Analysis
-
max time kernel
144s
-
max time network
123s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
04/04/2024, 13:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
-
Size
168KB
-
MD5
5f0dc811482238f0932c7529f94c2671
-
SHA1
d6e5550a87d5851acc0a5ad0ea8e2e3944c2382f
-
SHA256
dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603
-
SHA512
c4bb9f4d54df43d7ccdac3e7808e2a5c773c380d9b098f18cd1e59f783859075daa25d219d268dce983a7f6c565cd6f95ba4c6edbb9353cec0354b6caae0ce11
-
SSDEEP
1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000b00000001224e-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224e-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224e-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224e-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224e-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224e-74.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657} | {D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}\stubpath = "C:\\Windows\\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe" | {D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86FF227-920A-469d-91B6-5A0EEE0F28E6} | {B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}\stubpath = "C:\\Windows\\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe" | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}\stubpath = "C:\\Windows\\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe" | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}\stubpath = "C:\\Windows\\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe" | {2BE51290-E81F-4adc-8799-538FAC502141}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97FF8615-255C-49df-A76D-6F048669F28E} | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB} | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}\stubpath = "C:\\Windows\\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe" | {B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5} | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B} | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE51290-E81F-4adc-8799-538FAC502141} | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE51290-E81F-4adc-8799-538FAC502141}\stubpath = "C:\\Windows\\{2BE51290-E81F-4adc-8799-538FAC502141}.exe" | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70600684-3492-475c-ADDB-A0522AD3C3C6}\stubpath = "C:\\Windows\\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe" | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53} | {D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}\stubpath = "C:\\Windows\\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe" | {D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0} | {2BE51290-E81F-4adc-8799-538FAC502141}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80} | {97FF8615-255C-49df-A76D-6F048669F28E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}\stubpath = "C:\\Windows\\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe" | {97FF8615-255C-49df-A76D-6F048669F28E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70600684-3492-475c-ADDB-A0522AD3C3C6} | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}\stubpath = "C:\\Windows\\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe" | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97FF8615-255C-49df-A76D-6F048669F28E}\stubpath = "C:\\Windows\\{97FF8615-255C-49df-A76D-6F048669F28E}.exe" | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
-
Deletes itself 1 IoCs
pid | Process
2608 | cmd.exe
-
Executes dropped EXE 11 IoCs
pid | Process
3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe
2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe
556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
1060 | {D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
1340 | {D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
1920 | {B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
588 | {B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
File created | C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
File created | C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | {97FF8615-255C-49df-A76D-6F048669F28E}.exe
File created | C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe | {D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
File created | C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe | {B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
File created | C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
File created | C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | {2BE51290-E81F-4adc-8799-538FAC502141}.exe
File created | C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
File created | C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
File created | C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
File created | C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe | {D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
Token: SeIncBasePriorityPrivilege | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
Token: SeIncBasePriorityPrivilege | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe
Token: SeIncBasePriorityPrivilege | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
Token: SeIncBasePriorityPrivilege | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe
Token: SeIncBasePriorityPrivilege | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
Token: SeIncBasePriorityPrivilege | 1060 | {D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
Token: SeIncBasePriorityPrivilege | 1340 | {D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
Token: SeIncBasePriorityPrivilege | 1920 | {B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 996 wrote to memory of 3060 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 28
PID 996 wrote to memory of 3060 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 28
PID 996 wrote to memory of 3060 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 28
PID 996 wrote to memory of 3060 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 28
PID 996 wrote to memory of 2608 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 29
PID 996 wrote to memory of 2608 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 29
PID 996 wrote to memory of 2608 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 29
PID 996 wrote to memory of 2608 | 996 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 29
PID 3060 wrote to memory of 3068 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 30
PID 3060 wrote to memory of 3068 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 30
PID 3060 wrote to memory of 3068 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 30
PID 3060 wrote to memory of 3068 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 30
PID 3060 wrote to memory of 2696 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 31
PID 3060 wrote to memory of 2696 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 31
PID 3060 wrote to memory of 2696 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 31
PID 3060 wrote to memory of 2696 | 3060 | {6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe | 31
PID 3068 wrote to memory of 2556 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 32
PID 3068 wrote to memory of 2556 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 32
PID 3068 wrote to memory of 2556 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 32
PID 3068 wrote to memory of 2556 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 32
PID 3068 wrote to memory of 304 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 33
PID 3068 wrote to memory of 304 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 33
PID 3068 wrote to memory of 304 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 33
PID 3068 wrote to memory of 304 | 3068 | {FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe | 33
PID 2556 wrote to memory of 2756 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 36
PID 2556 wrote to memory of 2756 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 36
PID 2556 wrote to memory of 2756 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 36
PID 2556 wrote to memory of 2756 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 36
PID 2556 wrote to memory of 2792 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 37
PID 2556 wrote to memory of 2792 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 37
PID 2556 wrote to memory of 2792 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 37
PID 2556 wrote to memory of 2792 | 2556 | {2BE51290-E81F-4adc-8799-538FAC502141}.exe | 37
PID 2756 wrote to memory of 2452 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 38
PID 2756 wrote to memory of 2452 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 38
PID 2756 wrote to memory of 2452 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 38
PID 2756 wrote to memory of 2452 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 38
PID 2756 wrote to memory of 1476 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 39
PID 2756 wrote to memory of 1476 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 39
PID 2756 wrote to memory of 1476 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 39
PID 2756 wrote to memory of 1476 | 2756 | {26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe | 39
PID 2452 wrote to memory of 556 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 40
PID 2452 wrote to memory of 556 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 40
PID 2452 wrote to memory of 556 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 40
PID 2452 wrote to memory of 556 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 40
PID 2452 wrote to memory of 2680 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 41
PID 2452 wrote to memory of 2680 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 41
PID 2452 wrote to memory of 2680 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 41
PID 2452 wrote to memory of 2680 | 2452 | {97FF8615-255C-49df-A76D-6F048669F28E}.exe | 41
PID 556 wrote to memory of 2672 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 42
PID 556 wrote to memory of 2672 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 42
PID 556 wrote to memory of 2672 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 42
PID 556 wrote to memory of 2672 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 42
PID 556 wrote to memory of 2664 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 43
PID 556 wrote to memory of 2664 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 43
PID 556 wrote to memory of 2664 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 43
PID 556 wrote to memory of 2664 | 556 | {8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe | 43
PID 2672 wrote to memory of 1060 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 44
PID 2672 wrote to memory of 1060 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 44
PID 2672 wrote to memory of 1060 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 44
PID 2672 wrote to memory of 1060 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 44
PID 2672 wrote to memory of 1428 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 45
PID 2672 wrote to memory of 1428 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 45
PID 2672 wrote to memory of 1428 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 45
PID 2672 wrote to memory of 1428 | 2672 | {70600684-3492-475c-ADDB-A0522AD3C3C6}.exe | 45
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
-
Depth 2: C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
Command line: C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
-
Depth 3: C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
Command line: C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
-
Depth 4: C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe
Command line: C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
-
Depth 5: C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
Command line: C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
-
Depth 6: C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe
Command line: C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
-
Depth 7: C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
Command line: C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
-
Depth 8: C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
Command line: C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
-
Depth 9: C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
Command line: C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
Depth 10: C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
Command line: C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
Depth 11: C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
Command line: C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
Depth 12: C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe
Command line: C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe
- Executes dropped EXE
PID:588
-
Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B16DE~1.EXE > nul
PID:2984
-
Depth 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D83A9~1.EXE > nul
PID:2864
-
Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D1903~1.EXE > nul
PID:1988
-
Depth 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{70600~1.EXE > nul
PID:1428
-
Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8134A~1.EXE > nul
PID:2664
-
Depth 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{97FF8~1.EXE > nul
PID:2680
-
Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{26B8C~1.EXE > nul
PID:1476
-
Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE51~1.EXE > nul
PID:2792
-
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FC2DD~1.EXE > nul
PID:304
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6DEB2~1.EXE > nul
PID:2696
-
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- Deletes itself
PID:2608
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
168KB
MD5
4bf78308bd1e33c5e1c074a09b9fb11d
SHA1
59ff47694d0af6e607f7034090ec3c3e7ffa62b1
SHA256
9a08d6f358a51a009a70d50cc8c9938eb42146f7065872b814a315ad24274312
SHA512
c3191121a07daa4b3db1cdec931368ec44eed154ad33b0689ace6774f75c5a17b3851e0dc2e940b97492d6ce5e882e4a51857360346f5a23e9194eb9e2df1cc5
-
Filesize
168KB
MD5
da725d5820d7701b85259420e2c5d1be
SHA1
6c28b43d342ff99346c0cccde8cdcd6807dfdebf
SHA256
9ee69bc3cd7f5eafda81114450e5dde78fa49a706fc3fd1f928abfe664183edb
SHA512
fa2c2b2afd2368283f5e15390c0f69e4cc0ca26399def9e828c90a36b44c64ddddb56b9fd65660383bfface7de4bcd901273d0687470dc6525a127ccdbd80070
-
Filesize
168KB
MD5
823c5e20a4681a5602878816daa59829
SHA1
fde1443471e9fac0a3a981af0c2dd39efd733900
SHA256
9ba7d10d24df1dfcf27116e3dccac88396de0220609593d0cc7f7414300aa4ba
SHA512
57aea77323daa5ad9b966dc8d5725c4fc606cfd11384c33bf08a52fff9e07c83cf8deff937740c8bd92c35fe028219623e04cc0f4d48828e8b9eb58d6b7decde
-
Filesize
168KB
MD5
7ea02d42125db7ee910d83d79bf156cf
SHA1
d7926357bb6504f6d4587fbcc8d22ea3326eb041
SHA256
eb9b099fc3032894a4d11489514768319b17b926da7c7f498a193f929a024128
SHA512
8cfbef2e511fa80cf392b630557cd57d095928908e32371c7c6b121579037186c8e2db507fceb42d62fcdce5170a5dd17ab6a90d458304681781d12ad1dc7376
-
Filesize
168KB
MD5
588285051dc56f5a5ec984e9ba7d02a4
SHA1
9cb312a748d24c64bdddd2c18c825d1f93a3ef6e
SHA256
12a5f741a1208315534a47ea8f6ccf70d13b29731c20f5994b0be8ae104af8db
SHA512
d99ad375277357efdfd1113ec62c570ca08ebe6fd62a63f3503a4b001a0f6d0a1a588605e559bcdc6e560ba78ff97a7d267c91c11e448f67816f6ac191d7a013
-
Filesize
168KB
MD5
286ab9b667d8074db6752d0c1355ab40
SHA1
4d5fe0e2cb7665099223da5ea83ed9b4f5d20057
SHA256
7ef0558fc551ce111f0199e5ac75f563f13a2989d1382f8fddb1a9434c683330
SHA512
712915a6b311a6cd0a07bea844b5795e9095a305c16107a6acd91ea02673bb3e5b8d7c95c6e8ad5a3c3e117219d20565d57fe1067ae8075a1437a4546d4cd117
-
Filesize
168KB
MD5
b40d8516cce15d0b25ded870dfe9b5f3
SHA1
55fc7ca87901de75369828bccda5d9f36aede7f1
SHA256
53924cf3d25ecdd57c4173a708d8380cb0ccc0965e53e30041b3af591d6f712b
SHA512
191e048d5833d84a57ebe977cfd655770a3099eabf83996d6464013261cb15e66cad742a956d4318f56ae37ac45b9543401e973eec84c8909c5ae993b6c3b125
-
Filesize
168KB
MD5
9d0c2979ff128d053dc04a36e72c10c9
SHA1
85640199fd2e0f8760ff1f1c7fe0df40fe8af4db
SHA256
34120f7fe0f3bdaa60f23d3e72e7b223c39f9e284053906eb5fed67c8bc6565e
SHA512
bfba589570a736ffc40c6fd54deb7c52bc08d4d4d25b2c935c884685b9ba83f111d962b07552db3a4b1409d26d80c9944253d95fa1ff1b8fe4209f9f71d79492
-
Filesize
168KB
MD5
7db792a83234830699c224538837fa11
SHA1
4ed50f2469d62e783215e074e45aed5aea240309
SHA256
63bb5463cf4cd5ff19007f62678207a3aa8d0616b817e32b41cffb8179e65a11
SHA512
02eeee89253764be1c7fa86ee99dff149110a2f3c1ef5d06e02fef5af5a559064b6072e430eb3cc960abdd884fc37743dd3b5dbffe4f6814aceb5db0e76f851b
-
Filesize
168KB
MD5
d3bc993d26367e8096229b164e19a83c
SHA1
1cd59af8fb0fdb571c6c56f765398d1f8ee0990b
SHA256
f695d946ffc8335645e8c3abf6fef47acfb0b07dacd54af93724be713b6861ab
SHA512
bd0e24beb6adb71852d520ac570b7b0117ebc0c3951581e5f7ad299c287919fa86c65f15f33734329e4d2c7ad3bb470f9be0db745dfa628d63076ba01c90b4f0
-
Filesize
168KB
MD5
aeb2d598e5fd784dd5561cb2241cdd50
SHA1
71a5b5cdde4382fc6bc681fba7845db5aa71d69d
SHA256
d6fc2cd581787c92637bad8b0d96e02a4246a6c95fd60d8ae6371519728af390
SHA512
02c1ca96f36012699169651b70a16651240dab315aa5f76505f7442fe49862b81a6dfbb5749107b4d75be07d44e986c58ac306f3731bc0e2b9a0a8ac7c3e7e9c