Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 04/04/2024, 13:39
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Size: 204KB
MD5: 75d172b074cfb2f8092b21b0cb1417b8
SHA1: 27016bc58f7ed03a6a012f653f84282547c89a03
SHA256: a640cd5774250fc10b40ac663eb8f85bac0d6fc61c3241bec84b210afbf774fc
SHA512: 2561cacb93cb9dc2976b4d0f808fc957efc7df9f46acbcf5e7816b0e38e2fe124a5c57752c8b400508c4626d4ea2b69bd8fbc4cebfe60b39e11940311b6d0705
SSDEEP: 1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000c00000001234b-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143e5-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001234b-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000146f4-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001234b-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001234b-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001234b-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}\stubpath = "C:\\Windows\\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe" | {B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65782627-3DC2-4ab2-9F09-78420C969855}\stubpath = "C:\\Windows\\{65782627-3DC2-4ab2-9F09-78420C969855}.exe" | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07902000-F022-491c-B968-7A01A8B7FDC3} | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}\stubpath = "C:\\Windows\\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe" | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90} | {5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}\stubpath = "C:\\Windows\\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe" | {6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683} | {B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3} | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}\stubpath = "C:\\Windows\\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe" | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07902000-F022-491c-B968-7A01A8B7FDC3}\stubpath = "C:\\Windows\\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe" | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F027BE9B-853C-47da-943B-B4E9B045E1C7}\stubpath = "C:\\Windows\\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe" | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}\stubpath = "C:\\Windows\\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe" | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02} | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}\stubpath = "C:\\Windows\\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe" | {5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B6B830-878E-461d-9A5D-979B7B9AFA72} | {6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF251A6-6B71-44d7-9C3C-0A31E7321906} | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}\stubpath = "C:\\Windows\\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe" | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65782627-3DC2-4ab2-9F09-78420C969855} | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F027BE9B-853C-47da-943B-B4E9B045E1C7} | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB} | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2} | {65782627-3DC2-4ab2-9F09-78420C969855}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}\stubpath = "C:\\Windows\\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe" | {65782627-3DC2-4ab2-9F09-78420C969855}.exe
Deletes itself (1 IoC)
pid | Process
2976 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe
2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe
1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
1464 | {5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
2876 | {6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
336 | {B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
1456 | {6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
File created | C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe
File created | C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
File created | C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
File created | C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe | {5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
File created | C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe | {B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
File created | C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
File created | C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
File created | C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | {65782627-3DC2-4ab2-9F09-78420C969855}.exe
File created | C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
File created | C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe | {6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
Token: SeIncBasePriorityPrivilege | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
Token: SeIncBasePriorityPrivilege | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe
Token: SeIncBasePriorityPrivilege | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
Token: SeIncBasePriorityPrivilege | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
Token: SeIncBasePriorityPrivilege | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
Token: SeIncBasePriorityPrivilege | 1464 | {5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
Token: SeIncBasePriorityPrivilege | 2876 | {6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
Token: SeIncBasePriorityPrivilege | 336 | {B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1956 wrote to memory of 2088 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 28
PID 1956 wrote to memory of 2088 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 28
PID 1956 wrote to memory of 2088 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 28
PID 1956 wrote to memory of 2088 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 28
PID 1956 wrote to memory of 2976 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 29
PID 1956 wrote to memory of 2976 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 29
PID 1956 wrote to memory of 2976 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 29
PID 1956 wrote to memory of 2976 | 1956 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 29
PID 2088 wrote to memory of 2504 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 30
PID 2088 wrote to memory of 2504 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 30
PID 2088 wrote to memory of 2504 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 30
PID 2088 wrote to memory of 2504 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 30
PID 2088 wrote to memory of 2608 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 31
PID 2088 wrote to memory of 2608 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 31
PID 2088 wrote to memory of 2608 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 31
PID 2088 wrote to memory of 2608 | 2088 | {23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe | 31
PID 2504 wrote to memory of 2528 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 32
PID 2504 wrote to memory of 2528 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 32
PID 2504 wrote to memory of 2528 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 32
PID 2504 wrote to memory of 2528 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 32
PID 2504 wrote to memory of 2516 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 33
PID 2504 wrote to memory of 2516 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 33
PID 2504 wrote to memory of 2516 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 33
PID 2504 wrote to memory of 2516 | 2504 | {4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe | 33
PID 2528 wrote to memory of 2472 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 36
PID 2528 wrote to memory of 2472 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 36
PID 2528 wrote to memory of 2472 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 36
PID 2528 wrote to memory of 2472 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 36
PID 2528 wrote to memory of 2452 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 37
PID 2528 wrote to memory of 2452 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 37
PID 2528 wrote to memory of 2452 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 37
PID 2528 wrote to memory of 2452 | 2528 | {65782627-3DC2-4ab2-9F09-78420C969855}.exe | 37
PID 2472 wrote to memory of 1940 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 38
PID 2472 wrote to memory of 1940 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 38
PID 2472 wrote to memory of 1940 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 38
PID 2472 wrote to memory of 1940 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 38
PID 2472 wrote to memory of 1612 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 39
PID 2472 wrote to memory of 1612 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 39
PID 2472 wrote to memory of 1612 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 39
PID 2472 wrote to memory of 1612 | 2472 | {27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe | 39
PID 1940 wrote to memory of 1656 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 40
PID 1940 wrote to memory of 1656 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 40
PID 1940 wrote to memory of 1656 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 40
PID 1940 wrote to memory of 1656 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 40
PID 1940 wrote to memory of 344 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 41
PID 1940 wrote to memory of 344 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 41
PID 1940 wrote to memory of 344 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 41
PID 1940 wrote to memory of 344 | 1940 | {07902000-F022-491c-B968-7A01A8B7FDC3}.exe | 41
PID 1656 wrote to memory of 2460 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 42
PID 1656 wrote to memory of 2460 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 42
PID 1656 wrote to memory of 2460 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 42
PID 1656 wrote to memory of 2460 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 42
PID 1656 wrote to memory of 1376 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 43
PID 1656 wrote to memory of 1376 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 43
PID 1656 wrote to memory of 1376 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 43
PID 1656 wrote to memory of 1376 | 1656 | {F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe | 43
PID 2460 wrote to memory of 1464 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 44
PID 2460 wrote to memory of 1464 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 44
PID 2460 wrote to memory of 1464 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 44
PID 2460 wrote to memory of 1464 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 44
PID 2460 wrote to memory of 2588 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 45
PID 2460 wrote to memory of 2588 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 45
PID 2460 wrote to memory of 2588 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 45
PID 2460 wrote to memory of 2588 | 2460 | {F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe | 45
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe (PID: 1956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe (PID: 2088)
  Command line: C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe (PID: 2504)
  Command line: C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe (PID: 2528)
  Command line: C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe (PID: 2472)
  Command line: C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe (PID: 1940)
  Command line: C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe (PID: 1656)
  Command line: C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe (PID: 2460)
  Command line: C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe (PID: 1464)
  Command line: C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Level 10: C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe (PID: 2876)
  Command line: C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Level 11: C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe (PID: 336)
  Command line: C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Level 12: C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe (PID: 1456)
  Command line: C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe
  - Executes dropped EXE

Level 12: C:\Windows\SysWOW64\cmd.exe (PID: 2816)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B6B~1.EXE > nul

Level 11: C:\Windows\SysWOW64\cmd.exe (PID: 984)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6C823~1.EXE > nul

Level 10: C:\Windows\SysWOW64\cmd.exe (PID: 2116)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5AAEB~1.EXE > nul

Level 9: C:\Windows\SysWOW64\cmd.exe (PID: 2588)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DB8~1.EXE > nul

Level 8: C:\Windows\SysWOW64\cmd.exe (PID: 1376)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F027B~1.EXE > nul

Level 7: C:\Windows\SysWOW64\cmd.exe (PID: 344)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07902~1.EXE > nul

Level 6: C:\Windows\SysWOW64\cmd.exe (PID: 1612)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{27A73~1.EXE > nul

Level 5: C:\Windows\SysWOW64\cmd.exe (PID: 2452)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{65782~1.EXE > nul

Level 4: C:\Windows\SysWOW64\cmd.exe (PID: 2516)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF25~1.EXE > nul

Level 3: C:\Windows\SysWOW64\cmd.exe (PID: 2608)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{23B4E~1.EXE > nul

Level 2: C:\Windows\SysWOW64\cmd.exe (PID: 2976)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204KB
MD5: 9368918784f91ff17d6b67c6d4f1e256
SHA1: 76d2e7554374fceb7c98e90835f48da3d0382ee4
SHA256: e732887af2a1cf0474280aa0cc79638549685bc133c5bed6bdeedb916a433908
SHA512: 0105010c8d6fecf22b5dfd99ba08bf8a73ff0c5218912941cfd9da573011f7154c6265580d5ec4995a77fb5ee85b6723ad6c099af96cf6a6169b8b144eebb398

Filesize: 204KB
MD5: 36b79d330b1d71ada09236c47c67f8cf
SHA1: d1939977766e962f336a21f61e5378cb9362f0cd
SHA256: 73b2ba53274fcc5a5dd439e7789d4f5d9c0d153bd84d218d297da362cdb19b73
SHA512: 31d09766e14c48d99d76aeac802b89c63f8ef4caea63147f31e3179bb65a3aea6ba182920d13215cc7c00b582906b866332dd7312d33e546cfa0ae41b9cbcfde

Filesize: 204KB
MD5: c29e441448ba725cfe04f36dbe0270a0
SHA1: 947fa7cb93afb1e03424db044647587ae75abfc2
SHA256: f7b4d05b685fa0759a97cbd6180794da78c4e91d860e913e9ace5a7bef87b439
SHA512: 5603eddbf0e4b10620d8ce80551e153bc609193e0bddde27c6292884b3351da1e673049fae047a2b4e30e19f13cda1e02758a64f18fd00e47262541fe4023237

Filesize: 204KB
MD5: 7ca9dbc2743ebf88d6a047e019c94550
SHA1: 79f34246006be021ec01d7f087cb5a21b71c0c0a
SHA256: d7a97f111875869d2e67811f7d19b7d9e5479fc47bd8f0988d29d5d19a8002a4
SHA512: 5884303716b423376a6ccb8526d290e872b4886f1fb70f14b99a0858cd566d71d75052ad95b30896947a29772a66583141b7204ca2a9b3139e07e2f5d04138fb

Filesize: 204KB
MD5: cba1ec6d6f4347665cda465a237a6d80
SHA1: e5177b45bce3c4ef78d51c4edfee766cf4739d0d
SHA256: 77993e3659edc3a5e79fa66187d8c35b60a909241ebc8cfcf68141d62c29684e
SHA512: bfdab196c942fd0a0847d98e39c03e5657d085d06599127ee589316e892e89059da455dac6eb4fc418f94aa0726def34991f8c5dac8630de775349b1df632127

Filesize: 204KB
MD5: d8082e1fb1ad8dfbad4444e90265c173
SHA1: 3c9cd35a4bd6eeb9875d3097fbce64c8628abb7d
SHA256: 2d12105fa4f585b2106f8e9cfb7bb5be3fcda084f367437e69815dfa40519be5
SHA512: e681f70f6a6db6c7d9ad61a1ca606a674ee9cea75f3e9bf553b3e16da8549ecabbd42c421d6d75731e00aa2330ede1bd3376fbde75813be1c6819e2b5f2748d3

Filesize: 204KB
MD5: 74b93cb2a248b6694f252db76176d62a
SHA1: 97b5d3acaaaf7af3f7ba9fe73a34cb931257d579
SHA256: 812c3fee92c96a0513677a64a0b123ac04ab8a9ee76623c32b5f66c6d300b682
SHA512: f745f8e55a3d6792290fa506136524a8e6906604dec6a9b4a8eb4b75d0e9270761eb90b5d81e52071a5d8eabdeef27e9cff3fc3b16a39360dd302bb6da8cfbe9

Filesize: 204KB
MD5: cf131a7cfa7e3bebae4a9ba0ba54168a
SHA1: 04d078bec5baff0b34825901f841821f009a26ed
SHA256: dddb9316cb33e238711de14e2fd66ccce74936c4e101a18f1aa35a801c7fed45
SHA512: a10ea3bfd703328e8fe3a07204fa641e9c795cf7eaa46db44ebe832f077c366bd53c18f93f740cf6708d1b4404176eac9afb99812a9f2a9ef4dc256358a043ea

Filesize: 204KB
MD5: e1658e689b8aaefaa4c0ce1b796b468d
SHA1: 874a3058b8c2f83ef20fa91aee893538e64a652c
SHA256: 6e31d80fb7bb8c07421895c3198379726c719e91143470bafc1c97cc3e749c1b
SHA512: a171bb392ad7c4c3425f52821cfa9b70a5c71281eba26e9ddeefb1767a59c6d2b858480d1d4664b4bcede8591af1bddf36fafdddab0c3645c2bc5f7b04733cf5

Filesize: 204KB
MD5: 1c9704de3a87a2fe157564ab75d5f8f6
SHA1: 23efcbae6bd563aaa9724e1895de374db8de8cca
SHA256: b0d406d986cc8dea963670ba30d921f7e6a94aed2b0c45207fa0ddfc365ab2f5
SHA512: eb25996d6ccb1de29e238bdfbb484ca784afee15725394f9bc34b713726a51c7f75e9f0b866f81159737dd4e0e32cee02b4d04938eb5147f6d827baa5d5daed0

Filesize: 204KB
MD5: 9af7a6a0181cada47cda5572898e1f34
SHA1: 4dbcd378953937a6a1aa7bcd29eb8a51eca8af79
SHA256: 1f56cec93c7d22b67466bbb5931cf8045ab59410fff96d3f2134e5605354629d
SHA512: ffce8cf660ac8476d5d2daa2bf3be7726174ae0fe314b5e8fbfac68b507b9eb2e919c7303ac4c71ac21c89ad802274f77ec4395a8e004a4bf344af299eea3d18