9, PID 824)
                  command line: C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe (depth 10, PID 1252)
                    command line: C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe (depth 11, PID 2288)
                      command line: C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe (depth 12, PID 1784)
                        command line: C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe (depth 12, PID 2116)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E78CE~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (depth 11, PID 1908)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA75~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (depth 10, PID 1128)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{70A3E~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2812)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5B167~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2756)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D00~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2744)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CE7AC~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2848)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B845A~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 568)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E6287~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2176)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{58AE2~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2696)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF223~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2628)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
-
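The tree above is a relay: every stage drops the next {GUID}.exe into C:\Windows, starts it, and spawns cmd.exe /c del against its own image using the 8.3 short name ({AF223~1.EXE for {AF223F36-...}.exe, 2024-0~1.EXE for the submitted sample). As an added example, not part of the sandbox report, the Python below rebuilds that relay from the "wrote to memory" records and the command lines shown on this page and walks it until the first process that does not fit the drop/execute/self-delete pattern. The sample input is constructed from the report and trimmed to the first three stages. The short-name check is a deliberately simplified 8.3 heuristic (assumption: the short stem is the first six characters of the long stem followed by ~N; real 8.3 generation also strips some characters), which is enough for the names in this report.

```python
"""Reconstruct a drop -> execute -> self-delete relay from sandbox process records.
Added example, not part of the sandbox report; sample data is constructed from
the records on this page (first three stages only)."""
import re
from typing import Dict, List, Optional, Tuple

# pid -> (image path, command line); values copied from the Processes tree above.
PROCESSES: Dict[int, Tuple[str, str]] = {
    3036: (r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"'),
    2032: (r"C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe",
           r"C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe"),
    2628: (r"C:\Windows\SysWOW64\cmd.exe",
           r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    2884: (r"C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe",
           r"C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe"),
    2696: (r"C:\Windows\SysWOW64\cmd.exe",
           r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AF223~1.EXE > nul"),
}

# 'Suspicious use of WriteProcessMemory' records; the sandbox logs each write
# several times, so duplicates are included here on purpose.
WRITE_RECORDS = r"""
PID 3036 wrote to memory of 2032 3036 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe 28
PID 3036 wrote to memory of 2032 3036 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe 28
PID 3036 wrote to memory of 2628 3036 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe 29
PID 2032 wrote to memory of 2884 2032 {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe 30
PID 2032 wrote to memory of 2884 2032 {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe 30
PID 2032 wrote to memory of 2696 2032 {AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe 31
"""

WRITE_RE = re.compile(r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<image>\S+) \d+$')
DEL_RE = re.compile(r'/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$', re.IGNORECASE)


def parse_write_edges(text: str) -> Dict[int, List[int]]:
    """parent pid -> ordered, de-duplicated list of child pids it wrote into."""
    edges: Dict[int, List[int]] = {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m['parent']), int(m['child'])
        kids = edges.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return edges


def self_delete_target(cmdline: str) -> Optional[str]:
    """Path named in a 'cmd.exe /c del <path> > nul' command line, else None."""
    m = DEL_RE.search(cmdline)
    return m['target'] if m else None


def short_name_matches(long_path: str, short_path: str) -> bool:
    """Simplified 8.3 check (assumption): same directory, short stem == first six
    characters of the long stem plus '~N', extension EXE."""
    ldir, _, lname = long_path.rpartition('\\')
    sdir, _, sname = short_path.rpartition('\\')
    if ldir.lower() != sdir.lower():
        return False
    lstem = lname.rsplit('.', 1)[0]
    sstem, _, sext = sname.rpartition('.')
    if '~' not in sstem or sext.upper() != 'EXE':
        return False
    prefix = sstem.split('~', 1)[0]
    return len(prefix) <= 6 and lstem.upper().startswith(prefix.upper())


def is_relay_stage(pid: int, procs: Dict[int, Tuple[str, str]],
                   edges: Dict[int, List[int]]) -> Optional[Tuple[int, int]]:
    """(next_stage_pid, cleaner_pid) if `pid` spawned exactly one non-cmd child
    and one cmd.exe that deletes pid's own image; otherwise None."""
    image = procs[pid][0]
    kids = edges.get(pid, [])
    next_stage = cleaner = None
    for child in kids:
        cimage, ccmd = procs[child]
        target = self_delete_target(ccmd)
        if cimage.lower().endswith('\\cmd.exe'):
            if target and short_name_matches(image, target):
                cleaner = child
        else:
            next_stage = child
    if len(kids) != 2 or next_stage is None or cleaner is None:
        return None
    return next_stage, cleaner


def relay_chain(root: int, procs: Dict[int, Tuple[str, str]],
                edges: Dict[int, List[int]]) -> List[int]:
    """Follow the relay from `root` stage to stage; stops at the first process
    that does not fit the pattern (or at a cycle)."""
    chain, seen = [root], {root}
    while True:
        step = is_relay_stage(chain[-1], procs, edges)
        if step is None or step[0] in seen:
            return chain
        chain.append(step[0])
        seen.add(step[0])


if __name__ == '__main__':
    for pid in relay_chain(3036, PROCESSES, parse_write_edges(WRITE_RECORDS)):
        print(pid, PROCESSES[pid][0])
```

On the full report the same walk runs from PID 3036 through all eleven dropped stages to {2C205BB7-...}.exe (PID 1784), which is the only dropped executable with no recorded children.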
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 408KB
  MD5 64b5cb59a5ab022eb7a31f133e7c5639
  SHA1 bfd9e2377434f93f30401a6ba9fcf139d774b35c
  SHA256 ef66ed80fd3593a828456ea25053be6c9576057513c0edb3081018de04d6d14e
  SHA512 1d6946ccd7f7ac96a5559e3df6947b229fe50e1fc89a966fd575a09e440c3d11267347eeffc121de38a45a258fdebbd2c2215fbb1f27e8a28973483c1e91eeb2
- Filesize 408KB
  MD5 df6d198f0371a49ae9609085f1291d31
  SHA1 fafb82545d8e03093adb55789a34c7b675778d2f
  SHA256 0a8bda7d501c4ea2897790daca60d1f7f92db74f7679679c954a43e0fa8499b4
  SHA512 3fb4a4ba18375900bb860edb972cde9dc34c7241a36ca1fc3ee181aab49d77e54d6f9ef29a342bf1093c53a3978bfa49369116ee870cbddaab91a4b9bd426c62
- Filesize 408KB
  MD5 549eb82483622ce523a936a44bdbb3c7
  SHA1 17e492ed0c4fffbe5380d4289f287ecd3b0c0ac1
  SHA256 81f9f8235ee8491e9646df217b29bd66ad9ce8ee6e5d330498d593e4ea814ed2
  SHA512 c8df51a747676d73641e76224ca1fe114e757b1b57dff14bf4f7f5720c702c19ff0d05e7c2989574806939a790b347ae1cff096a1a59d4bfce5f0427c9fd16d9
- Filesize 408KB
  MD5 fd24fe43f08278ab608912090903e8a5
  SHA1 bccaf567a8eda59ec49e9afe7a878e3556190981
  SHA256 395d8e133184d7e982a1597938d49385d1107d32fe646339eb39bb634873e368
  SHA512 1f9a298a0a052fecb96a192c374f744ea571ccdc176251998ec00b3a1caa6719c0bc3b5f6e69e6b57f3d7d3527cdbdd7b07d13c7c57ca92ef36c7c50a3a61ef4
- Filesize 408KB
  MD5 0d9c906f4439bbcfeacf1c8bb08218f9
  SHA1 cee9409622ba76d42cccb3501bec66fc9cf26a93
  SHA256 6896fea704b9eaa6d2f6465c14a29f17589f7304900075b523821c3e33ae7a50
  SHA512 6f36c27e61031f889b3f03ef4af724c30fc3a4f73f8a97647d7eb91df9639c1002b44544937de5df6c8ba2629e5c5e7c1772a0f34c55bce6ea0d756c7a5c6215
- Filesize 408KB
  MD5 0bfcf77dc8ffb76d1ab46afc929ceaa5
  SHA1 1f41a3ddf16ca5a26af7825680df89e8b31ba105
  SHA256 ddba66bee3ef076703679c5715eeff60ff62f6956e608387598befdf68610847
  SHA512 e2770cad68cfb70b64df9908de017b0583068ab8f1e1be6286a788d3d778630963be7ee1f0ea76d0034027128a852c4a7c82f8f6066fc1aa1636cd64275bdcf0
- Filesize 408KB
  MD5 0a43bb9710db25a320d9b9cf090ed9f3
  SHA1 972242682a43302561669fb8fba7c9dafc6c1118
  SHA256 789300252398d6485978bcdd8b53238de3d16955e09aac236c49d69091c2fdba
  SHA512 03db8011b3dcdcb1cd0db70f3c81c0fa97b8fe22f68ee6106102c5276450e1ad7eba7d4c65e26657a200c98ca52f975a3644a85930e8c2d09fac95295d557251
- Filesize 408KB
  MD5 7896a7db0afd39b71ef3d06e35e1396e
  SHA1 188fbb2243b55bd84629a8bb35ef6b77a4137164
  SHA256 e65699ad2828ff019d4ad2cdf763e7764c2ae5dc2a002bde0ae18f06df011f33
  SHA512 e3a1e2c2a7755f8a0cb5a08264788e82426d9c31e7969ec600bd33f2cbd89dbd04826fd16edcb8ccb5a6a4aa3c5ec0c6e99f0df1e53b357ad7d51226a49e22c3
- Filesize 408KB
  MD5 4da37b754cd22f1dcc14716eeef6dd2a
  SHA1 b478e10b9c256667b6d746e0ada03092ae8961b6
  SHA256 7132656997c9490f24a1b53a0ad468c13ea2bf1aaa4aa7811fff28f5b3733d40
  SHA512 b5fb4e4c1d70432ac743a496eff5c068ac7a871af2eb6cc4b28f1d3680727b8c644cf238e34031486ce6d4bb5a620be52c70c037d58c111a6d1660bd7e6061fb
- Filesize 408KB
  MD5 d408dd2c36569776c03b0d392c453d9d
  SHA1 d65a8c1be858271b328c1dc918d229295d07f639
  SHA256 e54180b557030be6b7890055a2386b21452e67c24128f85bd5e15f19ec5b21e2
  SHA512 b863a33b1fd775717830cf2e1927c54e874ac1700ea094c3b6935d761b14232b31f0ad1c464b2258bc5447753e50cbe68471f0cd2493b249523a4b6202a218ad
- Filesize 408KB
  MD5 298091adbd6370d37db33656afe1b89c
  SHA1 9d969551f51dded49e86c4391eef935dd1c5a4a9
  SHA256 d5e91ac7b5f4eb091e7624faefaa5a646ae34e14d962c7423bf55725bbe8257c
  SHA512 9c745b822aa465823c7273034b5a61bd19ce8df71bd26a3ae9a8511268fcdc509e9d9a178241646f147c87047032575a1141ccac757707dc3b700380fd47a12f