Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 04/04/2024, 13:32
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Resource: win10v2004-20240226-en
All signatures, files and processes shown below come from behavioral1 (the Windows 7 x64 run); no behavioral2 results appear on this page.
General
Target: 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Size: 204KB
MD5: 221640e16ccbe316d47a545bce65c559
SHA1: 64c89a18baebfc0d26f7d03b3598ec9e14ab9ed1
SHA256: c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4
SHA512: afe12282d65791f3e2fdafcbe3d47758e1e38a82f7987e7bebbb649d554ec8971506b75a2d09ad2f9eda45304f51260867a75aeb40928384acc3462fd0c130ad
SSDEEP: 1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy
Malware Config

Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012254-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015c81-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
All 11 files written during the run hit the same dropper rule as the submitted sample. They are the same size as the sample (204KB, see Downloads) but each carries a distinct hash, so the rule, not a file hash, is the reusable indicator here.
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
Rows are grouped per stage in drop order (the report lists them unordered). <AS> stands for the key prefix \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components.
description | ioc | Process
Key created | <AS>\{162DBF6A-5FD1-451a-9F81-A271776D4B81} | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Set value (str) | <AS>\{162DBF6A-5FD1-451a-9F81-A271776D4B81}\stubpath = "C:\\Windows\\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe" | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Key created | <AS>\{A799C4C5-4489-4df5-93E1-39190D179CF6} | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
Set value (str) | <AS>\{A799C4C5-4489-4df5-93E1-39190D179CF6}\stubpath = "C:\\Windows\\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe" | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
Key created | <AS>\{98513519-C272-42e7-B62C-90F87F3C5FE8} | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
Set value (str) | <AS>\{98513519-C272-42e7-B62C-90F87F3C5FE8}\stubpath = "C:\\Windows\\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe" | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
Key created | <AS>\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0} | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
Set value (str) | <AS>\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}\stubpath = "C:\\Windows\\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe" | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
Key created | <AS>\{F95024C6-9E6B-4d77-82F0-DD8612330837} | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
Set value (str) | <AS>\{F95024C6-9E6B-4d77-82F0-DD8612330837}\stubpath = "C:\\Windows\\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe" | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
Key created | <AS>\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714} | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
Set value (str) | <AS>\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}\stubpath = "C:\\Windows\\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe" | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
Key created | <AS>\{08886010-0683-4569-B5CA-86122B334181} | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
Set value (str) | <AS>\{08886010-0683-4569-B5CA-86122B334181}\stubpath = "C:\\Windows\\{08886010-0683-4569-B5CA-86122B334181}.exe" | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
Key created | <AS>\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011} | {08886010-0683-4569-B5CA-86122B334181}.exe
Set value (str) | <AS>\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}\stubpath = "C:\\Windows\\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe" | {08886010-0683-4569-B5CA-86122B334181}.exe
Key created | <AS>\{79C0D496-1469-4659-B710-674F9255570E} | {32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
Set value (str) | <AS>\{79C0D496-1469-4659-B710-674F9255570E}\stubpath = "C:\\Windows\\{79C0D496-1469-4659-B710-674F9255570E}.exe" | {32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
Key created | <AS>\{188038A5-8A7E-4505-B9AF-0CCCE258D05B} | {79C0D496-1469-4659-B710-674F9255570E}.exe
Set value (str) | <AS>\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}\stubpath = "C:\\Windows\\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe" | {79C0D496-1469-4659-B710-674F9255570E}.exe
Key created | <AS>\{B26B4F89-0F00-4cd8-9A6A-2225105FC474} | {188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
Set value (str) | <AS>\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}\stubpath = "C:\\Windows\\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe" | {188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
What this means: Active Setup runs the StubPath command of each HKLM Installed Components\{GUID} entry once per user at the next interactive logon, whenever the user's HKCU copy of that GUID is missing. Each stage therefore registers the binary it just dropped as a logon-time launch before executing it. The keys land under Wow6432Node because the writer is a 32-bit process on the x64 image (the cmd.exe instances below likewise run from SysWOW64). In this trace every stage deletes its own file after launching the next one, so by the end of the run most of these StubPath values point at files that no longer exist; only the last stage, C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe, is not deleted within the recorded run.
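A detection rule for the pattern in that table, written for this page as an added example (it is not sandbox code and not part of the report). It replays the report's own registry events plus one constructed benign-looking entry (hypothetical GUID, vendor folder and installer name) and flags StubPath values whose target is a GUID-named executable, sits directly in C:\Windows, lives in a user-writable location, or was written by a process that is itself GUID-named. The user-writable check goes beyond what this sample does; it is included because the same persistence key is abused with drops under AppData as well.

```python
import re

# Registry writes transcribed from the report's "Modifies Installed Components" table, plus one
# constructed benign-looking entry (hypothetical GUID, vendor path and installer name; not from
# the report) so the rule has something it must not flag.
SAMPLE = "2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
AS = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
EVENTS = [  # (operation, key, data, image name of the writing process)
    ("Key created", AS + r"\{162DBF6A-5FD1-451a-9F81-A271776D4B81}", "", SAMPLE),
    ("Set value (str)", AS + r"\{162DBF6A-5FD1-451a-9F81-A271776D4B81}\stubpath",
     r'"C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe"', SAMPLE),
    ("Set value (str)", AS + r"\{A799C4C5-4489-4df5-93E1-39190D179CF6}\stubpath",
     r'"C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe"',
     "{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe"),
    ("Set value (str)",  # constructed benign entry (hypothetical GUID and paths)
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
     r"\{A1B2C3D4-0000-4000-8000-000000000001}\StubPath",
     r'"C:\Program Files\ExampleApp\setup.exe" /configure', "setup.exe"),
]

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
# Native and WOW64 (Wow6432Node) views of the Active Setup key, with an optional value name
ACTIVE_SETUP_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup\\"
    r"Installed Components\\(?P<guid>" + GUID + r")(?:\\(?P<value>[^\\]+))?$", re.I)
GUID_EXE = re.compile("^" + GUID + r"\.exe$", re.I)
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


def stub_target(data):
    """Executable path from a StubPath value: the quoted token, or the first whitespace token."""
    data = data.replace("\\\\", "\\").strip()  # the report renders backslashes doubled
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def active_setup_findings(event):
    """Reasons a single registry write looks like Active Setup abuse ([] = not flagged).
    Only StubPath writes are judged; creating the {GUID} key alone carries no payload."""
    op, key, data, proc = event
    m = ACTIVE_SETUP_KEY.match(key)
    if not m or (m["value"] or "").lower() != "stubpath" or not op.startswith("Set value"):
        return []
    target = stub_target(data)
    folder, _, name = target.rpartition("\\")
    lowered = folder.lower() + "\\"
    reasons = []
    if GUID_EXE.match(name):
        reasons.append("StubPath runs a GUID-named executable")
    if folder.lower() == r"c:\windows":
        reasons.append("StubPath target sits directly in C:\\Windows rather than a vendor folder")
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("StubPath target lives in a user-writable location")
    if GUID_EXE.match(proc):
        reasons.append("written by a process that is itself GUID-named")
    return reasons


def scan(events):
    """Flagged Active Setup GUIDs -> StubPath target, writer and reasons."""
    hits = {}
    for ev in events:
        reasons = active_setup_findings(ev)
        if reasons:
            guid = ACTIVE_SETUP_KEY.match(ev[1])["guid"]
            hits[guid] = {"target": stub_target(ev[2]), "writer": ev[3], "reasons": reasons}
    return hits


if __name__ == "__main__":
    for guid, hit in scan(EVENTS).items():
        print(guid, hit["target"], "<-", hit["writer"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Run against the report's events, the two StubPath writes are flagged (the first on two grounds, the second on three because its writer is the GUID-named first stage) and the constructed installer entry is not. Feed the same tuples from Sysmon event 13 or a sandbox's registry trace to reuse it.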
Deletes itself (1 IoC)
pid | Process
2568 | cmd.exe
The signature fires only on the cmd.exe that removes the submitted sample. The process tree shows ten more cmd.exe instances doing the same for each dropped stage; they are not counted here.
Executes dropped EXE (11 IoCs)
pid | Process
2464 | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
2968 | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
2616 | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
440 | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
2856 | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
2652 | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
2636 | {08886010-0683-4569-B5CA-86122B334181}.exe
2692 | {32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
1136 | {79C0D496-1469-4659-B710-674F9255570E}.exe
1872 | {188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
2316 | {B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe
Drops file in Windows directory (11 IoCs)
Listed in drop order (the report lists them unordered); each file is written by the stage immediately before it.
description | ioc | Process
File created | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
File created | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
File created | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
File created | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
File created | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
File created | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
File created | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
File created | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | {08886010-0683-4569-B5CA-86122B334181}.exe
File created | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | {32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
File created | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | {79C0D496-1469-4659-B710-674F9255570E}.exe
File created | C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe | {188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2632 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2464 | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
Token: SeIncBasePriorityPrivilege | 2968 | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
Token: SeIncBasePriorityPrivilege | 2616 | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
Token: SeIncBasePriorityPrivilege | 440 | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
Token: SeIncBasePriorityPrivilege | 2856 | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
Token: SeIncBasePriorityPrivilege | 2652 | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
Token: SeIncBasePriorityPrivilege | 2636 | {08886010-0683-4569-B5CA-86122B334181}.exe
Token: SeIncBasePriorityPrivilege | 2692 | {32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
Token: SeIncBasePriorityPrivilege | 1136 | {79C0D496-1469-4659-B710-674F9255570E}.exe
Token: SeIncBasePriorityPrivilege | 1872 | {188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
The sample and the first ten stages each enable SeIncBasePriorityPrivilege; the last stage (PID 2316) does not appear here, consistent with it never spawning a further stage in the recorded run.
Suspicious use of WriteProcessMemory (64 IoCs)
The original output repeats every parent/child pair four times, so the 64 entries cover 16 pairs. The table stops at 64 entries, which is why the stages from PID 2692 onward are absent here even though the process tree shows them spawning children. Each parent writes into exactly two children: the next stage binary and a cmd.exe.
pid | target pid | Process | procid_target | occurrences
2632 | 2464 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 28 | 4
2632 | 2568 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 29 | 4
2464 | 2968 | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | 30 | 4
2464 | 2080 | {162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | 31 | 4
2968 | 2616 | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | 34 | 4
2968 | 2880 | {A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | 35 | 4
2616 | 440 | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | 36 | 4
2616 | 1464 | {98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | 37 | 4
440 | 2856 | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | 38 | 4
440 | 3040 | {EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | 39 | 4
2856 | 2652 | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | 40 | 4
2856 | 844 | {F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | 41 | 4
2652 | 2636 | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | 42 | 4
2652 | 1928 | {66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | 43 | 4
2636 | 2692 | {08886010-0683-4569-B5CA-86122B334181}.exe | 44 | 4
2636 | 2704 | {08886010-0683-4569-B5CA-86122B334181}.exe | 45 | 4
Processes
Rebuilt from the original tree; the number in parentheses is the nesting depth the report assigned. Every stage spawns two children: the next stage binary and a cmd.exe that deletes the stage's own file. For the stage binaries the recorded command line is the bare image path.

(1) C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe, PID 2632
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
    signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (2): C:\Windows\SysWOW64\cmd.exe, PID 2568, command line C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul, signature: Deletes itself
    child (2): C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe, PID 2464 (next stage)

(2) C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe, PID 2464
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (3): C:\Windows\SysWOW64\cmd.exe, PID 2080, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{162DB~1.EXE > nul
    child (3): C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe, PID 2968 (next stage)

(3) C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe, PID 2968
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (4): C:\Windows\SysWOW64\cmd.exe, PID 2880, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{A799C~1.EXE > nul
    child (4): C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe, PID 2616 (next stage)

(4) C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe, PID 2616
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (5): C:\Windows\SysWOW64\cmd.exe, PID 1464, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{98513~1.EXE > nul
    child (5): C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe, PID 440 (next stage)

(5) C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe, PID 440
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (6): C:\Windows\SysWOW64\cmd.exe, PID 3040, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{EECFA~1.EXE > nul
    child (6): C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe, PID 2856 (next stage)

(6) C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe, PID 2856
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (7): C:\Windows\SysWOW64\cmd.exe, PID 844, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{F9502~1.EXE > nul
    child (7): C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe, PID 2652 (next stage)

(7) C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe, PID 2652
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (8): C:\Windows\SysWOW64\cmd.exe, PID 1928, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{66BA1~1.EXE > nul
    child (8): C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe, PID 2636 (next stage)

(8) C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe, PID 2636
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child (9): C:\Windows\SysWOW64\cmd.exe, PID 2704, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{08886~1.EXE > nul
    child (9): C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe, PID 2692 (next stage)

(9) C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe, PID 2692
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    child (10): C:\Windows\SysWOW64\cmd.exe, PID 2136, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{32EF9~1.EXE > nul
    child (10): C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe, PID 1136 (next stage)

(10) C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe, PID 1136
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    child (11): C:\Windows\SysWOW64\cmd.exe, PID 2812, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{79C0D~1.EXE > nul
    child (11): C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe, PID 1872 (next stage)

(11) C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe, PID 1872
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    child (12): C:\Windows\SysWOW64\cmd.exe, PID 1884, command line C:\Windows\system32\cmd.exe /c del C:\Windows\{18803~1.EXE > nul
    child (12): C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe, PID 2316 (next stage)

(12) C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe, PID 2316
    signatures: Executes dropped EXE
    no children recorded

Two details matter for detection. First, the cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: WOW64 file-system redirection, so the sample and every stage are 32-bit processes on this x64 host (which is also why the registry keys above sit under Wow6432Node). Second, the del targets are 8.3 short names ({162DB~1.EXE, 2024-0~1.EXE), so a command-line rule that looks for the full GUID file name will never see these deletions; match on the del ... ~1.EXE > nul shape or resolve the short name against the parent process's image.
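An added worked example (written for this page, not code from the sandbox or the report) that turns the tables above into two checks a responder would want: it rebuilds the drop chain from the "File created" events in the report's own unordered listing, and it resolves each cmd.exe del target from its 8.3 short name back to the long GUID file name to confirm that every stage deletes itself. All inputs are transcribed from this report; the short-name expansion assumes the default NTFS tilde scheme (first six characters of the stem plus ~N), which is an assumption rather than something the report states.

```python
import re
from collections import defaultdict

# Transcribed from the report: the "Drops file in Windows directory" table (creator -> created),
# the process tree (pid -> image) and the cmd.exe command lines.
SAMPLE = "2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
NAME = {g[1:9]: g for g in (
    "{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe", "{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe",
    "{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe", "{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe",
    "{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe", "{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe",
    "{08886010-0683-4569-B5CA-86122B334181}.exe", "{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe",
    "{79C0D496-1469-4659-B710-674F9255570E}.exe", "{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe",
    "{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe")}
NAME["sample"] = SAMPLE
# "File created" events as (created file, creating process), in the order the report lists them
FILE_CREATED = [(NAME[c], NAME[w]) for c, w in (
    ("188038A5", "79C0D496"), ("B26B4F89", "188038A5"), ("162DBF6A", "sample"),
    ("A799C4C5", "162DBF6A"), ("98513519", "A799C4C5"), ("66BA10C6", "F95024C6"),
    ("79C0D496", "32EF9236"), ("EECFA159", "98513519"), ("F95024C6", "EECFA159"),
    ("08886010", "66BA10C6"), ("32EF9236", "08886010"))]
# pid -> image for the dropper chain, and (cmd.exe pid, parent pid, command line) per cmd.exe
PROCS = {2632: "sample", 2464: "162DBF6A", 2968: "A799C4C5", 2616: "98513519", 440: "EECFA159",
         2856: "F95024C6", 2652: "66BA10C6", 2636: "08886010", 2692: "32EF9236",
         1136: "79C0D496", 1872: "188038A5", 2316: "B26B4F89"}
CMD = r"C:\Windows\system32\cmd.exe /c del "
CMDS = [(2568, 2632, CMD + r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
        (2080, 2464, CMD + r"C:\Windows\{162DB~1.EXE > nul"), (2880, 2968, CMD + r"C:\Windows\{A799C~1.EXE > nul"),
        (1464, 2616, CMD + r"C:\Windows\{98513~1.EXE > nul"), (3040, 440, CMD + r"C:\Windows\{EECFA~1.EXE > nul"),
        (844, 2856, CMD + r"C:\Windows\{F9502~1.EXE > nul"), (1928, 2652, CMD + r"C:\Windows\{66BA1~1.EXE > nul"),
        (2704, 2636, CMD + r"C:\Windows\{08886~1.EXE > nul"), (2136, 2692, CMD + r"C:\Windows\{32EF9~1.EXE > nul"),
        (2812, 1136, CMD + r"C:\Windows\{79C0D~1.EXE > nul"), (1884, 1872, CMD + r"C:\Windows\{18803~1.EXE > nul")]


def reconstruct_chain(events, root):
    """Follow creator -> created-file links from `root`. Stops at a dead end, a branch or a
    cycle, so the result is the longest linear drop chain the events support."""
    created_by = defaultdict(list)
    for created, creator in events:
        created_by[creator].append(created)
    chain, seen = [root], {root}
    while True:
        nxt = created_by.get(chain[-1], [])
        if len(nxt) != 1 or nxt[0] in seen:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


SHORT = re.compile(r"^(?P<stem>[^~]{1,6})~\d+\.(?P<ext>[A-Za-z0-9]{1,3})$")


def expand_short_name(short, candidates):
    """Long names an 8.3 short name such as '{18803~1.EXE' could refer to. Assumes the default
    NTFS tilde scheme (first six characters of the stem, upper-cased, then ~N); the prefix may
    legitimately match several candidates, so every match is returned."""
    m = SHORT.match(short)
    if not m:
        return [c for c in candidates if c.upper() == short.upper()]
    stem, ext = m["stem"].upper(), m["ext"].upper()
    return [c for c in candidates
            if c.upper().startswith(stem) and c.upper().rsplit(".", 1)[-1] == ext]


DEL = re.compile(r"\bdel\s+\"?([^\s\"]+)", re.I)


def self_deletes(cmds, procs, names):
    """Images that spawned a cmd.exe whose `del` target resolves to the parent's own file."""
    out = []
    for _pid, ppid, cmdline in cmds:
        m = DEL.search(cmdline)
        if not m:
            continue
        target = m.group(1).rsplit("\\", 1)[-1]
        parent = names[procs[ppid]]
        if parent in expand_short_name(target, names.values()):
            out.append(parent)
    return out


if __name__ == "__main__":
    for i, image in enumerate(reconstruct_chain(FILE_CREATED, SAMPLE)):
        print(f"stage {i:2d}: {image}")
    print("stages that delete themselves:", len(self_deletes(CMDS, PROCS, NAME)))
```

The chain comes out as the sample followed by the eleven GUID-named stages in the same order as the process tree, and eleven of the twelve images delete themselves; the final stage {B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe has no cmd.exe child and is the one left on disk. The same two functions work on Sysmon event 11 (file create) and event 1 (process create with parent) data.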
Network
MITRE ATT&CK Enterprise v15
Downloads
Eleven files were captured, matching the eleven dropped stage binaries. All are 204KB, the same size as the submitted sample, yet every one has a different hash from the sample and from each other, so blocking the submitted sample's hash alone does not cover the dropped stages. The report does not map these hashes to the GUID file names.

1.
Filesize: 204KB
MD5: 7164d3bfd369680ce71fcfa2667494af
SHA1: 3c44900a5fbfcca5754676ffe6efcbc1f7588473
SHA256: d6f80b67d3bad7fcbdcba2752960e2dc7c47bf503bbbbf9c1541c7079d704d35
SHA512: f89f97a858fc09c8a9f7ee2214823d37ad4333520646fb1df5eb191c5d949866a0dc4325acb1003bf5d76df75d19a2605c4f361e6b729d0330624b86212f1f97

2.
Filesize: 204KB
MD5: 0379cc575c9d18df25411fd0bbdb53af
SHA1: 35ef3986100d2a29eb6fb9a9a92dc7ad89457eb5
SHA256: f0e9c96b07a7c88faa80a8a2fd4352b70e048b378326ec01a66d9fe0f3aca09e
SHA512: 885bf86a7a634e706c6d39911d64f285d4afa2a075ad900eb22a50f1303bbb5b693d8f32af31f0770024f7d072e8c58493fa941f3dbd5e79a837b047c4f5a991

3.
Filesize: 204KB
MD5: da88213bdf6bfab96c212d0dde0220d4
SHA1: 494e7fd74e0d79af2670845caece4df32c91c76c
SHA256: 9e8c074fe1f90c08abeb1ebff5cfb13f9635be3a1cd782c16bbbc6b393636240
SHA512: 2baceb525f10a8a53e385b022373edb575222c8f6f3006c630adde6e31f9e2147f6e92e1ada19c97bc4efad7f14f0c312ad556e72515c6cf383c9616ec46bd6a

4.
Filesize: 204KB
MD5: 9d47b527d37f302d29871556c95085a0
SHA1: 9449a065d790e5b225bd428b28c52c435eb0bd1b
SHA256: d2b40a9c0bd658699b350a42b9697e3769f4d2a856444b979afe930ee109932f
SHA512: 5c2d32bebac3c2c2c8245d979cb50f4d1938b19461c6013d9f77a139efc397652c5eb053529b9b7c816329026f3aace4d6f9b756d0ea606280e9f822ff19cdec

5.
Filesize: 204KB
MD5: 9b4b2f6661878e2990dbd378665ab7cd
SHA1: 07d30ccb1db48165464167f3f1672e43de136792
SHA256: e3b48ae13c794dfa4b601b567c0dc98ef3861d82b976d98ece98308b96aa0de6
SHA512: c40afb6c6c7e774d761eb40d858549f053a3fa0a98f7cbaf4cdbd0aa443587bbb44104e5e80cd8d94ff50a10b6a746a812ea558373bd7dcf9c09783014271f3a

6.
Filesize: 204KB
MD5: 8032e7bd7e0921788b84667ef4282eba
SHA1: df913b95132e5c93057aa3d7ad6321589abd41e5
SHA256: e7d504c6d109e564b7b494cb03682cbff0b37382acf15bab669ee8579227ee4f
SHA512: dca6ad023296f9578e9683dbbee707b47c242deb6e14d3e46d33ec3147239c26cc3423e2babda7b43631586852849ac63be7a845049dbfba595e7456a23f3778

7.
Filesize: 204KB
MD5: 33ca14285601737b87f56358389ff2ea
SHA1: 96ccebad416d04c473f79325b621d120e7f8bdab
SHA256: 9fc823ec4aa3f0fe74b4f2f866d25e4a3e1529f0f43b6ce19ff956ac028b9c66
SHA512: 2f01063fb315abcef304d233836568e31ea0613ec9f18578ce5eac45af7985586b3b9a40c2e81d948dffc43e521fa0af0c968ac029004e9d82358c0b3660144c

8.
Filesize: 204KB
MD5: 1a7b9435ae338bf44dd3934059041120
SHA1: d32b0fd91db062c98c99e8f7429dd67c0bbba15b
SHA256: ec2d846e8cf9519f79b085b09745566fed17f14e74238d957b7f728e403e7752
SHA512: 7e20d66810d45630b61de340eec94c5837acbf0383eb29acbbf6d12f8e07acb67b71d73452e53d0623d99dad1c4701c09b4690ef4fe5a1d96205b46f6f59cb2f

9.
Filesize: 204KB
MD5: b3c9f16d623251ae81e53d13a733a782
SHA1: 84b65487ffed3df894c36db0d747a55b1fbb496d
SHA256: ebc490c2d9573e0727283320949061b455b0b10e350af692bd4710c80e55b6d3
SHA512: d01e5ba33f36d579d0983e0c51fe36b791e133a7869db998210cbef60423a39296ad503c418a166ba9349300dd9f4d8bde43cb9e9eb8b183c28942fa419d7350

10.
Filesize: 204KB
MD5: 5514bbed30469ec70dda59bb309c1ca9
SHA1: 50f1fea57c6df6e5094a9e3cfd1a0c297c60a560
SHA256: 15829ca22af7d3551932b1f14c2dfa22aeba8c4ff42712219df7625a310025e8
SHA512: 85d1ee11dc3d626b5d6effc7076ea10041788d8943ce6a25708ee6ca4908ea34b517f97ce916750940b24ec71645a9e22a35bc7c6831e9e2fb085551edc24653

11.
Filesize: 204KB
MD5: 64c6aafeed2506adfac0132131b556e3
SHA1: cc5ce62fbb530d52d68b9d76fa76feaf6bd7e093
SHA256: a5221aa31ced443f6794329dafcd95cfd945ef091c791f06fae667cb5f558ac0
SHA512: 18286d0b517ab4b88a2671dfa26e58ca2a00aefb0e05152b492d5c697fdea49f3425117e247fa1fe3cd8dcd1c9775d9151f5a5b1e713962d5e88b0105f8ffe1a