Analysis

max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 13:37

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
Resource: win10v2004-20240226-en
General

Target: 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
Size: 408KB
MD5: 63674177d321bd82d8149f48e69fd53a
SHA1: d0a3b27b8a3d3a82241d7c13dfda65cbdcb8fb4a
SHA256: 9235dafa5d7eeef3a72e666e239a5c6951f1fe1815be71898d8e6e1aba87e15b
SHA512: b8fd7f95eb163002cd765f4059122813ab7193a0c6cda577b9e6cb97e881c001767e71005c76f3251b68509304f762f7e04f63f679855ee39b33d2601194fada
SSDEEP: 3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000a000000013a71-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000141a2-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a71-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000143ec-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a71-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a71-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a71-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}\stubpath = "C:\\Windows\\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe" | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}\stubpath = "C:\\Windows\\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe" | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77A1454-F23A-4dc2-A284-7D800C7B708C}\stubpath = "C:\\Windows\\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe" | {99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{213237EF-16EA-4f8e-B83E-CDDF85EE4139} | {C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}\stubpath = "C:\\Windows\\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe" | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}\stubpath = "C:\\Windows\\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe" | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BA95AD-07DD-4b72-8192-81D57F4EDD92} | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D} | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}\stubpath = "C:\\Windows\\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe" | {EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77A1454-F23A-4dc2-A284-7D800C7B708C} | {99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6958DF70-2E70-47fb-B333-8654538B68C7} | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAF96995-C120-43da-9B5F-A1398B1DCF9E} | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9} | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28} | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}\stubpath = "C:\\Windows\\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe" | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2} | {EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5} | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}\stubpath = "C:\\Windows\\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe" | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}\stubpath = "C:\\Windows\\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe" | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC54689C-C80C-4a22-9ACE-AFCA466F3050} | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}\stubpath = "C:\\Windows\\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe" | {C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6958DF70-2E70-47fb-B333-8654538B68C7}\stubpath = "C:\\Windows\\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe" | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe

Deletes itself 1 IoCs
pid | Process
772 | cmd.exe

Executes dropped EXE 11 IoCs
pid | Process
3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe
2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
1996 | {EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
1716 | {99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
1752 | {C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
112 | {213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe

Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
File created | C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe | {EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
File created | C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe | {99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
File created | C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe
File created | C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
File created | C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
File created | C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
File created | C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe | {C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
File created | C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
File created | C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
File created | C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe
Token: SeIncBasePriorityPrivilege | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
Token: SeIncBasePriorityPrivilege | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
Token: SeIncBasePriorityPrivilege | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
Token: SeIncBasePriorityPrivilege | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
Token: SeIncBasePriorityPrivilege | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
Token: SeIncBasePriorityPrivilege | 1996 | {EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
Token: SeIncBasePriorityPrivilege | 1716 | {99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
Token: SeIncBasePriorityPrivilege | 1752 | {C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2360 wrote to memory of 3016 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 28
PID 2360 wrote to memory of 3016 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 28
PID 2360 wrote to memory of 3016 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 28
PID 2360 wrote to memory of 3016 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 28
PID 2360 wrote to memory of 772 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 29
PID 2360 wrote to memory of 772 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 29
PID 2360 wrote to memory of 772 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 29
PID 2360 wrote to memory of 772 | 2360 | 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe | 29
PID 3016 wrote to memory of 2584 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 30
PID 3016 wrote to memory of 2584 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 30
PID 3016 wrote to memory of 2584 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 30
PID 3016 wrote to memory of 2584 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 30
PID 3016 wrote to memory of 2660 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 31
PID 3016 wrote to memory of 2660 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 31
PID 3016 wrote to memory of 2660 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 31
PID 3016 wrote to memory of 2660 | 3016 | {6958DF70-2E70-47fb-B333-8654538B68C7}.exe | 31
PID 2584 wrote to memory of 2052 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 32
PID 2584 wrote to memory of 2052 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 32
PID 2584 wrote to memory of 2052 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 32
PID 2584 wrote to memory of 2052 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 32
PID 2584 wrote to memory of 2940 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 33
PID 2584 wrote to memory of 2940 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 33
PID 2584 wrote to memory of 2940 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 33
PID 2584 wrote to memory of 2940 | 2584 | {931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe | 33
PID 2052 wrote to memory of 2528 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 36
PID 2052 wrote to memory of 2528 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 36
PID 2052 wrote to memory of 2528 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 36
PID 2052 wrote to memory of 2528 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 36
PID 2052 wrote to memory of 2924 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 37
PID 2052 wrote to memory of 2924 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 37
PID 2052 wrote to memory of 2924 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 37
PID 2052 wrote to memory of 2924 | 2052 | {97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe | 37
PID 2528 wrote to memory of 320 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 38
PID 2528 wrote to memory of 320 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 38
PID 2528 wrote to memory of 320 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 38
PID 2528 wrote to memory of 320 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 38
PID 2528 wrote to memory of 2796 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 39
PID 2528 wrote to memory of 2796 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 39
PID 2528 wrote to memory of 2796 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 39
PID 2528 wrote to memory of 2796 | 2528 | {CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe | 39
PID 320 wrote to memory of 2672 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 40
PID 320 wrote to memory of 2672 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 40
PID 320 wrote to memory of 2672 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 40
PID 320 wrote to memory of 2672 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 40
PID 320 wrote to memory of 2780 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 41
PID 320 wrote to memory of 2780 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 41
PID 320 wrote to memory of 2780 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 41
PID 320 wrote to memory of 2780 | 320 | {9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe | 41
PID 2672 wrote to memory of 2348 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 42
PID 2672 wrote to memory of 2348 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 42
PID 2672 wrote to memory of 2348 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 42
PID 2672 wrote to memory of 2348 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 42
PID 2672 wrote to memory of 2676 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 43
PID 2672 wrote to memory of 2676 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 43
PID 2672 wrote to memory of 2676 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 43
PID 2672 wrote to memory of 2676 | 2672 | {F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe | 43
PID 2348 wrote to memory of 1996 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 44
PID 2348 wrote to memory of 1996 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 44
PID 2348 wrote to memory of 1996 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 44
PID 2348 wrote to memory of 1996 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 44
PID 2348 wrote to memory of 1628 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 45
PID 2348 wrote to memory of 1628 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 45
PID 2348 wrote to memory of 1628 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 45
PID 2348 wrote to memory of 1628 | 2348 | {EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe | 45

Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2360

Level 2: C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe
  Command line: C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3016

Level 3: C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
  Command line: C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2584

Level 4: C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
  Command line: C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2052

Level 5: C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
  Command line: C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2528

Level 6: C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
  Command line: C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 320

Level 7: C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
  Command line: C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2672

Level 8: C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
  Command line: C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2348

Level 9: C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
  Command line: C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1996

Level 10: C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
  Command line: C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1716

Level 11: C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
  Command line: C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1752

Level 12: C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe
  Command line: C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe
  - Executes dropped EXE
  PID: 112

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C77A1~1.EXE > nul
  PID: 580

Level 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{99C52~1.EXE > nul
  PID: 1976

Level 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC61~1.EXE > nul
  PID: 2908

Level 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EC546~1.EXE > nul
  PID: 1628

Level 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F682B~1.EXE > nul
  PID: 2676

Level 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF30~1.EXE > nul
  PID: 2780

Level 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF96~1.EXE > nul
  PID: 2796

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{97BA9~1.EXE > nul
  PID: 2924

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{931C1~1.EXE > nul
  PID: 2940

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6958D~1.EXE > nul
  PID: 2660

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
  PID: 772

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 408KB
MD5: 077f99d63f0d55e0023f83dbb5d19fc7
SHA1: 28a7c1d934b78bd587f7fff48b93384b63c76519
SHA256: 5fd0624c7be6c38fbeadcdf4c4839f41d1c3771956d17eecb6f7a7c59541c222
SHA512: a305189b72c63560cc96d085dd4af7af63803e97e004fd322123800fe90ca8d8f4c5809caeb363920be71ba26df5c6c70d1304c64892b2db43b9e62a2cafeb3b

Filesize: 408KB
MD5: ac1dbb4a6bc9fbf6357a9e9037d745bc
SHA1: 35b31836d22f9b7c9add2589594e08339bda5e31
SHA256: 10e77337af218aee20dbe7b9edf37850df85d975fa07df0d5a81dc263d415384
SHA512: a0d4bd35f6f98590e78d546bca87c1bc2705d81c2fc6290bb1917e49cdad77b3473c484a380bb857f2e250de78ee5f25833db9649c5a605d3728695c7e3ab456

Filesize: 408KB
MD5: 9c2f2f509f99f1c65ab5a6acb39577be
SHA1: cc7b02403c6b64c5df1db5ec953d1f31ca2d92ac
SHA256: df67aa8384d4a989519ad37a8db51bacfeb9c508bab62ab757606c68622ca043
SHA512: 3f538ecfce67675f4691a8bd6499927aff0e30e034d60fe6d9ac17192d5d59083c7f596babb32382ef610502b8d6cb44a2cbb5327359b4e14cbc5b2b9da77721

Filesize: 408KB
MD5: 48e9864c0274f38911f85897ece73dc7
SHA1: dca3299dbc9b90d970bb643533728074ddd34adf
SHA256: 29995756ea34e4c7e95ca305a43e7ef7a657b0388b8a8accc5f85ced5305d2de
SHA512: 54f681b97f9d7c240f4c059ef23a0fcf5088e3b2e776cf2abf8443f6d238f195a6afe35aac1af81b5d76055024f2a235258ee290890e7776fade1ebd2de78b0e

Filesize: 408KB
MD5: 1a134122948bc0a143d270d9385b9991
SHA1: 86b3eb9eb7270719590583081f59e98df1c20270
SHA256: 78f71561a34333a3e5ffd68f081a240d2b372412f7bcac8c73d00596960a083a
SHA512: cc7f9f3a6722ca178e0afea37d43d34dc9259502dea893651d499a5d42259b20cab07481c42313676f0bba1aa7a7fe5e007bbcd35021a788d8f0fd1f5c581896

Filesize: 408KB
MD5: 46659071465ad25003ca428108e8a1aa
SHA1: e72089fd87126428f42a5c35a20803d5c6878fd4
SHA256: a9b88315fb44db2caf71a19558a307b6ef2a1fe7164a009b548c9bcdbddd0d9f
SHA512: 4728873cd520fcf475fae94162e229422e81ba99c7c759e7b81094d28a5469ada238db78bda44eba01d1fc3eecb9fd4159f294e1ac210cd0b9f9952a1e7aa129

Filesize: 408KB
MD5: 3c5bc08e41d16bff58112fda5ac89c2a
SHA1: b96a7f49223af9d81b94ffda515223deaa1bb6ae
SHA256: 42c7345af68ad97ecf77420032c835b954ce146c857bc81d5455701f004844d3
SHA512: 761002131c0be192c331c9ba49f336268e9ad12ff56a92f0cf236874387ee60ad19be6542be88f4f34b22d23384676fcff88327f595b82a0d9611f4275cbf1a1

Filesize: 408KB
MD5: 1a3463c86dc47b8e3b7a08415f17ba8f
SHA1: cf522569ee19b9cbd01073c7f69b5eb401e68f7b
SHA256: 92ecb194a1b6b69cd33b9df3550d01893c537f44b5b98cdd1692ec5d991760b6
SHA512: 7df35cdf3e7f7f689825fb459bf6b5180658d7caed0fc1c6dea580910047a35c31c451dfcc41d21c7bcfcb7b55b2dbb5196a18e168d9d7f57bb1bff9656d173a

Filesize: 408KB
MD5: b4a68855b2466caf6f589a8fd78fbe43
SHA1: 58dca2683abbfd5be7c85137af0ef95f35e83cdb
SHA256: 49e7fb2b3e71ec31b6ab8a717375ec5fe4b7a9ca42b21dabfd80e4fd9c9ea1c3
SHA512: e8f1b33aec5c6fd9e16f14ee78bb899e6e4f8bbff207a8a6e412c474f202b3ac592070022239876b4b04ce8cd6e99db4320335a4bdc42c7ea123c4ccaa4c6c6b

Filesize: 408KB
MD5: ca0c0aaaa15bec83be9205e867c0dfd3
SHA1: 4f0545343a507f12c2427c0c67b0de4e04852b6a
SHA256: 35dc19832fef9ddde93b696d8fbc4376ca428d536270b2343e778766d17ceefd
SHA512: cfa984fc847ffea01d2c79b96a3cb8540bd5ba7efb11af33adfbc3176da38c2ec5e1745af62109e11b26b9ca3f4037a82136474825b5e2552e8b6feb66f1d2a8

Filesize: 408KB
MD5: 9d65985176fa7c7a73849b2dca00282a
SHA1: 73e6a7e78e518dfc462a532f19fc330587f922a8
SHA256: c81c59e91a1a43222377f0c2d58df56574e60aef7358ab4f68d3f24be9ac840f
SHA512: 985aeb80a929b783f9cf9de9a0bf2cc64e92b828ae14dc692060f2666f0e34204748f80fadac860171dcb14b0b7cf475f9fbc86c54751c41aca40b2759a45b74